  1. #1
    oBeY SiliconJon's Avatar
    Join Date
    Feb 2003
    Location
    Bethalto, IL
    Posts
    10,646
    Blog Entries
    3

    UPS email attachment virus

     
    Attention Virus Warning

    There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

    Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

    Quote Originally Posted by laurentio View Post
    Last edited by SiliconJon; January 20th, 2010 at 12:15 PM.

  2. #2
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS Attachment Virus

    Just an FYI: this morning I had to call UPS about delivery of a package. The customer service agent was sure to let me know to be on the alert for any UPS emails received that contain attachments. Apparently, there is a UPS email circulating that appears to contain a shipping exception but asks you to open an attachment to see what the exception is. The attachment, when opened, contains a virus.

  3. #3
    Junior Member
    Join Date
    Jul 2008
    Posts
    2

    Exclamation UPS EMAIL VIRUS

    I got this email today, it said;

    Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS

    It contained a file called UPS_INVOICE_978172.zip (which is an archive containing an exe file --> the virus).

    The spoofed email address used was gujmodmbmwax@branchoffice.com.au

  5. #5
    oBeY SiliconJon's Avatar
    Join Date
    Feb 2003
    Location
    Bethalto, IL
    Posts
    10,646
    Blog Entries
    3
    Thank you - I was looking for some of the text that is in the email to assist in filtering the message from entering our email system should one try.

  6. #6
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS_INVOICE_978172.zip

    I too have received this e-mail but was not bright enough to recognise it for what it was. As I just happen to be overdue a package from UPS I jumped straight in and opened the attachment. I phoned UPS who have an automated message warning about the e-mail and attaching virus but they gave no more detail. All I can tell you is that the e-mail I received used the following:-

    Subject: UPS Tracking Number 0595577501
    Attachments: UPS_INVOICE_978171.zip
    Sent from United Parcel Services (dsrtyyksygw@bobdillonwindsorchairs.com)

    The following website appears to have a copy of the attachment but I dare not open it again so I do not know what it actually does:-
    This Was In My Email - BitDefender Forum

    I have run and rerun my Norton 360 antivirus which detects and quarantines some Tracking Cookies but I am none the wiser as to the effects and whether my laptop is infected. To date I have not noticed any ill-effects. If you have any further information an update would be much appreciated.

    Does anyone know what the virus actually does?

  7. #7
    oBeY SiliconJon's Avatar
    Join Date
    Feb 2003
    Location
    Bethalto, IL
    Posts
    10,646
    Blog Entries
    3
    This Post states the cleanup to be easy, though I have not experienced an infection nor come across any AV vendor or security sites (whose analysis is needed) that confirm removal to be as simple.
    **Note** Right click My Computer and go to Properties, click the System Restore tab and turn it off, otherwise you're saving your virus!

    1: Delete the email from the sent items, inbox, outbox and deleted items in Outlook.

    2: Delete every file (not folders) from your "c:/documents and settings/yourusername/localsettings/temp... folder (I suggest using spybots file shredder with a 5 pass overwrite)

    3: Reboot and rerun a few cleanup scans with your antispy/malware and then with your antivirus and you should be good to go.

    Simple as that!
    You will want to delete any restore points created since the arrival of the infected email.

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    Cool UPS email file attachment

    Quote Originally Posted by SiliconJon View Post
    Attention Virus Warning

    There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

    Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
    This is what I just received, I thought it was a bit suss and glad I did a bit of research before opening the attachment.

    Return-Path: <jjvv@blem.com>
    Received: from nskntingx05p.mx.bigpond.com ([216.212.61.154])
    by nskntmtas05p.mx.bigpond.com with ESMTP
    id <20080722130507.UARA16527.nskntmtas05p.mx.bigpond.com@nskntingx05p.mx.bigpond.com>;
    Tue, 22 Jul 2008 13:05:07 +0000
    Received: from host61-154.birch.net ([216.212.61.154])
    by nskntingx05p.mx.bigpond.com with ESMTP
    id <20080722130504.TXCI2223.nskntingx05p.mx.bigpond.com@host61-154.birch.net>;
    Tue, 22 Jul 2008 13:05:04 +0000
    Received: from [216.212.61.154] by vmx0.viatel.net; Tue, 22 Jul 2008 07:05:04 -0600
    Message-ID: <01c8ebc9$43e39000$9a3dd4d8@jjvv>
    From: "United Parcel Service" <jjvv@blem.com>
    To: <shantidwyer@bigpond.com>
    Subject: UPS Tracking Number 3897844287
    Date: Tue, 22 Jul 2008 07:05:04 -0600
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01C8EBC9.43E39000"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 4.72.2106.4
    X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
    X-RPD-ScanID: Class bulk; VirusThreatLevel high, RefID str=0001.0A150202.488542CC.0004,ss=3,sh,vtr=0001.0A150204.488518F4.0081,vl=2,vh,fgs=0
    X-Antivirus: AVG for E-mail 8.0.138 [270.5.3/1565]


    This is a multi-part message in MIME format.

    ------=_NextPart_000_0006_01C8EBC9.43E39000
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Unfortunately we were not able to deliver postal package you sent on July the 1st in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS


    No virus found in this incoming message.
    Checked by AVG - AVG Anti-Virus and Internet Security - Real-time protection against viruses, spyware and malicious websites
    Version: 8.0.138 / Virus Database: 270.5.3/1565 - Release Date: 7/21/2008 6:36 PM


    ------=_NextPart_000_0006_01C8EBC9.43E39000
    Content-Type: application/zip;
    name="UPS_INVOICE_978172.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="UPS_INVOICE_978172.zip"

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS virus email

    Quote Originally Posted by SiliconJon View Post
    Attention Virus Warning

    There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

    Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

    Here's a copy and paste from the email:
    -----Original Message-----
    From: United Parcel Service [mailto:ter@tequa.com]
    Sent: Monday, July 21, 2008 5:58 PM
    To:
    Subject: UPS Tracking Number 3414109644

    Viruses found in the attached files.
    The file UPS_INVOICE_978172.zip: Trojan horse SHeur.BXZJ. The attachment was moved to the virus vault.

    The original message follows:
    Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS

  10. #10
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS virus

    I have today received this e-mail from 'UPS':

    Unfortunately we were not able to deliver postal package you sent on July the 1st in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS

    The attachment is a zip file which made me immediately suspicious adding to the strange e-mail sender's address (tennisqueen5dd@pokigo.net)

    Hope this helps!


    Quote Originally Posted by SiliconJon View Post
    Attention Virus Warning

    There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

    Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.

  11. #11
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    Message title

    There are different tracking numbers quoted in the message subject line. Mine says "UPS Tracking Number 9686554756". The invoice number in the attachment seems to be constant though.

  12. #12
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS Email

    We got this too:

    Subject line: [RE] UPS Tracking Number 7337122362

    Body:
    Unfortunately we were not able to deliver postal package you sent on July
    the 1st in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our
    office

    Your UPS

    No virus found in this incoming message.
    Checked by AVG.
    Version: 7.5.526 / Virus Database: 270.5.5/1568 - Release Date: 7/23/2008
    6:55 AM

    Sender: rqwyhiygwxd@bmwpartstore.com

    Attachment: UPS_INVOICE_187271.zip

    Good ol' AVG Free! (Being snide)

    Fortunately, we don't ship anything UPS, so this immediately caught our eye; not to mention the recipient does not exist--we receive everything to our domain.

  13. #13
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS Virus

    Quote Originally Posted by SiliconJon View Post
    Attention Virus Warning

    There's an email going around claiming to be from UPS that is not. It claims a package delivery failure and asks the recipient to open the attached waybill, which is the actual viral payload.

    Does anyone have any exact details of this email's current structure? I've found one person who said the subject was "UPS Tracking Number ....." - If anyone has any more details regarding this email I would appreciate it.
    I just got this today. Luckily my antivirus removed it right away. It was a UPS tracking number, but the number was quite a bit shorter than an actual UPS tracking number. It had no UPS logos or anything. It just said that I had shipped a package on July 1st, and it had an incorrect address and to open the attachment to print the invoice to take to the UPS store to pick up my package.

  14. #14
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS bogus email

    I just got it - do you want me to forward it to you? If so, please email me at gigi@charmingstation.com

  15. #15
    oBeY SiliconJon's Avatar
    Join Date
    Feb 2003
    Location
    Bethalto, IL
    Posts
    10,646
    Blog Entries
    3
    Quote Originally Posted by ggmcbreen View Post
    I just got it - do you want me to forward it to you? If so, please email me at gigi@charmingstation.com
    No, but thanks! I'm not looking to analyze the payload, only aid in preventing its detection and/or prevention. Somebody will probably want to check it out, though.

  16. #16
    Junior Member
    Join Date
    Jul 2008
    Posts
    4

    More info about this virus

    I had a client who opened this attachment today, within 10 minutes it had downloaded and installed multiple pieces of spyware, one of them being a fake windows security center warning.

    The spyware infects startup items, AppInit_dlls (registry), userinit= (registry), and added a winlogon value (called 'crypt.dll' in my instance). I was able to remove the winlogon file with the utility 'moveonboot', google it or search for it on download.com, seems to work pretty good.

    Hope this helps.

    -Brad Grorud

  17. #17
    Junior Member
    Join Date
    Jul 2008
    Posts
    2

    UPS Email virus

    Received this virus on a work computer, unfortunately, as a lady in admin opened the attachment.
    The virus is a malware trojan, braviax.exe, which upon removal reappears as buritos.exe.
    It can be removed from the registry files; Cm2 consulting have good instructions (CM2 Consulting), however I am not confident when deleting registry entries. Norton wouldn't pick up the trojan, just detected it as PERFCOO. I then found AVG wouldn't install onto the machine, so used SDFix and combofix from the myantispyware.com website. Following these instructions left me with the buritos.exe trojan. AVG would then install and quickly cleaned up all the crap that was downloaded, and looking at the full list of processes running it seems to have removed all trace of the trojan.

    Hope this helps someone

    Nick Pearson, UK

  18. #18
    Junior Member
    Join Date
    Jul 2008
    Posts
    1
    I downloaded the zip file, opened it but as soon as I noticed it was an exe file I quickly deleted it (so I didn't extract it or anything like that, Winzip was only showing me what the file was). Is my computer infected? I haven't noticed anything unusual (thus far)

    edit: Oh yeah, the email was from teeq@abi.qc.ca

    "invoice_8712.zip (49KB)"
    UPS Tracking Number 8142018720
    Last edited by backslahsio; July 24th, 2008 at 07:09 AM.

  19. #19
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    UPS Viral Email

    Gmail has informed me the attachment is unsafe - could be viral, malware or spyware, I'm not downloading to find out.

    from United Parcel Service <oeeh@bodygraphics.com.au>
    to ***********
    date Jul 23, 2008 9:52 PM
    subject UPS Tracking Number 4499228271

    Unfortunately we were not able to deliver postal package you sent on July the 1st in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office

    Your UPS



    attachment
    invoice_8712.zip

  20. #20
    Junior Member
    Join Date
    Jul 2008
    Posts
    1

    We opened the UPS file-- Bad results!

    By mistake, one of my employees opened the email that is the subject of this thread. It was bad news! His computer is now not operable. We cannot open Outlook, or any web browser, or any programs. We have our techies working on it.

    It is BAD NEWS! The email was quite clever-- I had received several of these emails (without opening it fortunately) but I had to look closely to recognize that it was not UPS.

    DO NOT OPEN THE FAKE UPS EMAILS!
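
The thread starter asked for message details to filter on. As an added example (not posted by anyone in this thread), the Python below checks a raw message for the indicators reported in posts #3 to #19: the subject pattern, the "United Parcel Service" display name on a non-UPS sender domain, the body phrase, the attachment name pattern, and an executable inside the zip. The function names, the `ups.com` allow-list and the extra executable extensions are assumptions, and the sample message is constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns taken from the messages quoted in this thread.
SUBJECT_RE = re.compile(r"UPS Tracking Number \d{10}\b")
ATTACH_RE = re.compile(r"^(UPS_)?INVOICE_\d+\.zip$", re.I)
BODY_PHRASE = "not able to deliver postal package"
LEGIT_DOMAINS = {"ups.com"}   # assumption: sender domains you accept as real UPS
EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # .exe per the thread; others assumed

def indicators(raw: bytes) -> list[str]:
    """Return the names of the thread's indicators that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    name, addr = parseaddr(str(msg.get("From", "")))
    if "united parcel service" in name.lower() and \
            addr.rpartition("@")[2].lower() not in LEGIT_DOMAINS:
        hits.append("display-name-spoof")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in " ".join(body.get_content().split()):
        hits.append("body-phrase")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if ATTACH_RE.match(fname):
            hits.append("attachment-name")
        if fname.lower().endswith(".zip"):
            try:  # list archive members in memory; nothing is extracted or run
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    if any(n.lower().endswith(EXEC_EXT) for n in zf.namelist()):
                        hits.append("exe-in-zip")
            except zipfile.BadZipFile:
                hits.append("unreadable-zip")
    return hits

def build_sample() -> bytes:
    """Constructed message; the '.exe' member is a harmless text placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_INVOICE.exe", b"placeholder text, not a program")
    msg = EmailMessage()
    msg["From"] = '"United Parcel Service" <sender@example.test>'
    msg["Subject"] = "UPS Tracking Number 0000000000"
    msg.set_content("Unfortunately we were not able to deliver postal package\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_INVOICE_000000.zip")
    return msg.as_bytes()
```

Calling `indicators(build_sample())` returns all five indicator names; a gateway rule would normally quarantine on the executable-in-zip hit alone and use the others for scoring, since post #11 notes the tracking number changes from message to message.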
