Old July 15th, 2008, 02:16 PM   #1 (permalink)
Ultimate Member
 
SiliconJon's Avatar
 
Join Date: Feb 2003
Location: Bethalto, IL
Posts: 6,224
Blog Entries: 1
UPS email attachment virus

Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
__________________
"We are on the verge of global transformation. All we need is the right major crisis..." David Rockefeller
.

SiliconJon is offline   Reply With Quote
Old July 16th, 2008, 12:05 PM     #2 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 1
UPS Attachment Virus

Just an FYI: this morning I had to call UPS about delivery of a package. The customer service agent was sure to let me know to be on the alert for any UPS emails received that contain attachments. Apparently, there is a UPS email circulating that appears to contain a shipping exception but asks you to open an attachment to see what the exception is. The attachment, when opened, contains a virus.

camartino is offline   Reply With Quote
Old July 22nd, 2008, 02:06 AM     #3 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 2
UPS EMAIL VIRUS

I got this email today, it said;

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

It contained a file called UPS_INVOICE_978172.zip (which is an archive containing an exe file --> the virus).

The spoofed email address used was gujmodmbmwax@branchoffice.com.au

housten is offline   Reply With Quote
Old July 22nd, 2008, 11:37 AM     #5 (permalink)
Ultimate Member
 
SiliconJon's Avatar
 
Join Date: Feb 2003
Location: Bethalto, IL
Posts: 6,224
Blog Entries: 1
Thank you - I was looking for some of the text that is in the email to assist in filtering the message from entering our email system should one try.
SiliconJon is offline   Reply With Quote
Old July 22nd, 2008, 11:55 AM     #6 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 1
UPS_INVOICE_978172.zip

I too have received this e-mail but was not bright enough to recognise it for what it was. As I just happen to be overdue a package from UPS I jumped straight in and opened the attachment. I phoned UPS who have an automated message warning about the e-mail and attaching virus but they gave no more detail. All I can tell you is that the e-mail I received used the following:-

Subject: UPS Tracking Number 0595577501
Attachments: UPS_INVOICE_978171.zip
Sent from United Parcel Services (dsrtyyksygw@bobdillonwindsorchairs.com)

The following website appears to have a copy of the attachment but I dare not open it again so I do not know what it actually does:-
This Was In My Email - BitDefender Forum

I have run and rerun my Norton 360 antivirus which detects and quarantines some Tracking Cookies but I am none the wiser as to the effects and whether my laptop is infected. To date I have not noticed any ill-effects. If you have any further information an update would be much appreciated.

Does anyone know what the virus actually does?
ianb281 is offline   Reply With Quote
Old July 22nd, 2008, 12:04 PM     #7 (permalink)
Ultimate Member
 
SiliconJon's Avatar
 
Join Date: Feb 2003
Location: Bethalto, IL
Posts: 6,224
Blog Entries: 1
This Post states the cleanup to be easy, though I have not experienced an infection nor come across any AV vendor or security sites (whose analysis is needed) that confirm removal to be as simple.
Quote:
**Note** Right click my computer and go to properties, click system restore tab and turn it off, otherwise you're saving your virus!

1: delete the email from the sent items, inbox, outbox and deleted items in Outlook.

2: delete every file (not folders) from your "c:/documents and settings/yourusername/localsettings/temp... folder (I suggest using spybots file shredder with a 5 pass overwrite)

3: reboot and rerun a few cleanup scans with your antispy/malware and then with your antivirus and you should be good to go.

Simple as that!
You will want to delete any restore points created since the arrival of the infected email.
SiliconJon is offline   Reply With Quote
Old July 22nd, 2008, 07:17 PM     #8 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 1
UPS email file attachment

Quote:
Originally Posted by SiliconJon View Post
Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
This is what I just received, I thought it was a bit suss and glad I did a bit of research before opening the attachment.

Return-Path: <jjvv@blem.com>
Received: from nskntingx05p.mx.bigpond.com ([216.212.61.154])
by nskntmtas05p.mx.bigpond.com with ESMTP
id <20080722130507.UARA16527.nskntmtas05p.mx.bigpond.com@nskntingx05p.mx.bigpond.com>;
Tue, 22 Jul 2008 13:05:07 +0000
Received: from host61-154.birch.net ([216.212.61.154])
by nskntingx05p.mx.bigpond.com with ESMTP
id <20080722130504.TXCI2223.nskntingx05p.mx.bigpond.com@host61-154.birch.net>;
Tue, 22 Jul 2008 13:05:04 +0000
Received: from [216.212.61.154] by vmx0.viatel.net; Tue, 22 Jul 2008 07:05:04 -0600
Message-ID: <01c8ebc9$43e39000$9a3dd4d8@jjvv>
From: "United Parcel Service" <jjvv@blem.com>
To: <shantidwyer@bigpond.com>
Subject: UPS Tracking Number 3897844287
Date: Tue, 22 Jul 2008 07:05:04 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C8EBC9.43E39000"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
X-RPD-ScanID: Class bulk; VirusThreatLevel high, RefID str=0001.0A150202.488542CC.0004,ss=3,sh,vtr=0001.0A150204.488518F4.0081,vl=2,vh,fgs=0
X-Antivirus: AVG for E-mail 8.0.138 [270.5.3/1565]


This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C8EBC9.43E39000
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS


No virus found in this incoming message.
Checked by AVG - AVG Anti-Virus and Internet Security - Real-time protection against viruses, spyware and malicious websites
Version: 8.0.138 / Virus Database: 270.5.3/1565 - Release Date: 7/21/2008 6:36 PM


------=_NextPart_000_0006_01C8EBC9.43E39000
Content-Type: application/zip;
name="UPS_INVOICE_978172.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="UPS_INVOICE_978172.zip"
shauna31 is offline   Reply With Quote
Old July 23rd, 2008, 08:36 AM     #9 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 1
UPS virus email

Quote:
Originally Posted by SiliconJon View Post
Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

Here's a copy and paste from the email:
-----Original Message-----
From: United Parcel Service [mailto:ter@tequa.com]
Sent: Monday, July 21, 2008 5:58 PM
To:
Subject: UPS Tracking Number 3414109644

Viruses found in the attached files.
The file UPS_INVOICE_978172.zip: Trojan horse SHeur.BXZJ. The attachment was moved to the virus vault.

The original message follows:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS
Broomhilda99 is offline   Reply With Quote
Old July 23rd, 2008, 10:33 AM     #10 (permalink)
Junior Member
 
Join Date: Jul 2008
Posts: 1
UPS virus

I have today received this e-mail from 'UPS':

Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

The attachment is a zip file which made me immediately suspicious adding to the strange e-mail sender's address (tennisqueen5dd@pokigo.net)

Hope this helps!


Quote:
Originally Posted by SiliconJon View Post
Attention Virus Warning

There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
owlcastle is offline   Reply With Quote
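
The traits reported across the posts above (a "United Parcel Service" display name on an unrelated sender domain, the "UPS Tracking Number" subject, the UPS_INVOICE_*.zip attachment name, and a zip that holds an exe) can be turned into a mail-filter check of the kind asked about in post #5. This is an added example and not part of any post; the reason labels, the `build_sample` helper, the extension list, and the assumption that genuine UPS mail comes from ups.com are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Traits taken from the messages quoted in the thread.
SUBJECT_RE = re.compile(r"UPS Tracking Number \d{10}")
ATTACH_RE = re.compile(r"UPS_INVOICE_\d+\.zip", re.I)
RISKY_EXT = (".exe", ".scr", ".pif", ".com")  # constructed list of executable types

def zip_has_executable(data):
    """True if the archive lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(RISKY_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a readable zip; nothing to inspect

def score_message(raw):
    """Return the list of thread-reported traits that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = "." + addr.rpartition("@")[2].lower()
    # Assumption: genuine UPS mail is sent from ups.com or a subdomain of it.
    if "united parcel service" in name.lower() and not domain.endswith(".ups.com"):
        reasons.append("display-name-domain-mismatch")
    if SUBJECT_RE.fullmatch(str(msg.get("Subject", "")).strip()):
        reasons.append("subject-pattern")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if ATTACH_RE.fullmatch(fname):
            reasons.append("attachment-name")
        if zip_has_executable(part.get_payload(decode=True) or b""):
            reasons.append("zip-contains-executable")
    return reasons

def build_sample(from_hdr, subject, zip_name, member):
    """Constructed test message; the zip member holds harmless text bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder text, not a program")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "user@example.org", subject
    m.set_content("Please print out the invoice copy attached")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return m.as_bytes()
```

The display-name mismatch and the executable-inside-zip checks do not depend on the exact subject or file name, so they keep matching if those strings change between mailings.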