URL in image based FedEx emails downloads Postal-Receipt.zip trojan

MX Lab, http://www.mxlab.eu, is intercepting image based emails regarding a FedEx parcel delivery issue with an URL that downloads the file Postal-Receipt.zip.

The email is send from the spoofed address “Express Mail”, “First Class Mail Service” or similar. The subject is in the format:

Number (446)20-446-446-7330-7330
Tracking Number (T)QGC78 019 239 7310 8313

The message has the following body:

the embedded URL behind the image will lead you to hosts like hxxp://www.powerkiteshop.com/QRLSLTDMKI.php?php=receipt, hxxtp://anistarr.com/job.php?php=receipt or similar.

The downloaded file is Postal-Receipt.zip and once extracted contains the file Postal-Receipt.exe.

The trojan is known as BackDoor.Generic_r.ARH, Gen:Variant.Symmi.7362, Trojan-Downloader.Win32.Kuluoz.abp, Ransom-AAY.gen.q and others.

At the time of writing, 13 of the 46 AV engines did detect the trojan at Virus Total.

Virus Total permalink and SHA256: 48e5385705400fda8198cf426abaffa7a627f596720e0ab420ff4e4cfe93a5f4.

18 thoughts on “URL in image based FedEx emails downloads Postal-Receipt.zip trojan

  1. I did click on the link but closed the window before it came up do you think it could have downloaded. If yes what type of virus is this? Please help……..

    • usually its not enough to simply download the file, as long as you didn’t execute the .exe you should be fine. but update your antivirus and scan your computer as a safety measure.

    • Download Malwarebytes at http://www.malwarebytes.org from another computer. There are two versions. Download the free version and copy to a CD or a memory stick. Boot the infected computer. While the computer is booting, continually tap “F8” key. This will take you to a menu with boot choices. Arrow to “Safe Mode” and hit Enter. After the Safe Mode boot, you will notice larger than normal icons on the desktop. Don’t worry, this is normal. Put the CD or memory stick into the infected PC and locate the file you downloaded. I downloaded this file January 22, 2013 and the file version was named “mbam-setup-”. Run this file by double-clicking it. Choose your language during the setup. (I opted not to install the trial version of Malwarebytes Pro). After it is installed, it will ask you to update. I ignored this as I was disconnected from the internet (to keep the virus from getting more “ammo” to ruin the computer). Run the “Full Scan” and choose the drive you wish to scan (Usually “C” drive). After about an hour, you will see a report of what Malwarebytes found. Click on “Show results” (hope that’s the right wording). You will be prompted to quarantine the infected files. Reboot the mostly cleansed computer. Once rebooted, (be sure you reconnect your internet) open Malwarebytes again and click the “Update” tab. Once updated, run the full scan again. You’ll probably find a few more gremlins. If you are grateful at the free help, you can purchase the Pro version of Malwarebytes for about $30.00. In their words “The PRO version of Malwarebytes Anti-Malware monitors every process and stops malicious processes before they even start.” I have used this program numerous times to rid various computers of stuff the “big boys” of virus protection never seem to find. It also works very well to delete tool bars in Internet Explorer that never seem to go away. Best of luck! This is a nasty virus (worm, actually)! My mother-in-law learned a valuable lesson, and is now back playing online games….lol.

  2. I ran it now worried, I was expecting a package from FedEx so I opened and ran the EXE. only to find out it was a bad idea. This is on a PC. Now what do I do??

    • Don’t trust it. Many times your antivirus is fooled into telling you that it did take care of a threat-will even brag about it. Get something else to scan you like superantispyware or malwarebytes. TDSS Killer. all are free google them, and run them they should fix you up. Never EVER take a email for granted. Fed ex would NEVER want you to have to DOWNLOAD anything, And if your read the email-the wording is BAD. It happens to everyone, Some you don’t even have to run for them to get ya. Downloading is enough sometimes. Just don’t trust Mcafee, They suck. I have fixed many computers of serious viruses with the freebies that Mcafee let through.

    • I DID NOT “fall” for this a I am not a moron…..on the other hand, I am not a computer GEEK either! Hope you have better parenting
      in your next life Oh Mighty Genius gammafunction. Try to be helpful, not condescending next time- Get it??? Just saying

    • What an ass.

      Anyone can fall for computer trickery in an off moment; late night scanning of emails, or simply the careless stroke of a key.

      So park yourself back under the bridge Trollius!

  3. I have a MAC…thank you for the informative mbzdmvp! I also was expecting a package but decided to Google the “Download Postal Receipt”… that action took me here! For other people that are not sure of how to check validity of a malicious email, try sites like
    FBI — New E-Scams & Warnings- http://www.fbi.gov
    Just suggesting, not sure if they will help but snopes and google have helped me in the past….

    Stay Clean! =]

  4. Thank you, thank you. I usually recognize these fraud emails but I just wasn’t sure this time so I Googled for the .exe in the .zip file and you saved me in the nick of time!

  5. Sadly Malwarebytes failed to detect this malicious threat, Only a sleect few anti-virus or anti-malware seem to work effectively in detecting this specific threat

Comments are closed.