MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “United Parcel Service notification
The email is sent from the spoofed address “United Parcel Service <****@ups.com>”, where **** is filled in with various combinations like:
The message has the following body:
The parcel was sent your home address.
And it will arrive within 7 business day.
More information and the tracking number are attached in document below.
© 1994-2011 United Parcel Service of America, Inc.
The attached ZIP file has the name UPSnotice.rar and contains the 16 kB file UPS notify.exe.
The trojan is known as BDS/Hostil.F.9 (Antivir), TrojanDownloader:Win32/Chepvil.I (Microsoft), Mal/Bredo-K (Sophos), Backdoor.Cycbot (Symantec).
The following files will be created:
The trojan can establish a connection with the IP 188.8.131.52 on port 80, and data will be obtained from the following URL: hxxp://184.108.40.206/lol2.exe.
At the time of writing, only 20 of the 43 AV engines at VirusTotal detected the trojan.
VirusTotal permalink and MD5: cc040e69121bc19f23ef4a32dbb8a80e.
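The indicators above (spoofed ups.com sender, the lure subject, the archive and dropped file names, the sample MD5, the IP 188.8.131.52 and the lol2.exe download URL) are what a mail gateway or SOC would turn into detection rules. The following is an added example, not MX Lab's own tooling: it matches a message and a web-proxy log against those indicators. The message dictionary, the attachment bytes, the proxy log lines and their layout (timestamp, client, method, URL, status) are constructed for the demonstration, and the function names are hypothetical; only the IoC values come from the alert.

```python
"""IoC matcher built from the indicators in the MX Lab UPS alert.

Added example, not MX Lab's own tooling.  Sample message, attachment bytes
and proxy log lines are constructed; only the IoC values come from the alert.
"""
import hashlib
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Indicators from the alert.  The alert writes the URL defanged (hxxp://);
# it is normalised to http:// here so it compares directly against proxy logs.
IOC_SENDER_DOMAIN = "ups.com"
IOC_SUBJECT_PREFIX = "United Parcel Service notification"
IOC_ATTACHMENT_NAMES = {"UPSnotice.rar", "UPS notify.exe"}
IOC_MD5 = "cc040e69121bc19f23ef4a32dbb8a80e"
IOC_C2_IP = "188.8.131.52"
IOC_DOWNLOAD_URL = "http://184.108.40.206/lol2.exe"


def check_message(headers, attachments):
    """Return the indicators a message matches, in a fixed order.

    headers: dict of header name -> value (at least From and Subject).
    attachments: list of (filename, bytes) pairs.
    """
    hits = []
    _, from_addr = parseaddr(headers.get("From", ""))
    if from_addr.lower().endswith("@" + IOC_SENDER_DOMAIN):
        hits.append("from-domain:" + IOC_SENDER_DOMAIN)
    if headers.get("Subject", "").startswith(IOC_SUBJECT_PREFIX):
        hits.append("subject")
    for name, data in attachments:
        if name in IOC_ATTACHMENT_NAMES:
            hits.append("attachment-name:" + name)
        # The MD5 from the alert identifies the real sample; constructed
        # bytes in the demo will not match it, which is the point of a hash IoC.
        if hashlib.md5(data).hexdigest() == IOC_MD5:
            hits.append("attachment-md5")
    return hits


def is_suspicious(hits):
    """Decision rule: any attachment indicator is enough on its own.

    The sender domain and subject alone are not, because the From address is
    spoofed and legitimate UPS mail carries the same domain; they are kept as
    context for the analyst rather than as a trigger.
    """
    return any(h.startswith("attachment-") for h in hits)


# Constructed proxy log layout: "<epoch> <client> <METHOD> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def check_proxy_log(lines):
    """Return (client, reason) pairs for log lines touching the network IoCs."""
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        url = m.group("url")
        if url == IOC_DOWNLOAD_URL:
            findings.append((m.group("client"), "download-url"))
        elif urlsplit(url).hostname == IOC_C2_IP:
            findings.append((m.group("client"), "c2-ip"))
    return findings


# Constructed sample data (not captured from the campaign).
SAMPLE_MESSAGE = {
    "From": "United Parcel Service <notice@ups.com>",
    "Subject": "United Parcel Service notification 57183",
}
SAMPLE_ATTACHMENTS = [
    ("UPSnotice.rar", b"Rar!\x1a\x07\x00 constructed placeholder, not the real archive"),
]
SAMPLE_PROXY_LOG = [
    "1300000001.412 10.0.0.15 GET http://184.108.40.206/lol2.exe 200",
    "1300000002.001 10.0.0.15 POST http://188.8.131.52/ 200",
    "1300000003.777 10.0.0.22 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    hits = check_message(SAMPLE_MESSAGE, SAMPLE_ATTACHMENTS)
    print("message indicators:", hits, "-> suspicious:", is_suspicious(hits))
    for client, reason in check_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy: client {client} matched {reason}")
```

The decision rule deliberately refuses to fire on the spoofed sender or the subject by themselves: both are cheap for the attacker to vary and both collide with real UPS notifications, whereas the attachment name, the sample hash and the network indicators are specific to this campaign. The proxy check distinguishes the download host (184.108.40.206) from the connect-back IP (188.8.131.52) because the alert lists them as two separate indicators.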