Trojan variant distributed in image-based email regarding non-delivery of parcel by UPS


MX Lab, http://www.mxlab.eu, intercepts image-based emails claiming that a UPS package could not be delivered because of a faulty recipient address. The emails use a range of subjects, such as:

Error in the delivery address ID#7277
Failure to deliver ID #92198
Print your postal label
UPS delivery refuse ID #4714
You should come to the post office
Your delivery status has changed
….

The email is sent from the spoofed address “UPS Services <details@ups-us.com>” and has the following body, shown as an image:

Behind the image is a URL of the form hxxp://buzzstar.co.uk/JUVNEFNQVI.htm. Visiting it downloads a file named Label_Copy_UPS.zip, which contains the 78 kB file Label_Copy_UPS.exe.

The trojan is detected under the names Spyware/Win32.Zbot, Trojan-Downloader.Win32.Kuluoz.z, Mal/NecursDrp-A, WS.Reputation.1 and TROJ_GEN.F47V0815.

At the time of writing, 9 of the 42 AV engines at VirusTotal detected the trojan.

VirusTotal permalink and SHA256: 04d1972dc3148b280ca65312e49faa7082924dadba66b61f2c3fce44703eaefb.
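The indicators above (a sender claiming to be UPS from a non-UPS domain, one of the listed subjects, an image linking to a random-looking upper-case `.htm` page, and a zip attachment carrying an `.exe`) are the kind of thing a mail gateway or triage script can check for. The following is an added example written for this page, not MX Lab's own tooling: it builds a constructed sample message in memory that mimics the described lure (the `lure.example.net` domain, the recipient, and the dummy zip contents are made up; the subject, spoofed sender, path name and archive/file names come from the post) and runs an indicator scan over it. The set of legitimate UPS domains and the list of executable extensions are assumptions.

```python
"""Indicator scan for the UPS-themed image-based malspam described above.

Added example (not MX Lab's code). The sample message, the zip archive and the
indicator lists are constructed here; subjects, spoofed sender, URL shape and
archive/file names are taken from the post.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the post, matched case-insensitively without the numeric ID.
CAMPAIGN_SUBJECTS = [
    r"error in the delivery address",
    r"failure to deliver",
    r"print your postal label",
    r"ups delivery refuse",
    r"you should come to the post office",
    r"your delivery status has changed",
]
# Assumption: the only domain a genuine UPS notification would come from.
LEGIT_UPS_DOMAINS = {"ups.com"}
# Lure page shape from the post: a random upper-case name with an .htm extension.
LURE_URL = re.compile(r"https?://[^\s\"'<>]+/[A-Z]{8,12}\.htm\b")
# Assumption: extensions that should never sit inside a "shipping label" zip.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif")


def executables_in_zip(data: bytes) -> list[str]:
    """Return member names inside a zip archive that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def find_indicators(raw: bytes) -> list[str]:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Display name says UPS but the address domain is not a UPS domain.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if "ups" in name.lower() and domain not in LEGIT_UPS_DOMAINS:
        hits.append(f"spoofed UPS sender: {addr}")

    subject = msg.get("Subject", "")
    if any(re.search(p, subject, re.I) for p in CAMPAIGN_SUBJECTS):
        hits.append(f"campaign subject: {subject}")

    # The image in the body is wrapped in a link to the lure page.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for m in LURE_URL.finditer(text):
        hits.append(f"lure URL: {m.group(0)}")

    # A zip attachment that contains an executable is flagged regardless of name.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            for member in executables_in_zip(part.get_payload(decode=True)):
                hits.append(f"zip contains executable: {fname} -> {member}")
    return hits


def build_sample() -> bytes:
    """Construct a message mimicking the described lure (sample data, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_Copy_UPS.exe", b"MZ not a real executable")  # constructed
    msg = EmailMessage()
    msg["From"] = "UPS Services <details@ups-us.com>"
    msg["To"] = "recipient@example.org"  # constructed
    msg["Subject"] = "Failure to deliver ID #92198"
    msg.set_content("Your parcel could not be delivered.")
    msg.add_alternative(
        '<html><body><a href="http://lure.example.net/JUVNEFNQVI.htm">'
        '<img src="cid:label"></a></body></html>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Label_Copy_UPS.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_indicators(build_sample()):
        print(hit)
```

Running the script prints the four indicators found in the constructed sample (spoofed sender, campaign subject, lure URL, executable inside the zip). A message without those traits, such as a plain text note from an unrelated sender, yields an empty list. The zip check deliberately keys on member extensions rather than on the `Label_Copy_UPS` name, since comment 3 below reports a differently named archive (`label_copy_ups-1.zip`) from the same campaign.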

5 thoughts on “Trojan variant distributed in image-based email regarding non-delivery of parcel by UPS”

  1. I unfortunately managed to click on the link while on my iPad. From my research thus far, it seems this is a trojan targeting Windows machines. When I clicked on the link nothing happened. No downloads, etc. What are the chances of my iPad being affected?

  2. Thanks for the info. I just received this email. Looks exactly like what is posted here, except the URL connected to the image is hxxp://www.circleconsulting.com/DSLHWVAXWN.htm. Since I’m running Linux, nothing happens when clicking on the Label_Copy_UPS.exe file, which in my case is 109.5 KB.

    • I had the same exact experience. Microsoft Essentials full virus scan found nothing. No evidence of any payload (my click on the label download was within AOL.com, and even though I overrode the barriers, I got no response that I could find in terms of any download according to download manager or any exterior search of my Windows 7 Pro files).

  3. My sister-in-law clicked on the print function and this thing took over. It deleted the user info on Windows 7 and erased almost all ability to get access to it. I did however suspend the system host processes it was using (with Process Explorer v14.12 rather than the Task Manager) to be able to regain control of the computer. It killed a 7 hour battery in less than an hour and the laptop got so hot it was almost untouchable. It deleted all system restores as well. She got it on her AOL mail account as well and Microsoft Essentials did not detect or find it on a full system scan. Good thing it was my 11-year-old daughter’s computer. My sister-in-law did try to access it on her smart phone at first but nothing happened. The file name was label_copy_ups-1.zip with http://www.globos.co.rs. The file size was 38.69 KB. This is the info she got off the failed attempt on the phone. The image was, according to my sister-in-law, like the one above. We are currently booting the system on a bootable CD and copying the hard drive. Our intent is to do a factory restore and recover only the data files if and as needed from the copy put on a portable hard drive. This is our best choice because it’s an 11-year-old’s laptop and, thank god, not my work computer in the same house.

  4. One other thing: its activities using svchost.exe were seen in Process Explorer under the TCP/IP tab. It was sending things out to mailing addresses and accessing various IPs as fast as it could scroll up the screen. It was using multiple svchost.exe processes and it created at least one findable new user entry/section in the registry. Control Panel, My Computer, Internet Explorer and almost all other Start Menu programs that you would use to see what was going on were deleted, some/most not findable with a file search. The Control Panel at first was searchable but shortly after became at least not findable. It did use 98% of the CPU until it was suspended but was not clearly defined/located in Task Manager. It was however easily seen with Process Explorer v14.12. Hope this info helps others who have the misfortune to get this variation of the virus.
