Received an email from (supposedly) FedEx today; it seems my parcel could not be delivered:
Print your receipt!
Mail details:
Subject: Shipping Information
Sender: stoiciu_ro01@uhost.ro
X-Originating-IP: 195.78.124.42
Content:
FedEx
Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20.
Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
The 'Print Receipt' button points to a file-sharing website, from which a ZIP file is downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When running the file:
Postal Receipt information
You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway.
Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:
Gathered files. Contact me for a copy.
Some more details about the downloaded file:
Postal-Receipt.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report
The following file was dropped in the %appdata% folder:
ujfhmdlk.exe
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report
The malware tries to connect to the following IPs:
46.105.143.110
50.115.116.201
74.117.61.123
77.79.81.166
81.93.248.152
87.106.51.52
91.121.140.40
91.121.28.146
93.125.30.232
95.140.203.241
109.235.252.2
118.97.15.13
122.155.18.53
149.62.168.76
188.165.205.46
190.111.176.13
190.111.176
202.153.132.24
213.229.106.32
217.11.63.194
It performs the following GET request on port 8080, probably to download more malware (I was however unable to reproduce any additional droppers or system modifications):
/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49
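As an added illustration (my own example, not code from the original post or from any tool mentioned in it): a small Python triage script that turns the indicators above into checks a defender can run. It flags proxy log entries that reach the listed addresses or that show the same beaconing shape (a GET on port 8080 whose path is one long run of hex digits, generalised so a rotated server or path still trips it), compares a file's MD5 against the dropper hash, and lists the executables hidden inside a ZIP attachment like the one described earlier in the post. The proxy log layout, the sample log lines and the in-memory ZIP are all constructed for this example.

```python
import hashlib
import io
import re
import zipfile
from typing import List, NamedTuple, Tuple

# Indicators taken from the post above. The truncated entry "190.111.176"
# is left out because it is not a complete address.
C2_IPS = frozenset({
    "46.105.143.110", "50.115.116.201", "74.117.61.123", "77.79.81.166",
    "81.93.248.152", "87.106.51.52", "91.121.140.40", "91.121.28.146",
    "93.125.30.232", "95.140.203.241", "109.235.252.2", "118.97.15.13",
    "122.155.18.53", "149.62.168.76", "188.165.205.46", "190.111.176.13",
    "202.153.132.24", "213.229.106.32", "217.11.63.194",
})
KNOWN_MD5 = frozenset({"d335b890e1bc260a259b994533333d02"})

# The check-in seen in the post is a GET on port 8080 whose path is a long
# run of hex digits. Matching the shape instead of the exact string means a
# fresh server or a rotated path is still caught.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{64,}$")

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <server_ip>:<port> <method> <path>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    port: int
    reasons: Tuple[str, ...]


def check_request(dst: str, port: int, method: str, path: str) -> Tuple[str, ...]:
    """Return the reasons (possibly none) a single request looks like this dropper."""
    reasons = []
    if dst in C2_IPS:
        reasons.append("known C2 address")
    if port == 8080 and method == "GET" and HEX_PATH.match(path):
        reasons.append("hex-blob GET on 8080")
    return tuple(reasons)


def scan_log(text: str) -> List[Hit]:
    """Parse proxy log lines and return every request that matched an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # blank or unparseable line: skip rather than crash
        port = int(m["port"])
        reasons = check_request(m["dst"], port, m["method"], m["path"])
        if reasons:
            hits.append(Hit(m["ts"], m["src"], m["dst"], port, reasons))
    return hits


def is_known_sample(data: bytes) -> bool:
    """True when the file content hashes to the dropper MD5 from the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executable_members(zip_bytes: bytes) -> List[str]:
    """Names inside a ZIP that are Windows executables, whatever icon they carry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: a fake EXE plus a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Postal-Receipt.exe", b"MZ this is not a real program")
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


# Constructed sample log: the first line is benign, the other three should be flagged.
SAMPLE_LOG = """\
2013-02-21T10:14:55 10.0.0.12 203.0.113.5:80 GET /index.html
2013-02-21T10:15:02 10.0.0.12 46.105.143.110:8080 GET /509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49
2013-02-21T10:15:09 10.0.0.12 198.51.100.7:8080 GET /0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
2013-02-21T10:15:30 10.0.0.12 91.121.140.40:443 POST /upload
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.port}  {', '.join(hit.reasons)}")
    print("executables in attachment:", executable_members(build_sample_zip()))
```

The third sample line reaches an address that is not in the post's list, yet it is still reported because the request has the same shape as the check-in; that is the point of pattern-matching the beacon rather than only pinning exact addresses, which the operators can change far more easily than their dropper's behaviour.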
Conclusion
- Don't click on any link(s) from unknown senders. In fact, don't even open mail from unknown senders.
- Have you indeed ordered something? Check the status of it directly on the supplier's website.
- Don't be fooled by the Adobe or Word icons; they are actually EXE files. You can enable an option in Windows so you're always sure of the file type being used: Enable Viewing of Filename Extensions for Known File Types
- Install an antivirus and antimalware product and keep it up-to-date and running. In this case, the payload is at least 4 months old! It should be easily detected by your antivirus product.