Wednesday, February 9, 2011

United Parcel Service notification #82929

Today I received an email with the subject "United Parcel Service notification #82929"

Apparently my order was sent to my home address and now they are sending me an email with additional information. How kind of them :).



You can supposedly find more information in the attachment.


The text is mostly the same; here is a small variant:
Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.



There is a file attached called "USPS_Document.zip". Other variants may be "UPS_Document.zip", "UPS.zip", "UPS-tracking.zip", and so on. In the ZIP archive you will find a file called UPS_Document:


UPS_Document.exe


What stands out here is that the file is not a PDF file, as you might expect, but an executable (.exe), in other words the malware itself. Keep in mind that Windows hides known file extensions by default, so in Explorer this file may simply show up as "UPS_Document" with whatever icon the attacker chose.


UPS_Document.exe
Result: 38/41 (92.7%)
MD5: 047bcd79fa681442b37bdf9b56c2257f


UPS.exe


Result: 17/43 (39.5%)
MD5: a668f20228e37a12bc033f5e2c014007
VirusTotal
ThreatExpert



Other subjects of this email might be:
- United Parcel Service notification #[random number]
- UPS Delivery Problem #[random number]
- UPS notification #[random number]
- United Parcel Service
- Post Express Service. Track your parcel! NR[random number]
- Post Express Information. You need to get a parcel NR [random number]
- UPS ticket #[random number]
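As an added example (not part of the original post), here is a small Python triage script that applies two of the indicators described above to a raw e-mail: the subject patterns from the list, and a ZIP attachment that contains a Windows executable. The executable check goes beyond the post's case by looking at both the file extension and the "MZ" header, so an .exe renamed to .pdf inside the archive is still caught. The e-mail, the sender and recipient addresses, the fake executable bytes and the extra "tracking.pdf" member are all constructed inline for the demonstration; only the subject line and the attachment names come from the post.

```python
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Subject lines listed in the post; the trailing number is random per message.
SUBJECT_PATTERNS = [
    r"^United Parcel Service notification #\d+$",
    r"^UPS Delivery Problem #\d+$",
    r"^UPS notification #\d+$",
    r"^United Parcel Service$",
    r"^Post Express Service\. Track your parcel! NR\d+$",
    r"^Post Express Information\. You need to get a parcel NR ?\d+$",
    r"^UPS ticket #\d+$",
]

# Extensions Windows will execute directly (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def subject_matches(subject):
    """True if the subject matches one of the known campaign patterns."""
    return any(re.match(p, subject, re.IGNORECASE) for p in SUBJECT_PATTERNS)


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header, whatever the file name says."""
    return data[:2] == b"MZ"


def inspect_zip(zip_bytes):
    """Return one finding per archive member: name, MD5, and two executable checks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            findings.append({
                "name": info.filename,
                "md5": hashlib.md5(data).hexdigest(),  # compare against published hashes
                "by_extension": ext in EXECUTABLE_EXTENSIONS,
                "by_magic": is_pe(data),
            })
    return findings


def triage(raw_message):
    """Parse a raw RFC 822 message and collect subject and attachment findings."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    subject = str(msg.get("Subject", ""))
    report = {"subject": subject, "subject_suspicious": subject_matches(subject), "attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        entry = {"filename": part.get_filename() or "", "zip_members": []}
        if zipfile.is_zipfile(io.BytesIO(payload)):
            entry["zip_members"] = inspect_zip(payload)
        report["attachments"].append(entry)
    return report


def verdict(report):
    """Quarantine when a campaign subject is paired with an executable inside a ZIP."""
    exe_inside = any(m["by_extension"] or m["by_magic"]
                     for a in report["attachments"] for m in a["zip_members"])
    return report["subject_suspicious"] and exe_inside


def build_sample():
    """Constructed sample message: not a real capture, only the names mirror the post."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."  # fake stub, not malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document.exe", fake_pe)
        zf.writestr("tracking.pdf", fake_pe)  # same executable renamed to look like a document
    msg = EmailMessage()
    msg["Subject"] = "United Parcel Service notification #82929"
    msg["From"] = "noreply@example.invalid"     # constructed sender
    msg["To"] = "customer@example.invalid"      # constructed recipient
    msg.set_content("Dear customer.\nThe parcel was sent your home address.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="USPS_Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage(build_sample())
    for a in report["attachments"]:
        for m in a["zip_members"]:
            print(m)
    print("quarantine" if verdict(report) else "pass")
```

The subject check alone is weak (a legitimate UPS mail could share a subject), and the extension check alone misses renamed files, which is why the verdict requires the subject match and an executable found by either test. The MD5 of each member is included so it can be compared with the hashes given for the samples earlier in this post or submitted to VirusTotal.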



Conclusion

You should never trust an email which has:

- only a URL in the message body
- an attachment that you need to open to view 'information'
- poor spelling and grammar, if there is any content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean! The second sample above was only flagged by 17 of 43 engines at the time of scanning, so a low detection rate on a fresh sample is no reassurance either.

Additionally, if you have executed the file, and believe you are infected, you can follow this guide to remove the malware:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

Feel free to add any comments if you have any problems or questions.

8 comments:

  1. thank you, i just get an email notification. I will not open it.

  2. Thank you for teaching me

  3. You missed out on some great fun by not opening that attachment. Someone here did :( and the result was a nice blue desktop background with lots of 1010101's and some text warning about how the computer's security is now compromised, explaining how it works by uploading data when you connect to the net, and that one should get an antivirus asap. Plus a stupid program launches with windows startup and pretends to scan some files and find them infected. Plus the usual stuff, no working task manager, no other programs starting anymore, no ctrl-alt-del, no working AVG, no ..., no ...

    I was hoping to find an easy way to get rid of it, but I guess I'll just reinstall windows.

  4. I am so grateful that you posted this. I just received this suspicious email today, and thought to check google. Thank you again!

  5. You're welcome everyone.

    @Anonymous, MARCH 4, 2011 11:09 PM:

    There are guides on the internet that can help you remove the virus (in this case: rogueware).

    Following this guide will help you in solving the problem:
    http://www.bleepingcomputer.com/virus-removal/remove-system-tool

  6. hi there, you just saved me from getting hacked! had the same email today.. had so many now claiming to be bank account alerts, PayPal alerts, ebay etc! can see straight through them now! thank you for the heads up!

  7. yeah, there is so much spam mail coming into our mailbox; it is all like what you have described above.
