Trojan masked as a FedEx Agent File Form


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects like:

FedEx: AGENT FILE FORM, Fri, 18 Nov 2011 08:55:14 +0900
FedEx: New Agent File Form, trackid: DFP0W0G3ETL62005

The email is sent from the spoofed address “FedEx Express <noreply@fedex.com>” and has the following body:

The FedEx Export AgentFile form replaces the paper SED which is no longer required by the US government. All EEI shipments must be filed electronically with the government prior to tendering the shipments to FedEx. For all future shipments that require an EEI, please complete and sign the attached form and fax it to (866) 879-9037 or you may email your request to mem-agentsed@mail.fedex.com. An ITN (internal transaction number) provided by the government will be communicated to you via your choice of: phone, email or fax. The ITN must be written on your AWB or label. The ITN indicates that the shipment has been submitted to the government and approved to export.

Also, listed below for your convenience is the US government website for Schedule B numbers. Should there be any doubt of the commodity number being provided on the SED Agent File form, please taken advantage of this valuable resource.

Thank you for choosing FedEx,

Manifesting Ops Asst.
FedEx Express
EEI Department/AES Processing
2927 Southwide Bldg B
Memphis, Tennessee 38118
Tel: 866 352-3252 (Opt. 2)
Fax: 866 879-9037

The attached ZIP file is named FedEx-AgentFile-Form-nov-2011-8447.zip and contains the 190 kB file FedEx-AgentFileForm.exe.

The trojan is known as Spyware/Win32.Zbot (AhnLab-V3), Artemis!01CD13A561FF (McAfee) and WS.Reputation.1 (Symantec).

At the time of writing, only 5 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and MD5: 01cd13a561ff5396604b8718e911b49f.
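A mail-gateway check built from the indicators above (spoofed FedEx sender, "Agent File Form" subject, ZIP attachment carrying an .exe, and the published MD5), added here as an example and not part of the MX Lab post. The message and ZIP it inspects are constructed inline with a harmless placeholder in place of the executable, so the structural rules fire but the hash match does not.

```python
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# MD5 of FedEx-AgentFileForm.exe as published in the write-up.
KNOWN_BAD_MD5 = {"01cd13a561ff5396604b8718e911b49f"}


def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a message matches the FedEx 'Agent File Form' lure."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    sender = msg.get("From", "").lower()
    subject = msg.get("Subject", "").lower()
    if "fedex" in sender and "agent file form" in subject:
        reasons.append("FedEx sender with 'Agent File Form' subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(".exe"):
                        reasons.append(f"ZIP {name} contains executable {info.filename}")
                        md5 = hashlib.md5(zf.read(info)).hexdigest()
                        if md5 in KNOWN_BAD_MD5:
                            reasons.append(f"{info.filename} MD5 {md5} is a known sample")
        except zipfile.BadZipFile:
            reasons.append(f"attachment {name} is not a valid ZIP")
    return reasons


def build_sample() -> bytes:
    """Constructed lookalike of the reported email; the .exe body is a placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx-AgentFileForm.exe", b"placeholder bytes, not the real sample")
    msg = EmailMessage()
    msg["From"] = "FedEx Express <noreply@fedex.com>"
    msg["Subject"] = "FedEx: New Agent File Form, trackid: DFP0W0G3ETL62005"
    msg.set_content("The FedEx Export AgentFile form replaces the paper SED ...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx-AgentFile-Form-nov-2011-8447.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in inspect_message(build_sample()):
        print("FLAG:", reason)
```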

7 thoughts on “Trojan masked as a FedEx Agent File Form”

  1. I just got one of these as well. It looked surprisingly legitimate (although there were certain tell-tale signs, including an immediate origin in the headers of an SMTP server in Argentina) given FedEx’s normally obscure communication style.

  2. What flagged me for this particular email was the last sentence, “…please taken advantage of this valuable resource.”

  3. My email is crashing constantly because of this virus. Can anyone assist me in removing it from my system? I really appreciate it.

  4. Received the same email this morning. The “From” field is “noreply@fedex.com” but the language and format of the email appeared suspicious so I searched the Internet and found this page before clicking the attachment. To my knowledge, FedEx has never sent a zip file to all its customers in this manner.
