UPS email attachment virus

[DAustin]

I just received this it is from UPS Mail Support, subject is Your Tracking # 0540548533

the attachment is UPSInvoice8771.zip

The body reads

Sorry, we were not able to deliver postal package you sent on October the 19th in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 6$ per day.

Your UPS


Like an idiot I click on it without thinking. It put it in temo File and will not delete. Oh Joy!

The phishing bastards are charging me $36!!! I'm getting ripped off!!! I did not open zip files btw. *Almost* did, but not quite. Good luck restoring!

[237]

UPS: Your Tracking # 083985165619‏
From: <img id="P___717703412" webimdisplaystyle="inline" style="display: none;"> United Postal Service (mail@ups.com)
You may not know this sender.Sent: 17 December 2008 01:26:56 To: 1 attachment(s)
DOC651221...zip (42.6KB) (NOTE ATTACHMENTS DISABLED FOR SAFETY)


Sorry, we were not able to deliver postal package you sent on November the 1st in time
because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS
This is the message i had delivered to my email this morning. Firstly i do use courier services
often, however i very rarely use UPS. A number of things which alerted me that this was or could have
been a virus First the document zip is a big clue. When ever i receive an email
concerning a failed delivery a message will be sent to me but not through a zip file, so sorry boys
who ever made this you messed up there.2nd i got told that this would cost me 36$ per day
if i did not collect, well if this was my parcel all my details would be there and last they would
know i don't live in the USA so you messed up also.
3rd No contact name at the end of the email. Never fooled me

[Mary Smith]

THIS IS WHAT I RECEIVED BY E-MAIL TODAY:

From: ups02@post.ro
Subject: Attention,Attention,Attention
Date: February 15, 2009 4:52:33 PM PST
To: undisclosed-recipients: ;
Reply-To: ups01@post.ro

From: Daniel Jones
Dispatch Manager
United Parcel Service(UPS)
Phone:011-234-802-4417603

Customers Service Hours--Monday to Saturday:
Office Hours Monday to Saturday:

Attention,Attention,Attention

This is the United Parcel Service (UPS)mailing you
in respect of your ATM INTER SWITCH CARD that Mrs.
Monica Stewart brought to this company to be delivered to
you and before protocol commence we had a disput with the
(NICON)Insuarnce office about your insurance certificate but
all that was settled.

We are happy to inform you that your ATM INTER SWITCH
CARD that contains US$1,600,000,00 dollars' is among the 24
parcel's listed which is now in our office and also with your
name as the receiver despite that we lost your residential
address and we request that you re-send it to this office for
safe delivery of your card Without hesitation we advise
you to pay the delivery fee of US$80.00 via western union
to our cashier 2 below payment information for immediate
despatch of your parcel to your residentail address within 2days.
As the sender did not pay the US$80.00

Send the Delivery Fee through Western Union OR MoneyGram via this Payment
Information below

RECEIVERS NAME------ DUBEM ANDY
ADDRESS------------------24,AKOSA STR,SATELLITE TOWN
RECEIVERS COUNTRY----LAGOS /NIGERIA.
TEXT QUESTION------------WHAT BATCH.
TEXT ANSWER---------------.BATCH 1
AMOUNT TO BE PAID---------US$80.00

Send the payment information,the 10 Digit MTCN OR 8 Digit REFERENCE numbers
immediately

Yours In Service

Mr.Daniel Jones
Dispatch Manager
United Parcel Service(UPS)


No virus found in this outgoing message
Checked by PC Tools AntiVirus (4.0.0.20 - 10.054.001).
PC Tools AntiVirus - Free Anti Virus Download and Removal

[di52]

Attachment: Your_UPS_feea.zip(51.3KB)

Hello!

Unfortunately we were not able to deliver your postal package sent on the 21st of June in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.




--------------------------------------------------------------------------------



No virus found in this incoming message.
Checked by AVG - AVG Antivirus and Security Software - Real-time protection against viruses, spyware and malicious websites
Version: 8.5.421 / Virus Database: 270.14.5/2419 - Release Date: 10/07/09 05:18:00

[SiliconJon]

I saw a DHL one earlier this week, also.

