UPS Tracking Number # Virus warning!
Update: Upon our submission of this threat to Microsoft, they have confirmed that it is classified as a new variant of TrojanDownloader:Win32/Bredolab.AC (check the rest of the article for more information).
I’ve received several suspicious e-mails in the last couple of days, so I decided to check the contents of the attached .zip file and, unsurprisingly, there was an .exe file in it.
What is not good is the fact that neither Microsoft Security Essentials nor ESET NOD32 was able to detect it when I scanned the file.
At least the Microsoft Outlook mail scanner marked this mail as spam, so I wasn’t entirely unprotected 🙂
The bogus message subject is something like this:
Subject: UPS Tracking Number 8279775.
Sender: UPS Manager Ramona Mock (parcel@ups.com)
Here’s the body of the mail:
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
Thank you.
United Parcel Service.
The attachment actually contains malware which may infect the user’s computer.
When I googled for more information on this virus, I found out that a similar virus was released almost 2 years ago, so apparently this is a new variant of it, since AV scanners were unable to detect the threat. So far I’ve tried to detect the threat using ‘only’ Microsoft Security Essentials and NOD32 antivirus.
Here is the warning about the UPS virus which was released about 18 months ago:
The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will receive an email from UPS/Fed Ex Service along with a packet number.. It will say that they were unable to deliver a package sent to you on such-and-such a date. It then asks you to print out the invoice copy attached. DON’T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS! Pass this warning on to all your PC operators at work and home. This virus has caused Millions of dollars in damage in the past few days.
I can’t be sure what damage it can cause to your computer, but I guess it is a variant of the UPS trojan virus, and upon receiving similar mail I can only advise you to delete it immediately.
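The triage described above (open the .zip, find an .exe inside, notice the mail was not really addressed to you) can be done without touching the attachment. The following is an added example, not code from the original post: it builds a constructed look-alike of the mail quoted above (the "attachment" is a zip holding a 64-byte file that begins with the PE magic bytes but is otherwise zero filler, so nothing in it can run), then reports the claimed sender, a mismatch between the To header and the mailbox that actually received it, and any executable found inside the zip. Only the first two bytes of each zip member are read, so a zip bomb or oversized payload is never inflated.

```python
"""Offline triage of a suspicious 'UPS' mail (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# File types that never belong in a 'shipping label'.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.I)


def build_sample_mail() -> bytes:
    """Constructed sample: spoofed UPS sender, wrong 'To', zip with an .exe inside."""
    msg = EmailMessage()
    msg["From"] = "UPS Manager Ramona Mock <parcel@ups.com>"
    msg["To"] = "aidan.conner@example.com"          # not the mailbox that received it
    msg["Delivered-To"] = "aidan.connor@example.com"
    msg["Subject"] = "UPS Tracking Number 8279775."
    msg.set_content("The shipping label is attached to this e-mail.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' followed by zero filler: looks like a PE header, cannot execute.
        zf.writestr("UPS_invoice_NR34072.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice_NR34072.zip")
    return msg.as_bytes()


def inspect_zip(data: bytes):
    """Return (member, reason) for each suspicious member without inflating it."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if EXECUTABLE_EXT.search(name):
                    hits.append((name, "executable extension"))
                    continue
                if info.flag_bits & 0x1:        # encrypted member: cannot peek, still suspect
                    hits.append((name, "encrypted member"))
                    continue
                with zf.open(info) as fh:       # read 2 bytes only: zip-bomb safe
                    if fh.read(2) == b"MZ":
                        hits.append((name, "PE magic behind a non-executable name"))
    except zipfile.BadZipFile:
        hits.append(("<attachment>", "not a valid zip"))
    return hits


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    to, delivered = msg["To"], msg["Delivered-To"]
    executables = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, bytes):
            for member, reason in inspect_zip(payload):
                executables.append((fname, member, reason))
    report = {
        "sender_name": sender.display_name,
        "sender_addr": sender.addr_spec,
        # A From: header is trivially forged; a UPS display name on a
        # non-UPS domain is the obvious case, a ups.com address proves nothing.
        "ups_name_foreign_domain": "ups" in sender.display_name.lower()
                                   and not sender.domain.lower().endswith("ups.com"),
        "to_mismatch": bool(delivered) and str(to) != str(delivered),
        "executables": executables,
    }
    report["suspicious"] = bool(executables) or report["to_mismatch"]
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample_mail()).items():
        print(f"{key:24} {value}")
```

Delivered-To is added by the receiving mail system, so it (or the last Received: line) tells you which mailbox the spam was really sent to; the To: header is whatever the spammer typed. Opening the zip in a viewer is not the same as running it, but the safest habit is to never extract such an attachment outside a sandbox at all.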
Update: I have submitted suspicious file to the Microsoft Malware Protection Center (MMPC). I will update this article, as soon as I get more info on this.
Update #2: I received a reply from Microsoft and they confirmed that this threat is classified as TrojanDownloader:Win32/Bredolab.AC. A downloader trojan accesses remote websites in an attempt to download and install malicious or potentially unwanted software.
According to Microsoft, this Trojan variant was discovered on Dec 16, 2009, but this appears to be a new variant, which is the reason why it wasn’t detected by anti-virus scanners.
Important NOTE: Upon my submission of this threat to Microsoft, they updated the virus definitions as seen below:
Detection last updated:
Definition: 1.71.2267.0
Released: Jan 15, 2010
BUT, keep in mind that if you’re using Microsoft Security Essentials, virus definitions might not have been updated automatically yet. I advise you to open Microsoft Security Essentials, select the ‘Update’ tab and click on the ‘Update’ button. You will then be protected.
Here is the screenshot of the successful detection of this new threat.
Anyway, let’s get on to what this Trojan actually does on your PC.
System changes
The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\digeste.dll
<system folder>\digiwet.dll
<system folder>\mcenspc.dll
<system folder>\msansspc.dll
%startup%\asgupd32.exe
%startup%\dfqupd32.exe
%startup%\dmaupd32.exe
%startup%\fmnupd32.exe
%startup%\ihaupd32.exe
%startup%\imiupd32.exe
%startup%\legupd32.exe
%startup%\ppqupd32.exe
%startup%\rqjupd32.exe
%startup%\ikowin32.exe
%startup%\wbhwin32.exe
%startup%\hcgwin32.exe
%startup%\fqosys32.exe
%startup%\lecsys32.exe
%startup%\necsys32.exe
%startup%\rncsys32.exe
%startup%\ysfsys32.exe
%startup%\zqosys32.exe
<system folder>\wbem\grpconv.exe
%appdata%\wiaserva.log
The presence of the following registry modifications:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: “SecurityProviders”
With data: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll”
Note that the first four entries are the legitimate Windows XP default; the malware appends its own DLL under a name chosen to look like the real digest.dll, so a quick glance at the value does not reveal the change. Compare each entry against a known-good baseline rather than eyeballing the string.
Technical Information (Analysis)
Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.
Installation
Win32/Bredolab has changed its method of installation over time. When older variants of Win32/Bredolab are executed, they copy themselves to one of the following locations, converting their EXE to a DLL:
<system folder>\digeste.dll
<system folder>\digiwet.dll
<system folder>\mcenspc.dll
<system folder>\msansspc.dll
The registry is then modified to ensure that the DLL is loaded. For example:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: “SecurityProviders”
With data: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll”
More recent variants of Win32/Bredolab copy themselves to the %startup% folder using one of the following variable filenames:
asgupd32.exe
dfqupd32.exe
dmaupd32.exe
fmnupd32.exe
ihaupd32.exe
imiupd32.exe
legupd32.exe
ppqupd32.exe
rqjupd32.exe
ikowin32.exe
wbhwin32.exe
hcgwin32.exe
fqosys32.exe
lecsys32.exe
necsys32.exe
rncsys32.exe
ysfsys32.exe
zqosys32.exe
Or they may use the following location:
<system folder>\wbem\grpconv.exe
Payload
Downloads and executes arbitrary files
Win32/Bredolab contacts a remote host, and receives a response from the master server that contains at least one encrypted binary. Downloaded binaries are decrypted and executed.
Win32/Bredolab may use a randomly generated file name for downloaded binaries on the local machine. Binaries may be saved to the following location:
%windir%\Temp\wpv[numbers].exe
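The System changes, Installation and Payload sections above amount to a short indicator list: a look-alike SSP DLL appended to SecurityProviders, a fixed set of file names in the Startup folder, grpconv.exe under system32\wbem, wpv[numbers].exe in the Windows Temp folder, and wiaserva.log under %appdata%. The following is an added example, not Microsoft’s or the post author’s code, that checks a host snapshot against those indicators. It runs offline against a constructed list of paths and a constructed SecurityProviders string; read_live_security_providers() shows how the real value is pulled from the registry on a Windows host (it returns None elsewhere). The XP default provider list is the baseline assumed here; other Windows versions ship a different default, so adjust it before trusting a result.

```python
"""Check a host snapshot for the Win32/Bredolab indicators (added example)."""
import ntpath
import re

# Windows XP default SecurityProviders value (the prefix Bredolab appends to).
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

BREDOLAB_SSP_DLLS = {"digeste.dll", "digiwet.dll", "mcenspc.dll", "msansspc.dll"}
BREDOLAB_STARTUP = {
    "asgupd32.exe", "dfqupd32.exe", "dmaupd32.exe", "fmnupd32.exe", "ihaupd32.exe",
    "imiupd32.exe", "legupd32.exe", "ppqupd32.exe", "rqjupd32.exe", "ikowin32.exe",
    "wbhwin32.exe", "hcgwin32.exe", "fqosys32.exe", "lecsys32.exe", "necsys32.exe",
    "rncsys32.exe", "ysfsys32.exe", "zqosys32.exe",
}
WPV_TEMP = re.compile(r"^wpv\d+\.exe$", re.I)      # %windir%\Temp\wpv[numbers].exe

# Constructed snapshot: a mix of legitimate files and indicator hits.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\digest.dll",                                    # legitimate
    r"C:\WINDOWS\system32\digeste.dll",                                   # indicator
    r"C:\WINDOWS\system32\grpconv.exe",                                   # legitimate
    r"C:\WINDOWS\system32\wbem\grpconv.exe",                              # indicator
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\rncsys32.exe",
    r"C:\WINDOWS\Temp\wpv2351.exe",
    r"C:\Documents and Settings\bob\Application Data\wiaserva.log",
]
SAMPLE_PROVIDERS = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"


def check_security_providers(value: str, baseline=XP_DEFAULT_PROVIDERS):
    """Return every provider DLL that is not in the baseline.
    Splitting on the comma is what matters: 'digeste.dll' hides next to 'digest.dll'."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e not in baseline]


def check_files(paths):
    """Classify each path; returns (reason, path) for every indicator hit."""
    hits = []
    for p in paths:
        parent, name = ntpath.split(p)
        name, parent_l = name.lower(), parent.lower()
        if name in BREDOLAB_SSP_DLLS and parent_l.endswith("system32"):
            hits.append(("bredolab ssp dll", p))
        elif name in BREDOLAB_STARTUP and parent_l.endswith("\\startup"):
            hits.append(("bredolab startup binary", p))
        elif name == "grpconv.exe" and parent_l.endswith("system32\\wbem"):
            # grpconv.exe is a legitimate Windows file directly in system32;
            # only the copy under system32\wbem is the indicator.
            hits.append(("bredolab loader in wbem", p))
        elif WPV_TEMP.match(name) and parent_l.endswith("\\temp"):
            hits.append(("downloaded payload", p))
        elif name == "wiaserva.log" and parent_l.endswith(("application data", "roaming")):
            hits.append(("bredolab log file", p))
    return hits


def read_live_security_providers():
    """Read the real value from the registry on Windows; None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\SecurityProviders")
    value, _ = winreg.QueryValueEx(key, "SecurityProviders")
    return value


if __name__ == "__main__":
    live = read_live_security_providers()
    providers = live if live is not None else SAMPLE_PROVIDERS
    print("unknown SecurityProviders entries:", check_security_providers(providers))
    for reason, path in check_files(SAMPLE_PATHS):
        print(f"{reason:26} {path}")
```

A hit on file name alone is a lead, not proof: later variants use other names, and an unexpected SecurityProviders entry may be a legitimate third-party SSP. Confirm by checking the DLL’s signature and hash before removing anything, and keep in mind that this only covers the artifacts Microsoft listed for this family.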
In the wild, Win32/Bredolab has been observed to contact the following control servers:
58.65.235.41
78.109.29.116
78.109.29.112
91.207.61.12
213.155.4.82
dollarpoint.ru
imoviemax.ru
mudstrang.ru
vanni-van.cn
gssmedia.cn
www.qoeirq.com
The following list details just a small selection of the malware known to be downloaded by variants of Win32/Bredolab:
Win32/Ambler
Win32/Boaxxe
Win32/Busky
Win32/Cbeplay
Win32/Cutwail
Win32/Daurso
Win32/FakeRean
Win32/FakeSpypro
Win32/Haxdoor
Win32/Hiloti
Win32/Insnot
Win32/Koobface
Win32/Momibot
Win32/Oderoor
Win32/Oficla
Win32/Otlard
Win32/Rlsloup
Win32/Rustock
Win32/Sinowal
Win32/Tedroo
Win32/Ursnif
Win32/Vundo
Win32/Waledac
Win32/Wantvi
Win32/Winwebsec
Win32/Wopla
Win32/Zbot
Additional Information
Some variants of Win32/Bredolab may create the following file during execution:
%appdata%\wiaserva.log
You can also get more information on Microsoft Security Portal.
Today, I received the same email… Watch out!!! Virus
—————————————————
From: “UPS Manager Wilbur Fisher”
Attachment: UPS_invoice_NR34072.zip
Hello! The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
Thank you.
United Parcel Service.
Thanks for the info!
Me too (January 15, 2010).
I was waiting for a UPS delivery, so I was less suspicious about it…
Watch out everyone.
I will use my legendary virus removal guide, which has served me well a few times…
To anyone who wants to successfully remove viruses, I suggest this link:
http://forums.majorgeeks.com/showthread.php?t=35407
Hi, I got the email and was silly enough to open it because I was curious. Thank God for Avast Antivirus.
Me too, I got it today and was actually awaiting a very important UPS delivery and opened it, but thank God I had Avast; it warned me immediately, although the Norton Antivirus that Yahoo! uses claims that there is no virus in the attachment. Thank God I had Avast!
watch out everybody!
Smart scam
Does anyone know the name of the virus? My wife double-clicked on the attachment on her Win7 computer, and I don’t see anything wrong on the computer yet…
Hey Bob,
we have updated this article, so you can check now what this virus actually does.
Best of luck!
I also was waiting on a UPS parcel from someone with the same surname as was sending it to me!
I opened it. AVG couldn’t clean it. It was obvious immediately that I was infected as there were splash screens offering spyware removal and my browser was hijacked and directed to an ‘antivirus’ removal site.
I ran AVG with no effect. I updated AVG and ran it again. It found nothing.
I ran SpyBot, which found many virus infections (my system was previously clean), and I proceeded to remove them.
I rebooted.
Now I cannot start my PC again. I log in to my admin account and as soon as I can see the desktop, before the desktop icons are set… the account logs out.
This happens on all accounts on the partition.
The other partition (the one I am using now, XP Pro) appears to be unaffected… thankfully.
What can I do? anybody please help?
Hello Darren,
I plan to write a tutorial soon on how to fix this, but check this until then.
First, when you get the chance, uninstall AVG immediately. I’ve seen AVG reporting viruses on paths that don’t even exist. AVG is trash in my opinion.
When you remove it, please install Microsoft Security Essentials or NOD32 antivirus.
Start here and let me know if you need additional help.
http://thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/
It could be that userinit.exe is completely missing or corrupt. The first thing I’d try is extracting userinit.exe from the XP CD. Here are the instructions:
Boot from the XP CD and press ‘R’ to enter the Recovery Console. If prompted, select your Windows installation and enter the admin password (leave blank if none was set).
From the command prompt type: copy D:\i386\userinit.ex_ c:\windows\system32\userinit.exe
(D is the drive letter corresponding to the drive containing the XP CD.)
This is free and will get rid of the problem. It’s safe as it’s from Stopzilla and is suitable for the non-techie, don’t-do-brain-surgery approach.
http://www.stopzilla.com/products/stopzilla/infection.do?AID=10034&CID=Internet Security 2010&inf=INTERNET SECURITY 2010&f=11&t=r&d=122009&gclid=CPnG-OTiqJ8CFU0B4wodzBnv0g
I love you both! (in the most non-sexual way possible, of course) Will try these suggestions now.
@ChrisW
That’s why I said that I will write a simple solution which would be more friendly for non-tech users.
I was expecting a UPS parcel so I unzipped this file after scanning it with Norton Internet Security 2009. However, no file was visible, which made me immediately suspicious and very worried. I immediately deleted the saved file. Shortly after, Norton recognised the unpacked (but not executed) file in the temp folder and called it Packed.Generic.265. Definition file 2010.02.008. It blocked the file. So I guess that means it cannot detect the malicious file when zipped??
I also checked the system for any of the files mentioned by Microsoft Security Essentials as shown in the above article – none were evident to my relief.
@Tara
You are safe then. Until today, I’ve received more than 20 variants of this ‘UPS’ mails.
OK so I messed up lol 😉 Yesterday I was using my friend’s computer to check my work email, expecting a package from UPS, and yeah, it was the virus. We have done all his spyware and stuff (I’m not a computer person at all, I do not know what I am doing). Anyway, everything works except the internet. When you go to log onto Internet Explorer it kicks him off right away. Any ideas on how to get his computer fixed?
Thanks
Got a similar email yesterday, saying this:
UPS Tracking #6343839124
From: Your UPS (delores07@rossloans.com)
Sent: 26 May 2010 01:54:53
To: aidanconnor@hotmail.co.uk
Attachments: 1 attachment
UPS_LABEL…zip (29.4 KB)
Hello,
We were not able to deliver postal package you sent on the 19nd May in time
because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your personal manager: Alvaro Horn,
Customer Service: 1-800-CALL-UPS
Fax: 888-033-5812
Your UPS
What’s weird is that in the ‘To’ section this isn’t even my email address… it’s similar, but it got my whole second name wrong. How in this world could I receive it when it wasn’t even sent to my address? Any ideas? I knew I hadn’t sent a parcel but I was curious, so I tried opening it, but Mozilla Firefox detected that it was infected. Lucky, eh?
That is probably just a spoofed address. Your real address should be seen in the mail header.
Got a different one in the junk mail today but I can tell that it’s the same idea:
UPS Tracking number N51848
Dear client
The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.
Thank you for your attention.
UPS Global Mail.
Got the exact same email yesterday (10/22/10), it just had different text, and unfortunately I opened it.
I can’t tell that anything is wrong with my computer yet. I am no computer wiz, just an average user. If anyone else got this new virus and can tell me anything, I would appreciate it.
Contact UPS by phone if you’re ever in doubt about the legitimacy of a UPS email prior to opening it – http://www.upsphonenumber.com/
Hi, I opened the attachment .zip of a UPS mail, I’m an idiot! The thing is, now I boot the PC in safe mode and the whole screen goes black, and a few seconds later a big blue screen appears with WARNING in red, and a text of warnings.
What can I do!??? HELP ME!!!!
fuck Morpheus, Bill Gates and Mark Zukerberg
Received this today. Guess it’s the same idea.
Dear customer,
The parcel was sent your home adress.
And it will arrive within 3 days.
More information and the tracking number are attached in document below.
UPS information center.