“USPS – Missed package delivery” email contains trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “USPS – Missed package delivery”.

The email is sent from the spoofed address “USPS Express Services <service-notification@usps.gov>” (note: at the SMTP level, the envelope sender address is fraud@aexp.com, which does not match the From header) and has the following body:

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 650644310382

Print this label to get this package at our post office.

Please attention!
For mode details and shipping label please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
USPS Logistics Services.

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attached ZIP file has the name USPS_Label_650644310382.zip and contains the 25 kB file USPS_Label_03102013.exe.

At the time of writing, none of the 48 AV engines at VirusTotal detected the trojan (0 of 48).

VirusTotal permalink and SHA256 of the sample: 909f2da52adff3a72e8bafb0eb925be6352a5e02a523519085a119824f15c2e1.
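The three indicators the post gives (a display From header that disagrees with the SMTP envelope sender, a ZIP attachment carrying an executable, and a SHA256 to look up on VirusTotal) are exactly what a mail-gateway triage script checks before any AV signature exists. The script below is an added example, not MX Lab's own tooling: it builds a constructed message that reuses the header addresses and file names quoted above, with a harmless placeholder in place of the real executable, then parses the raw message, compares header and envelope sender domains, lists the members of any ZIP attachment, flags executable file names, and hashes each member so the value can be looked up. The executable-suffix list is an assumption of the example, not something from the page.

```python
"""Triage a suspicious email: compare the From: header with the SMTP envelope
sender, unpack ZIP attachments, flag executables inside them and hash them."""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# File names Windows will run on double-click. Non-exhaustive; an assumption of this example.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Constructed stand-in for the attached executable: an MZ header plus padding, not malware.
PLACEHOLDER_EXE = b"MZ" + b"\x00" * 62 + b"placeholder payload for the example\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256, the same value you would paste into a VirusTotal search."""
    return hashlib.sha256(data).hexdigest()


def build_sample_email() -> bytes:
    """Construct a message mirroring the campaign's headers and attachment names.

    The From: display address, the envelope sender and the file names are those quoted
    in the post; the ZIP content is the harmless placeholder above."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("USPS_Label_03102013.exe", PLACEHOLDER_EXE)

    msg = EmailMessage()
    # Return-Path is what the receiving MTA records from the SMTP MAIL FROM command.
    msg["Return-Path"] = "<fraud@aexp.com>"
    msg["From"] = "USPS Express Services <service-notification@usps.gov>"
    msg["To"] = "recipient@example.invalid"  # constructed recipient
    msg["Subject"] = "USPS - Missed package delivery"
    msg.set_content("The courier company was not able to deliver your parcel by your address.\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="USPS_Label_650644310382.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the indicators found in it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    header_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()

    report = {
        "header_from": header_from,
        "envelope_from": envelope_from,
        # A mismatch alone is not proof of abuse (forwarders and mailing lists cause it too),
        # but combined with a brand in the display name it is a strong phishing signal.
        "sender_mismatch": header_domain != envelope_domain,
        "attachments": [],
    }

    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(), "sha256": sha256_hex(data), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    content = zf.read(info)  # members are small here; size-limit this in production
                    entry["members"].append({
                        "name": info.filename,
                        "size": info.file_size,
                        "sha256": sha256_hex(content),
                        "executable": info.filename.lower().endswith(EXECUTABLE_SUFFIXES),
                    })
        report["attachments"].append(entry)

    report["executable_in_archive"] = any(
        m["executable"] for a in report["attachments"] for m in a["members"]
    )
    report["verdict"] = (
        "suspicious" if report["sender_mismatch"] or report["executable_in_archive"] else "clean"
    )
    return report


if __name__ == "__main__":
    result = triage(build_sample_email())
    print(f"From header : {result['header_from']}")
    print(f"Envelope    : {result['envelope_from']} (mismatch={result['sender_mismatch']})")
    for att in result["attachments"]:
        print(f"Attachment  : {att['filename']} sha256={att['sha256']}")
        for m in att["members"]:
            print(f"  member    : {m['name']} ({m['size']} bytes) exe={m['executable']} sha256={m['sha256']}")
    print(f"Verdict     : {result['verdict']}")
```

The member hash is the value to search on VirusTotal; when, as in this campaign, the search returns zero detections, the sender mismatch and the executable-inside-archive finding are what should drive quarantine at the gateway rather than waiting for signatures.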

3 thoughts on “‘USPS – Missed package delivery’ email contains trojan”

  1. I opened the attachment this morning. How do I make sure everything malicious is removed from my computer?

    • On our blog we have a few links towards security tools that will scan your computer. Run them and see if you still find any traces of the virus to be removed.

      The only problem at this time is that the anti-virus engines haven’t detected this virus yet (all the anti-virus engines on Virus Total provided no detection for this when I submitted a sample). This may change within the next few hours when new anti-virus definitions and updates are rolled out.

      • Thanks for replying. I’m running the Iolo virus & spyware scan now. I did find an application file in the Temporary Internet Files folder named USPS_Label_03102013, which I’m sure is the malicious file.