[keh728]

As you read the message it becomes clear it is not UPS - mine had a Zip file attached to it.
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox.



Thank you.
United Parcel Service of America.

Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

[xx-jak-xx]

I recieved this email around 20 mins ago and decided to google it before opening it as - A. Ive not recently ordered anything and B. I never recieve or use UPS as a courier.

---------------------------------------------------------------------------------
MY EMAIL STATES
---------------------------------------------------------------------------------

From: "UPS Manager Merrill Estes" <tracking@ups.com>
Sent: Wed 13/01/10 16:06
To: <my email address>
Priority: Normal

Subject: UPS Tracking Number 1436424. Type: Attachments

Attachments: UPS_invoice_NR67974.zip 26.8 kb

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox.



Thank you.
United Parcel Service of America.

[zepper]

I've received the same a few times recently, but I just dumped them in the trash. This has been around for at least two years (check the date of the first post of this thread). I guess I was lucky in that I never had any UPS shipped item on the way when I received them, but I hope I wouldn't have been stupid enough to open any attachment without checking it out with a web search or an inquiry to the "assumed" sender. Most legit companies won't send any email with an attachment as a first contact.

.bh.

[laserlady]

My partner opened this UPS Email and attachment today, because he is expecting a delivery. Now we can't turn on our computer at all. It boots up, then we see the desktop for a fraction of a second, then it immediately shuts down again and invites us to put the password in again. Is it possible that the virus has changed our password?
How can we get rid of it if we can't get into the computer. Does this mean the computer is no good now?

[willisgates]

Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

Here is the actual email:

UPS Tracking Number 5423524.
Tuesday, January 12, 2010 7:11 PM
From: "UPS Manager Gerry Tapia" <tracking.support@ups.com>
To: "Deleted to protect the innocent"

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox.



Thank you.
United Parcel Service of America.

[eswan]

I have gotten 3 or 4 of theses..
______


Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox.



Thank you.
United Parcel Service of America.


UPS tracking number 9609631


If you get me an e-mail I can fwd the e-mail to you.
thanks,
~E millenuimman3000@yahoo.com

Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

[Smleyhou12]

Hi! I accidentally (stupidly) downloaded this virus. Trend Micro Security was unable to detect the virus after the initial infestation. I used OneCare to scan and attempt to fix my computer - it could detect the multiple Trojans but it was unable to fix them. Restarted my computer and now my wireless Internet, AV software and other components have been disabled. I am unable to do a system restore. What can I do? I'm in safe mode at the moment...

[Smleyhou12]

Hi! I accidentally (stupidly) downloaded this virus. Trend Micro Security was unable to detect the virus after the initial infestation. I used OneCare to scan and attempt to fix my computer - it could detect the multiple Trojans but it was unable to fix them. Restarted my computer and now my wireless Internet, AV software and other components have been disabled. I am unable to do a system restore. What can I do? I'm in safe mode at the moment...

[stroyal]

You can try reinstalling the programs in question, but you might have to do a complete reinstall of the operating system.

Backup everything first, if you haven't already.

[brobinsondk]

Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

UPS Tracking Number 6864513.‏
Dear customer! The courier company was not able to deliver your parcel by your address.Cause: Error in shipping address. You may pickup the parcel at our post office personaly! Please attention!The shipping label is attached to this e-mail. Please print this label to get this package at our post office. Please do not reply to this e-mail, it is an unmonitored mailbox. Thank you.United Parcel Service of America.

[SiliconJon]

I have yet to find a consistent and effective way to clean most of today's virus infections. Keep the data seperate from the OS so you can wipe 'er clean if she gets infected by something particularly mean as the vast amount of virus programs out there fail me when it comes to real infections these days. Spending hours trying only to fail, when a clean install is guaranteed to work (well, almost) and work well.

[stroyal]

I agree, My favorite cure for the nasty viruses is, Format C:

I always have an up to date backup though.

