Received an email today, supposedly from FedEx, saying my parcel could not be delivered:
|Print your receipt!|
Subject: Shipping Information
Content:
FedEx
Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20.
Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
The 'Print Receipt' button points to a file-sharing website from which a ZIP file is downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When the file is run:
|Postal Receipt information|
You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway.
Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:
|Gathered files. Contact me for a copy.|
Some more details about the downloaded file:
The following file was dropped in the %appdata% folder:
The malware tries to connect to the following IPs:
It performs the following GET request on port 8080, probably to download more malware (I was, however, unable to reproduce any additional droppers or system modifications):
/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49
- Don't click on links from unknown senders. In fact, don't even open mail from unknown senders.
- Have you actually ordered something? Check its status directly on the supplier's website.
- Don't be fooled by Adobe or Word icons: the files are actually EXEs. You can enable an option in Windows so the file type is always visible:
Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up to date and running. In this case, the payload is at least 4 months old! It should be easily detected by your antivirus product.
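As an added illustration of the icon/extension trick described in the tips above (example code written for this post, not anything the original author or FedEx published), the script below inspects a ZIP archive for entries that look like executables dressed up as documents: a double extension such as `.doc.exe`, or a PE `MZ` header behind a non-executable name. The sample archive it builds is constructed inline with a harmless fake PE stub, not the real lure.

```python
import io
import zipfile

# Extensions Windows will execute on double-click; the lure in the post was an .exe
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-style extensions a lure borrows to look harmless (e.g. "receipt.doc.exe")
DOC_EXT = {".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx", ".rtf"}


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in EXEC_EXT:
        reasons.append("executable extension " + ext)
        if inner in DOC_EXT:
            reasons.append("document-style inner extension " + inner + " (double extension)")
    # A PE file starts with the 'MZ' DOS header whatever name (or icon) it carries
    if head[:2] == b"MZ":
        if ext in EXEC_EXT:
            reasons.append("PE header (MZ)")
        else:
            reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def scan_zip(data):
    """Map each suspicious entry name in a ZIP (given as bytes) to its findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)          # only the first two bytes are needed for the MZ check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample shaped like the post's 'Postal Receipt' ZIP, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal_Receipt.doc.exe", b"MZ" + b"\x90" * 62)  # fake PE stub, not malware
        zf.writestr("notes.txt", b"Just a text file")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(why))
```

Run it against a downloaded archive by passing the file's bytes to `scan_zip`; an empty result means no entry tripped either check, not that the archive is clean.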