MX Lab intercepted a new virus campaign concerning an undelivered package, sent from a spoofed United States Postal Service (USPS) email address. In our case it was sent from Augustine Mcclain <Augustine _Mcclain@usps.com>. The subject is “Your Postal Package N6730622”; the number changes randomly.
The setup is the same as in the earlier virus campaigns that used spoofed UPS, DHL, or FedEx email addresses.
The body of the email:
Good day,
Unfortunately, we could not deliver postal package sent 01 April,
As the recipient’s address does not exist.
Please, print out the bill of lading that is in the attached document, and collect your parcel in our office at the address indicated in the bill of lading.
Best regards,
Augustine Mcclain
Attached to the message is the ZIP archive Postal_p_N2355224.zip; once extracted, it contains the 40 kB file postal_p_N2355224.doc.exe.
The trojan is known as Trojan:Win32/Oficla.M (Microsoft) or trojan.Sasfis (Kaspersky).
The following files will be created:
%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid” is created.
The registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” will be modified.
The trojan can establish remote connections to the IP addresses 174.120.228.122 and 193.105.174.108 on port 80 and retrieve data from:
* hxxp://www.brightspottech.com/loader_40.exe
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=432227885&b=build001&tm=2
At the time of writing, only 4 of the 40 AV engines at VirusTotal detected the trojan, so be careful when you notice this message in your mailbox!
VirusTotal permalink and MD5: e7316a1faeb6507f5684d76c189768ea.
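As an added example (not MX Lab’s code), a mail-gateway style check in Python that applies the indicators above to an incoming message: the subject pattern, the decoy double extension of the attached executable and the published MD5. The ZIP sample is constructed in memory; the list of executable extensions beyond .exe is an assumption.

```python
import hashlib
import io
import re
import zipfile

# Indicators taken from the advisory above (hash and naming pattern only).
KNOWN_BAD_MD5 = {"e7316a1faeb6507f5684d76c189768ea"}
SUBJECT_RE = re.compile(r"^Your Postal Package N\d+$")
# Assumed list of extensions treated as executable by this check.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def classify_member(name):
    """Return the reasons an archive member looks like a dropper."""
    # The campaign hides an .exe behind a decoy .doc extension, so both
    # the final extension and a double extension are reported.
    reasons = []
    pieces = name.rsplit("/", 1)[-1].lower().split(".")
    if len(pieces) >= 2 and "." + pieces[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if len(pieces) >= 3:
            reasons.append("double extension .%s.%s" % (pieces[-2], pieces[-1]))
    return reasons


def scan_attachment(subject, zip_bytes):
    """Inspect a ZIP attachment in memory; returns (verdict, findings)."""
    findings = []
    if SUBJECT_RE.match(subject.strip()):
        findings.append("subject matches campaign pattern")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for reason in classify_member(info.filename):
                findings.append("%s: %s" % (info.filename, reason))
            # Hash the member content and compare with the published MD5.
            digest = hashlib.md5(zf.read(info)).hexdigest()
            if digest in KNOWN_BAD_MD5:
                findings.append("%s: known bad MD5 %s" % (info.filename, digest))
    return ("block" if findings else "allow"), findings


def build_sample_zip(member_name, content):
    """Build a constructed in-memory ZIP so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("postal_p_N2355224.doc.exe", b"MZ constructed stub")
    print(scan_attachment("Your Postal Package N6730622", sample))
```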
Related articles: UPS Spam Mail.
If you get any suspicious email, you can forward it to malware[at]computersecurityarticles.info for analysis, or you can upload it here.
Posted on 04 May 2010. Tags: emails, manager@usps com, N***, Package, Postal, subject, USPS, usps email scam, usps phishing, usps spam, usps spam email
The above information is reprinted from and copyrighted © by MX Lab.
Will this trojan infect Mac machines??? Unfortunately I clicked on the attachment, which however did not result in me being able to view anything intelligible in the attachment.
Thanks
Just received an email from “manager@usps.com” telling me that my package couldn’t be delivered and to print the label. Glad I looked it up first.
I found this email (USPS w/ zip file attachment) in my spam folder this morning. Was certain it was fake (when I mail documents, the USPS doesn’t get my email address; it didn’t have my name in it; and 100 other reasons it couldn’t be legit), haven’t opened it, and finding your posting lets me congratulate myself for a successful “a-ha! moment”. Thanks!
I opened the email attachment but my anti virus program caught it. Can it still be on my computer?
Hi
As per the explanation the authorities can find out the IP address of the sender. Then why there is no legal action against these spammers?
USPS Delivery Problem NR1060285
Tuesday, October 5, 2010 11:47 AM
That is the subject line of mine. The attachment was a read only file and Norton said it contained no virus. The text didn’t specify a post office, so how do I know which one? I didn’t send any package. The sender was “United States Postal”
I found this email too, and I was desperate ’cause I wanted to download the Zip file and Hotmail warned me about the virus, but actually I am waiting for a package from USPS, so I was sure that it was a real mail. LOL. Be careful.
USPS email? Any answers to the above questions? My virus scanner did not detect a virus. I had mailed many items and had recently sent USPS an email about an address update… so I opened the email. What actions should I take to remove it? How do I find out if it infected the computer? When I unzipped it, nothing showed but a blank page….
Very concerned as this is not my computer!!!!
Variant:
Subject:UPS Invoice copy N5541699
From: United States Postal [manager@usps.com]
Hello!
The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.
Thank you.
UPS Global Mail.
Attachment: Tracking_information_NR6709.zip
###############################
Contained: ‘exe’ file with “Sasfis” trojan (according to NIS2011)
Don’t open (I didn’t)
Good afternoon!
The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.
Thank you for your attention.
UPS Global Mail.
I am actually waiting on something in the mail, but I don’t know how it could have gotten my e-mail, so I looked it up first and I’m glad I did.
I’ve had 3 of these e-mails in the last 2 days. I replied asking for a parcel tracking number and it came back “failure notice”. I didn’t click on the attachment. I am actually waiting for a package from the USA, but thought there was something iffy about the e-mail.
Just received an e-mail like this today.
Subject Line: United States Postal Email:
Hello
The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.
Thank you for your attention.
UPS Customer.
The attached was: UPS_Document_Nr03740.zip (26KB)
Thank goodness, I researched first before opening it, because UPS doesn’t have my e-mail address.
Found this in my spam mail today. Was thrown for a loop, since I am actually waiting for something sent through USPS. Glad I looked it up before even considering opening the attachment. Mine was sent from the address “UPS Services (federal@usps.com)” with the message:
“Good day!
Your parcel has arrived at the post office on October 13.
Our Driver was unable to deliver the parcel to your address.
To receive a parcel you must go to the nearest UPS office and show your mailing label.
You need to print mailing label, and show it in UPS office to receive the parcel.
Thank you.
UPS Global Mail.”
Rather funny, considering I didn’t order what I’m waiting for until the 19th.
I got the same thing today and as of now, this message is posted on the USPS website.
Before you call…
Customers may be receiving email messages or phone calls that allege to be from the U.S. Postal Service that contain fraudulent information about attempted or intercepted package delivery.
For emails: If opened, the messages instruct customers to click on a link to find out more about when they can expect delivery of their “package.” Simply delete the message without taking any further action.
For phone calls: Please do not provide any personal information and let the caller know you’re not interested and hang-up the phone.
The Postal Inspection Service is aware of the problems and are working hard to resolve the issues and shut down the malicious programs.
We regret any inconvenience this may have caused our customers.
It is a scam! I got one today. Please beware of these idiots. Manager@usps.com
Here it is below:
Good afternoon.
Your parcel has arrived at the post office on October 01.
Our Driver was unable to deliver the parcel to your address.
To receive a parcel you must go to the nearest UPS office and show your mailing label.
You need to print mailing label, and show it in UPS office to receive the parcel.
Thank you.
UPS Services.
Sat, October 23, 2010 10:47:58 AM
Subject: You need to get a parcel number 167
From: United States Postal
To: ———-@yahoo.com
UPS_label_ID2287.zip (26KB)
——————————————————————————–
Hello
Your parcel has arrived at the post office on October 10.
Our Driver was unable to deliver the parcel to your address.
To receive a parcel you must go to the nearest UPS office and show your mailing label.
You need to print mailing label, and show it in UPS office to receive the parcel.
Thank you.
UPS Express Services.
This is how my e-mail looked. At the bottom of the message, I guess in white font, it said…
On the basis of these findings I now recommend that the Congress proceed to a consideration of this schedule with a view to its revision and a general reduction of its rates.The report shows that the present method of assessing the duty on raw Wool–this is, by a specific rate on the grease pound (i. e. , unscoured) –operates to exclude wools of high shrinkage in scouring but fine quality from the American market and thereby lessens the range of wools available to the domestic manufacturer; that the duty on scoured wool Of 33 cents per pound is prohibitory and operates to exclude the importation of clean, low-priced foreign wools of inferior grades, which are nevertheless valuable material for manufacturing, and which can not be imported in the grease because of their heavy shrinkage. Such wools, if imported, might be used to displace the cheap substitutes now in use.
My yahoo mail detected the virus. Please do not open.
Does anyone else realize that the email sender is …….@usps.com, but then the email header and body mention _UPS_ which is not the same company.
I have received 2-3 of these A DAY for the last month at my WORK email address, and I am getting tired of it. It all goes into my “Banned Email attachments” folder so I never open them, but it is getting really old……
Just wanted to tell that I received the following email today. Seems to be another variant:
Sender: “USPS Shipping Parcels”
Subject: USPS service. Get your parcel No07611
Message:
“Dear Customer!
Your package has been returned to the USPS office.
The reason of the return is – Error in the delivery address!
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the USPS office in order to receive the packages.
Thank you for attention.
USPS Customer Services.”
I almost fell for this because I sent an express package this evening! These scammers are geniuses, lol. Too bad they can’t put their brains toward legitimate businesses. Glad I looked the scam up before actually opening the file.
Many thanks for your advice, we were looking several nights due to this.
Hi,
I have questions regarding this virus campaign :
I have received also such @ last October 2010. Unfortunately I opened the attached file. As a consequence, it has immediately ruined my computer electricity supply wire.
Is it possible ?
My second question is : would it be conceivable that someone sent me this @ on purpose or is such campaign driven anonymously ?
Thanks for your comments and reply
Thank you for the help, this is my second email and I didn’t know what to think.
Will delete it now.
thanks again.
My own said no virus detected. Should I still download it?
My own said:
Dear customer.
The parcel was sent your home address.
And it will arrive within 3 business day.
More information and the tracking number are attached in document below.
Thank you.
© 1994-2011 FedEx, Inc.
And I opened it and the antivirus was scanning for viruses; it said no virus detected. Should I still open it? Please tell me, I’m scared.
I got this virus email in my junk mail box. It contained 2 attachments, but I didn’t open them, because the email was way too simplistic to be a genuine email from DHL. Posting this just to make you aware this type of scam exists.
“Dear customer
The parcel was sent your home adress
And it will arrive within 10 business days
More information and the tracking numberare attached in document below.
Thank You© 1994-2011 DHL Express Services, Inc.”
Recently received a similar message from DHL. I really believed it was indeed from DHL as I am constantly receiving products via their service. I tried to open the zip file, but it did not open, just showed an error. I am on Linux, so I guess I am safe, as this type of virus affects only win computers? Or am I wrong?
I just got my 2nd one from express.deliverys@yahoo.com. The 1st had a UPS addy but they’ve obviously adapted. Here’s the body text…
Dear customer
The parcel was sent your home adress
And it will arrive within 10 business days
More information and the tracking number
are attached in document below.
Thank You
© 1994-2011 Express Services, Inc.
The UPS one almost got me as I was waiting for something at the time, but this was obviously a fake. They need to learn to spell.
What about that?
A mail came to me from infojaol@express_services.com:
Important Information!
Dear customer.
The parcel was sent your home address! And it will arrive within 7
business day.
More information and the traching number are attached in document
below(Access Mail Services).
Thank you.
Best regards.
2011 Express Services International GmbH. All rights reserved.
with attached file named
@Gamal: Yes, the message is very familiar and looks malicious.
From: System Mail
To: terrimarkham@yahoo.com
1 Attachment
Subject: Re: Express Services notification #467600344
Sat Apr 16th, 2011 5:27 AM CST
Important Information!
Dear customer. The parcel was sent your home address! And it will arrive within 7 business day. More information and the traching number are attached in document below! Thank you.
Best regards. 2011 Express Services International GmbH. All rights reserved.
Attachments: Access Mail Services.zip 4KB
I got this message today, April 9, 15 and 16 from infopyunok@Express_Services.com. It’s system mail so I can’t reply to it.