[bgrorud]

I have yet to find a consistent and effective way to clean most of today's virus infections. Keep the data seperate from the OS so you can wipe 'er clean if she gets infected by something particularly mean as the vast amount of virus programs out there fail me when it comes to real infections these days. Spending hours trying only to fail, when a clean install is guaranteed to work (well, almost) and work well.

It is frustrating that more technicians are not able to remove these viruses and instead resort to brute force fixes such as a reformat. I make sure my technicians are trained completely in spyware removal. As long as you know how to identify the load points, and utilize techniques such as using a PE environment like Ultimate Boot CD or Barts PE, or pull the drive and hook it up to another computer, load the registry hive and search the load points, search the drive for recently modified files, and/or the files referenced in those load points, etc, you can remove the viruses and 98% of the time restore the computer to working ocndition.

In case it helps anyone, here is the majority of the load points that I have found, if you know of more, feel free to post-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (compare to clean machine)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\LSA (Check authentication packages and notification packages, compare to clean)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Se ssion Manager - BootExecute Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Safeboot\minimal (& network - what is started in safe mode)
lHKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell \open\command (default should ="%1" %*)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (AppInit_dll)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (userinit, shell=, and notify)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 (Aux, or Aux2, check the file)
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ShellServiceObjectDelayLoad (search the {})
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\ShellExecuteHooks (search the {})
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\SharedTaskScheduler (search the {})
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Explorer\BrowserHelperObjects (search the {})
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run
lHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\RunOnce
lHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
lHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
C:\DOCUMENTS AND SETTINGS\%USERNAME%\START MENU\PROGRAMS\STARTUP
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP
CHECK THE SCHEDULED TASKS FOLDER!!!!
Delete Contents - C:\DOCUMENTS AND SETTINGS\%USERNAME%\LOCAL SETTINGS\TEMP

Delete Contents - C:\WINDOWS\TEMP
Delete all Temporary Internet Files

Search hard drive for recently modified files, pay special attention to the following folders-
C:\WINDOWS
C:\WINDOWS\SYSTEM32
C:\WINDOWS\SYSTEM32\DRIVERS
C:\PROGRAM FILES
C:\PROGRAM FILES\COMMON FILES
C:\DOCUMENTS AND SETTINGS\%USERNAME%\APPLICATION DATA
C:\DOCUMENTS AND SETTINGS\%USERNAME%\LOCAL SETTINGS\APPLICATION DATA

Check suspicious files via an online multi-scanner such as www.virustotal.com

CHECK ALL NON-MICROSOFT SERVICES

If the virus did not disable and delete System Restore Points, you can go back to a backup registry by renaming the files from the restore point and copying them into C:\WINDOWS\SYSTEM32\CONFIG
The Reg files are in C:\SYSTEM VOLUME INFORMATION\_RESTORE{...}\RP###\SNAPSHOT
(always take all 4 files, SYSTEM, SAM, SECURITY, SOFTWARE)

I am probably forgetting a few, let me know if you know of any I missed.

-Brad

[SiliconJon]

I have done boot scans with a plethora of options to no avail on some machines. Manually updating the ISO's to contain the latest defs. Plenty come right back. Though it has been a little while since I had such a machine on my desk. What I tried on 6 or so machines: Avast's Bart CD, Kaspersky Rescue Disk, UBCD (F-Prot & McAfee), custom Knoppix, Avira Rescue System...and a couple I don't recall the names provided by coworkers.

But I'll take all the tips on working for a truly powerful removal technique. And the next several times I try, if I fail I'll still advise others to do a clean install for faster and cleaner results.

[SiliconJon]

I should say, though, I work on production machines & workstations. Time on these machines equates to more money than the average home user, and in fact home users tend to equate their machine's previous state more valuable whereas work machines keep their valuable data externally stored or replicated and place greater value on uptime.

Before I get too technical all I mean to say is for home users reading this you may be happier paying a tech to pull your important data off your machine and then performing the restoration measure deemed appropriate by the tech prior to leaping with online advised measures of self-resolution.