UPS or USPS - Your package is available for pickup ( Parcel 1V512579 ) - virus scam


Email:

Another in the series of UPS shipment virus emails, with some USPS versions as well.

The email claims "The courier company was not able to deliver your parcel by your address" because of an "Error in shipping address."

The email often spoofs the payvesupport@ aexp.com and some_one@ fiserv.com. Nice touch to have a UPS notification come from American Express...

Other emails in the spoofed payvesupport@ aexp.com series:

Other emails in the spoofed fiserv.com series:

The payvesupport@ aexp.com spoofing became popular after the Payve Remit series virus emails. It looks like the botnet owners just stuck with that.


Subject: UPS - Your package is available for pickup ( Parcel 1V512579 )

Subject: UPS - Your package is available for pickup ( Parcel FNH4UY3K )

Subject:  USPS - Your package is available for pickup ( Parcel 487286520634 )

Subject: USPS - Missed package delivery

Subject: USPS - Missed package delivery ID:06

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.
You may pickup the parcel at our post office.
Please attention! For mode details and shipping label please see the attached file. Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
UPS Logistics Services.
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) th..... blah blah blah

Headers sample:

This email series has been re-used a lot. There are series that spoof usps.com, usps.gov, ups.com, aexp.com, fiserv.com, hsbc.co.uk, quickbooks.com and others (or nothing at all) in From headers, envelope headers, and HELO.

Received: from 173-15-112-113-illinois.hfc.comcastbusiness.net [173.15.112.113]
X-Envelope-From: PAYVESUPPORT@ AEXP.COM
From: Tommy_Jensen@ fiserv.com

Received: from bband-dyn215.178-40-40.t-com.sk [178.40.40.215]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 607735208507 )

Received: from aexp.com ([69.199.101.37]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 734767192405 )

Received: from LMontsouris-156-26-8-103.w80-14.abo.wanadoo.fr [80.14.55.103]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 759837494629 )

Received: from aexp.com ([217.71.48.14]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 990965008608 )

Received: from aexp.com ([92.60.134.246]
X-Envelope-From: fraud @aexp.com
From: "USPS Express Services" <service-notification @usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 098536717338 )

Received: from hsbc.co.uk ([37.114.194.46]
X-Envelope-From: service @hsbc.co.uk
From: "eFax Corporate" <message @inbound.efax.com>

Received: from 84-240-194-9.wimax-dynamic.almaty.aksoran.kz [84.240.194.9]
X-Envelope-From: service @hsbc.co.uk
From: "UPS Express Services" <service-notification @ups.com>

Received: from mo-p07-ob.rzone.de [81.169.146.190]
X-Envelope-From: [address hidden by the site's spambot protection]
From: "USPS Express Services" <[address hidden by the site's spambot protection]>
Subject: USPS - Missed package delivery ID:06

Received: from [204.246.246.10]
X-Envelope-From: ach.status @nacha.org
From: "USPS Express Services" <service-notification @usps.com>
Subject: USPS - Your package is available for pickup ( Parcel 910619847560 )

Received: from 63-235-18-178.dia.static.qwest.net [63.235.18.178]
X-Envelope-From: invoice @quickbooks.com
From: "UPS Quantum View" <auto-notify @ups.com>
Subject: UPS - Your package is available for pickup ( Parcel 6I1O4NLF )

Some spoofed HELOs in there too: hsbc.co.uk and ups.com.
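The header pairs above share three tells: the envelope sender domain does not match the header From domain, the HELO is either a bare brand domain or a dynamic/residential PTR name, and the subject uses the same parcel-pickup lure. The following triage script is an added example (not from the original post) that checks a raw header block for those tells; the samples are constructed to mirror the quoted headers, with RFC 5737 documentation IPs, and the dynamic-hostname fragments are a hand-picked heuristic.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Subject lure used by every message in this series (UPS and USPS variants).
PARCEL_SUBJECT = re.compile(r"^(UPS|USPS) - (Your package is available for pickup"
                            r" \( Parcel [0-9A-Z]+ \)|Missed package delivery)")
# First-hop Received line: optional HELO name, then the connecting IP.
RECEIVED_RE = re.compile(r"from\s+(?:(\S+)\s+)?\(?\[?(\d{1,3}(?:\.\d{1,3}){3})")
# Fragments from the dynamic/residential PTR names quoted above (hand-picked heuristic).
DYNAMIC_HINTS = ("dyn", "dynamic", "bband", "hfc.", ".abo.")

def domain_of(header_value):
    """Lower-case domain part of an address header, or '' if it has none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def analyze(raw_headers):
    """Return the list of findings for one header block ([] means nothing odd)."""
    msg = HeaderParser().parsestr(raw_headers)
    findings = []
    from_dom, env_dom = domain_of(msg.get("From")), domain_of(msg.get("X-Envelope-From"))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"envelope sender {env_dom} != header From {from_dom}")
    m = RECEIVED_RE.search(msg.get("Received", ""))
    helo = (m.group(1) or "").lower() if m else ""
    if helo and helo in (env_dom, from_dom):
        findings.append(f"HELO is the bare brand domain {helo}, not a mail host")
    if any(hint in helo for hint in DYNAMIC_HINTS):
        findings.append(f"HELO/PTR looks dynamic or residential: {helo}")
    if PARCEL_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject matches the UPS/USPS parcel-pickup lure")
    return findings

# Constructed samples modelled on the headers quoted above; IPs are RFC 5737 addresses.
SAMPLE_BRAND_HELO = """Received: from aexp.com ([192.0.2.10]
X-Envelope-From: fraud@aexp.com
From: "USPS Express Services" <service-notification@usps.gov>
Subject: USPS - Your package is available for pickup ( Parcel 734767192405 )
"""
SAMPLE_DYNAMIC = """Received: from bband-dyn215.example.net [192.0.2.20]
X-Envelope-From: fraud@aexp.com
From: "USPS Express Services" <service-notification@usps.gov>
Subject: USPS - Missed package delivery ID:06
"""
SAMPLE_CLEAN = """Received: from mail.example.org [192.0.2.30]
X-Envelope-From: bounce@example.org
From: "Example Shop" <orders@example.org>
Subject: Your order has shipped
"""
```

Running `analyze()` over the three samples yields three findings for each spoofed block and none for the clean one; the same function can be pointed at a saved .eml's header section.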

Attachments, some examples:

March 2013

Label_8827712794.zip contains Label_8827712794.exe | VirusTotal report

June 2013

USPS_Label_209660835189.zip containing USPS_Label_06062013.exe | VirusTotal report | Malwr report

November 2013

Label_11052013.zip containing Label_11052013.exe | VirusTotal report | Malwr.com report

19 December 2013

Label_098536717338.zip containing Label_12192013.exe

VirusTotal report 

Kingsoft                 Win32.TrojDownloader.Agent.ab.(kcloud)
Ikarus                   Win32.Outbreak
Kaspersky                Trojan.Win32.Bublik.boog
Symantec                 Trojan.Dropper
F-Secure                 Trojan.Downloader.Agent.ABOJ
GData                    Trojan.Downloader.Agent.ABOJ
Malwarebytes             Trojan.Agent.RV
Emsisoft                 Trojan-Downloader.Win32.Agent (A)
TrendMicro-HouseCall     TROJ_GEN.F0D1H00LJ13
Sophos                   Troj/Agent-AFGV
Rising                   PE:Malware.FakePDF@CV!1.9E18
AVG                      Luhe.Fiha.A

Malwr.com report 

Starts servers listening on 0.0.0.0:0, 0.0.0.0:5160, 0.0.0.0:3530
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via tcp:
smokefreesource.com 206.190.147.142

From the PCAP file, UDP traffic:

These addresses had back-and-forth UDP communications:
207.71.13.114 UNITED STATES
68.174.34.89 UNITED STATES
75.87.87.199 UNITED STATES
84.59.129.23 GERMANY

These addresses were sent UDP but never answered back.

File-Analyzer.net report 

Networking:
DNS lookups - smokefreesource.com
Persistence and Installation Behavior:
Drops C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rupdater.exe
Data Obfuscation:
Binary may include packed or encrypted data
PE sections with suspicious entropy found
Anti Debugging
Hooking and other Techniques for Stealthness and Protection

Domains:
mtnoutfitters.com 206.217.194.252
smokefreesource.com 206.190.147.142

IPs:
195.186.1.121 Switzerland
206.217.194.252 United States
206.190.147.142 United States
