Tuesday, February 26, 2013

FedEx spam loads malware

Received an email from (supposedly) FedEx today, seems my parcel was unable to be delivered:

Print your receipt!

Mail details:

Subject: Shipping Information

Sender: stoiciu_ro01@uhost.ro

Tracking ID: 1795-21492944
Date: Monday, 18 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 20. Courier was unable to deliver the parcel to you at 20 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013

The 'Print Receipt' button points to a filesharing website, where a ZIP file gets downloaded. Inside the ZIP is an EXE file with a neat little Word icon. When running the file:

Postal Receipt information

You get a Notepad file with some information. Is your name Mark Smith? No? Then you're infected. Is your name Mark Smith? Then you're infected anyway. 

Does this behaviour look familiar? Well noticed, we've seen this in a post from some months ago:

Gathered files. Contact me for a copy.

Some more details about the downloaded file:
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report

The following file was dropped in the %appdata% folder:
MD5: d335b890e1bc260a259b994533333d02
VirusTotal Report
Anubis Report
ThreatExpert Report

The malware tries to connect to the following IPs:

It performs the following GET request on port 8080, probably to download more malware (I was however unable to reproduce any additional droppers or system modifications):

/509A37A363A4A88C8B6BBD234F063B9CEE4072C470F04B0AB239C05FF89DA4B98D1E54BF77C0CD96CD8BC4004B3459C13194D0F9E0D64CF108A635F7468E817F408A20EF7149233F1356D2B3565F49

  • Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the Adobe or Word icons, they are actually EXE files. You can enable an option in Windows so you're always sure of the filetype being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running. In this case, the payload is at least 4 months old! This should be easily detected by your antivirus product.
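One check that follows from the ZIP-with-a-Word-icon trick above and from the advice on file extensions, written as an added example for this post (not the author's code): triage every entry of an attachment archive by executable extension and by the PE "MZ" header, so neither the icon nor a misleading name decides. The archive it scans is constructed inline; the entry names are made up.

```python
import io
import os
import zipfile

# Extensions Windows will run even when the file carries a document icon
# (the sample in the post was an EXE dressed up with a Word icon).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAGIC_LEN = 2  # bytes needed to recognise the DOS/PE "MZ" header


def triage_zip(zip_bytes):
    """Return (entry name, reason) pairs for every entry that is an executable.

    An entry is flagged when its name ends in an executable extension, and
    separately when its first bytes are the "MZ" header of a Windows
    executable, whatever the name says. Both reasons may apply to one entry.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension %s" % ext))
            with zf.open(info) as fh:
                head = fh.read(MAGIC_LEN)
            if head == b"MZ":
                findings.append((name, "PE/DOS MZ header"))
    return findings


def build_sample_zip():
    """Constructed sample archive, not the real attachment: a harmless text
    file, an EXE, and a PE stub hidden behind a .doc name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Postal receipt information\n")
        zf.writestr("Postal_Receipt.exe", b"MZ" + b"\x90" * 62)  # fake DOS header
        zf.writestr("Receipt.doc", b"MZ" + b"\x00" * 30)  # wrong extension, still PE
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample_zip()):
        print("FLAG %s: %s" % (entry, reason))
```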


  1. I've seen a lot of these come to my webmaster@ account. The malware seems to be hosted on compromised Joomla servers within the /components directory (in a "hidden" . directory)

    1. Happens quite a lot, not only with Joomla but also WordPress and other popular CMS systems.

      Thanks for your comment!