UPS email attachment virus
July 24th, 2008, 04:14 PM
#21
Junior Member
Join Date: Jul 2008
Posts: 1
We opened the UPS file-- Bad results!
By mistake, one of my employees opened the email that is the subject of this thread. It was bad news! His computer is now not operable. We cannot open Outlook, or any web browser, or any programs. We have our techies working on it.
It is BAD NEWS! The email was quite clever-- I had received several of these emails (without opening them, fortunately) but I had to look closely to recognize that it was not UPS.
DO NOT OPEN THE FAKE UPS EMAILS!
July 24th, 2008, 09:00 PM
#22
Member
Join Date: Feb 2002
Posts: 199
I thought I'd describe my experience with this thing. It has a rootkit, which makes detection and removal difficult.
The files I quickly found were:
c:\windows\braviax.exe
c:\windows\buritos.exe
c:\windows\system32\buritos.exe
c:\windows\system32\crypts.dll
c:\windows\system32\ntos.exe
(I think that was all of them)
In addition, its rootkit kept adding cru629.dat to AppInit_DLLs, which I don't think I ever did find.
I used HijackThis (renamed to ht.exe because the rootkit blocked hijackthis.exe from running) to find them. I used my standard procedure of booting off a Linux CD and deleting them when they don't have a chance to undo my actions. After discovering that I couldn't log back into the computer with ntos.exe gone (I hadn't cleaned it with HijackThis before removing it, since I thought that to be pointless), I replaced it with a copy of ping.exe, and then deleted that later after cleaning with HijackThis.
I also used Rootkit Hook Analyzer to discover that beep.sys was infected, so I (from Linux again) overwrote it with a good copy from an uninfected computer. I also deleted the beep.sys copy I found in c:\windows\system32\dllcache.
In addition, one out of the four infected computers I saw had an additional driver file called Wel63.sys (in my case anyway) that was spamming itself out to other computers like mad. This was more difficult to find, because using normal tools, it just looks like svchost.exe (launched with no arguments) is doing it. I found it by looking at the drivers listed by Rootkit Hook Analyzer for anything suspicious.
After all that, I double-checked on each computer to make sure everything was really gone - a combination of monitoring network connections, checking the existence of the files, and making sure HijackThis is no longer blocked from running. By the way, it also blocked McAfee and SuperAntiSpyware.
This is what I did, but my suggestion to anyone else is to find some easy directions someplace - maybe a recommended antivirus that actually works, or a tool that's easier to use.
EDIT: Oh yeah, and it also installed "XPSecurityCenter" on some of the computers too, which I removed. And it does also make some files in your temp directory, so you might want to clear that.
Last edited by Tygur : July 24th, 2008 at 09:04 PM.
July 24th, 2008, 10:34 PM
#23
983571056^983571056
Join Date: Feb 2003 Location: Bethalto, IL
Posts: 7,012
^ Fantastic notes, I hope I don't need them
__________________
Just because there is nothing wrong with saying what you are thinking does not mean there is nothing wrong with what you are thinking. - Jon Silveus
July 27th, 2008, 10:48 AM
#24
Junior Member
Join Date: Jul 2008
Posts: 4
July 27th, 2008, 05:18 PM
#25
Junior Member
Join Date: Jul 2008
Posts: 1
Someone's changed the date to make it more current, so there'll probably be a new run of it going round.
[NO-REPLY] UPS Tracking Number 8694489495
Unfortunately we were not able to deliver postal package you sent on July the 25 in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS UPS Global Home
It now has an attachment called UPS_192011.rar, which I'm not about to touch, so I don't know what's in it.
August 7th, 2008, 06:14 AM
#26
Junior Member
Join Date: Aug 2008
Posts: 1
[This email is for informational purposes only. Do not reply to the
email address above.
A payment to Carrington Mortgage Services LLC in the amount of $8489.85
has been made from your Checking account
For further information about this transaction, please download attached invoice file (Password for ZIP archive: "invoice" ) password is invoice
If you did not authorize this payment to be made, please contact your
financial institution or card issuer immediately for further
instructions.
FKNC Privacy Statement: The information contained in this electronic
mail transmission is intended by Fort Knox National Company for the
use of the named individual or entity to which it is originally
directed and may contain information that is privileged or otherwise
confidential. It is not intended for transmission to, or receipt by
anyone other than the named addressee (or a person authorized to
deliver it to the named addressee). It should not be copied or
forwarded to any unauthorized persons. If you have received this
electronic mail transmission in error, please delete it from your
system without copying or forwarding it, and notify the sender of the
error by reply email or by calling Fort Knox National Company at
866-359-6602. Unauthorized use, dissemination, distribution, or
reproduction of this message is strictly prohibited and may be
unlawful.
The above email I received with the attachment IN87129_717a.zip (IN87129_717a.exe).
Once you click on the exe and run it, Braviax.exe is created in the windows\system32 folder, along with others.
The whole WinXP was useless.
From
invoice virus victim.
August 11th, 2008, 09:59 PM
#27
Junior Member
Join Date: Aug 2008
Posts: 1
Quote:
Originally Posted by SiliconJon Attention Virus Warning
There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.
Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
Hi, I received 2 emails of this kind which didn't go into my junk folder. It reads as follows:
Unfortunately we were not able to deliver postal package you sent on July the 25 in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your UPS
They both came with attachments in zip files, one called WW_671282 and the other WWW_99120.
I scanned with Norton Internet Security (I have heard Norton isn't as good as some, but it came with the computer); both scans found three files but no spyware.
As for the details of the emails' structure, I can give them to you, as I only got them before I posted this. Just let me know what details you need.
August 12th, 2008, 11:52 AM
#28
983571056^983571056
Join Date: Feb 2003 Location: Bethalto, IL
Posts: 7,012
The primary details I was asking for were those that many have provided, and I'm still glad to receive updated notes on what the emails consist of. Such details that I am looking for are primarily the message title, body, and attachment name. Granted these will morph, they are useful in aiding in detection and prevention of such email penetration into our system. Any other details are most welcome as they can be useful for other purposes.
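As an added example (not code from any poster in this thread), here is a small Python triage routine built from the details SiliconJon asks for above: it matches the quoted subject and body wording of the fake UPS mail and checks whether an attached archive carries a Windows executable. The sample messages are constructed inside the block; the executable extension list and the decision to flag unparseable .rar attachments on name alone are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure wording quoted in this thread (subject and body of the fake UPS mail).
LURE_SUBJECT = re.compile(r"UPS\s+Tracking\s+Number", re.I)
LURE_BODY = re.compile(r"not able to deliver|print out the invoice copy", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumed list of executable extensions

def archive_has_executable(name: str, data: bytes) -> bool:
    """True when a ZIP attachment holds an executable. A .rar cannot be opened with
    the standard library, so it is flagged on its name alone (assumption for this example)."""
    lower = name.lower()
    if lower.endswith(".rar"):
        return True
    if not lower.endswith(".zip"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # a corrupt archive on a lure is still worth quarantining

def triage(raw: bytes) -> str:
    """Return 'quarantine', 'suspicious' or 'clean' for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    lure = bool(LURE_SUBJECT.search(text) or LURE_BODY.search(text))
    armed = any(archive_has_executable(p.get_filename() or "", p.get_payload(decode=True) or b"")
                for p in msg.iter_attachments())
    if lure and armed:
        return "quarantine"
    return "suspicious" if (lure or armed) else "clean"

def build_sample(subject: str, body: str, attachment: str, inner: tuple) -> bytes:
    """Construct a test message carrying a ZIP whose entries have the given names."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"  # constructed address
    msg.set_content(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in inner:
            zf.writestr(name, b"placeholder bytes, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()
```

A mail gateway filter would feed real messages to triage(); build_sample() only exists so the routine can be exercised offline.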
August 13th, 2008, 09:42 AM
#29
Junior Member
Join Date: Aug 2008
Posts: 1
I just received a few emails from UPS with viruses. I even received one from US customs?? It's funny because my virus software didn't pick it up.
August 13th, 2008, 11:50 AM
#30
Junior Member
Join Date: Aug 2008
Posts: 1
I just received this email myself and knew better than to open it when I saw a ".zip file" attached as the invoice.
People need to be aware that unless they know the person sending an email, DO NOT OPEN a ".zip" file or an ".exe" file, as both were attached to my phony UPS email. I honestly know that UPS is a very good company and will never ask you to verify information via email, because without the proper information with the package, they will not take it.
Quote:
Originally Posted by SiliconJon Attention Virus Warning
There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.
Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.