UPS parcel notification - Malware AND Virus


Fake UPS Parcel Notification phishing malware email claims you have a pending parcel at a storehouse.

Attached zip has virus AND link goes to malicious websites.

Spoofs gmail.com


Subject: UPS parcel notification

[UPS logo] We love logistics

UPS parcel notification

Dear client

You have an pending parcel at our storehouse.
Please print the receipt from attachment or download it from here and show it at our office.

Warning: We will send the parcel back to the sender if you will not receive it within 20 days.

This is an automatically generated email, please do not reply.

Copyright © 1994-2013 United Parcel Service of America, Inc. All rights reserved.

receipt 883A38.zip (300)

Picture of fake UPS parcel notification email with virus AND malware link.


Header samples:

Spoofs gmail (as in, the emails don't actually come from gmail accounts) and uses a UPS-style friendly (display) name on the From line.

Received: from 75-148-201-4-Houston.hfc.comcastbusiness.net [75.148.201.4]
X-Envelope-From: romancestn @gmail.com
From: "UPS Inc." <romancestn @gmail.com>
Subject: UPS parcel notification

Received: from [175.101.13.13]
X-Envelope-From: snowmann53 @gmail.com
From: "Bobby Maynard" <middletonxc7 @gmail.com>
Subject: UPS parcel notification

Received: from [190.40.233.10]
X-Envelope-From: scarabsmp3159 @gmail.com
From: "UPS Inc." <scarabsmp3159 @gmail.com>
Subject: UPS parcel notification

Received: from 178.90.80.118.megaline.telecom.kz [178.90.80.118]
X-Envelope-From: adjudicatingmlr59 @gmail.com
From: "UPS Inc." <adjudicatingmlr59 @gmail.com>
Subject: UPS parcel notification

Received: from 74-118-114-28.fourway.net [74.118.114.28]
X-Envelope-From: skinheadyhdr5039 @gmail.com
From: "UPS Inc." <skinheadyhdr5039 @gmail.com>
Subject: UPS parcel notification

Received: from [190.232.254.181]
X-Envelope-From: milligramsqhk287 @gmail.com
From: "UPS Inc." <milligramsqhk287 @gmail.com>
Subject: UPS parcel notification

Received: from [89.136.121.32]
X-Envelope-From: sinkiang24 @gmail.com
From: "UPS Inc." <sinkiang24 @gmail.com>
Subject: UPS parcel notification
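
An added example (not from the original post) of turning the header pattern above into a check: it parses the first two header samples quoted here (with the defanging space before "@" removed so they parse) and flags a brand name such as "UPS" in the display name on a freemail sender, an envelope sender that differs from the From address, the known lure subject, and a gmail.com sender whose first hop does not look like Google infrastructure. The brand and freemail lists and the "google.com"-in-Received heuristic are assumptions for illustration, not anything the post states.

```python
import re
from email.utils import parseaddr

# Constructed sample: the first two header blocks quoted in the post above,
# with the defanging space before "@" removed so the addresses parse.
SAMPLES = """\
Received: from 75-148-201-4-Houston.hfc.comcastbusiness.net [75.148.201.4]
X-Envelope-From: romancestn@gmail.com
From: "UPS Inc." <romancestn@gmail.com>
Subject: UPS parcel notification

Received: from [175.101.13.13]
X-Envelope-From: snowmann53@gmail.com
From: "Bobby Maynard" <middletonxc7@gmail.com>
Subject: UPS parcel notification
"""

# Assumed lists: brand words that should not appear in a display name on a
# free webmail sender, and the freemail domains to treat that way.
BRAND_WORDS = {"ups", "fedex", "dhl"}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
KNOWN_SUBJECTS = {"ups parcel notification"}


def parse_blocks(text):
    """Split blank-line-separated header samples into lower-cased-key dicts."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        hdrs = {}
        for line in chunk.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                hdrs[name.strip().lower()] = value.strip()
        blocks.append(hdrs)
    return blocks


def assess(hdrs):
    """Return the list of reasons this header set looks like the UPS lure."""
    reasons = []
    display, addr = parseaddr(hdrs.get("from", ""))
    domain = addr.rpartition("@")[2].lower()
    words = {w.strip(".,").lower() for w in display.split()}

    if words & BRAND_WORDS and domain in FREEMAIL:
        reasons.append(f"brand display name {display!r} on freemail sender {domain}")

    envelope = hdrs.get("x-envelope-from", "").lower()
    if envelope and envelope != addr.lower():
        reasons.append(f"envelope sender {envelope} differs from From {addr}")

    if hdrs.get("subject", "").lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches known lure")

    # Heuristic (assumption): a gmail.com sender whose first hop is not Google.
    received = hdrs.get("received", "").lower()
    if domain == "gmail.com" and "google.com" not in received:
        reasons.append(f"gmail.com sender but first hop is {received or 'unknown'}")

    return reasons


def triage(text):
    """Map each sample to (From address, reasons); two or more reasons = suspicious."""
    return [(parseaddr(h.get("from", ""))[1], assess(h)) for h in parse_blocks(text)]


if __name__ == "__main__":
    for addr, reasons in triage(SAMPLES):
        verdict = "SUSPICIOUS" if len(reasons) >= 2 else "ok"
        print(f"{addr}: {verdict}")
        for r in reasons:
            print("   -", r)
```

Both samples trip three checks each; the "Bobby Maynard" one shows why the display-name rule alone is not enough, since that sample is caught by the envelope/From mismatch and the subject instead.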

Attachment Examples:

receipt 883A38.zip containing receipt 883A38.exe

virustotal analysis: here

Kaspersky    Trojan-Spy.Win32.Zbot.ocxr
Sophos       Troj/Agent-ADBW
McAfee       PWSZbot-FBX!6C9CF9AB6FB2
Malwarebytes Trojan.Email.FW

malwr.com analysis: here

Starts a server listening on 0.0.0.0:2368
Performs some HTTP requests
Operates on local firewall's policies and settings
Installs itself for autorun at Windows startup
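
An added example (not from the original post) of the attachment check a mail gateway or triage script would apply to "receipt 883A38.zip": it opens the archive in memory and flags members with an executable extension, a double extension such as invoice.pdf.exe, or Windows PE ("MZ") magic bytes, reading only the first two bytes of each member so oversized members stay cheap. The zip is constructed inline as a stand-in for the real attachment; the .exe inside carries only the two-byte magic and filler, not a real program, and the extension list is an assumption.

```python
import io
import os
import zipfile

# Assumed list: extensions that have no business inside a "receipt" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def build_sample_zip():
    """Constructed stand-in for 'receipt 883A38.zip': one fake .exe and one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Only the two-byte "MZ" magic is real; the rest is filler, not a PE file.
        zf.writestr("receipt 883A38.exe", b"MZ" + b"\x00" * 62 + b"constructed filler")
        zf.writestr("readme.txt", b"benign text member")
    return buf.getvalue()


def inspect_zip(data, max_members=200):
    """Return findings for members that look executable by name or by magic bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            name = os.path.basename(info.filename.replace("\\", "/"))
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable extension {ext}")
            # "invoice.pdf.exe" style names: more than one extension, last one executable
            parts = name.lower().split(".")
            if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: double extension")
            # Read only the first two bytes so a large member stays cheap to check.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                findings.append(f"{info.filename}: Windows PE magic (MZ)")
    return findings


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
```

The magic-byte check matters because renaming the member would defeat the extension rule alone; the benign readme.txt member produces no finding, which is the behaviour you want before blocking on this.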

This email ALSO has malicious links! Examples:

Links go to sites like:

uoa.com.pk /bnug0.html
tranhgaorang.com /wk86w2.html
allianceassociates.co.in /2sptz6u.html

which each load three or so JavaScript files, sometimes served with a .txt extension:

nutnet.ir /dl/nnnew.txt
www.emotiontag.net /cp/nnnew.txt
aurummulier.pl /nnnew.txt

which redirect to another site. That site checks the user-agent and, if it is Internet Explorer, serves a page that runs obfuscated JavaScript and tries to load a Java applet of some kind. This is where the malware is delivered. Sites like:

gottagirl.net /topic/sessions-folk-binds.php


Found something bad?

Do your part to clean it up!

Report malicious links to:

StopBadware.org

Report phishing links to:

Google Safebrowsing - Phishing

Netcraft Anti-Phishing

Send Virus Samples to:

Clam AV Database

Microsoft Anti-Malware DB

But most importantly:

Follow THL on Twitter


Submitting an email to THL

Submissions welcome!

 j (a-t) techhelplist (d-o-t) com

password zips with "slick-banana"

Some other GREAT resources

StopMalvertising

MyOnlineSecurity