A combination of the “Thank you for buying iTunes Gift Certificate!” and the latest UPS related emails with subjects like “UPS INVOICE NR9094991″ or ”Delivery Problem NR2204780″ has made that MX Lab noted the highest virus detection rate since months.
The possible subjects are (numbers are random):
UPS INVOICE NR9094991
Delivery Problem NR2204780
The body of the email:
Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.
Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.
The email contains the zip archive upsinvoice3325037.zip, once extracted the 36 kB large file UPSINVOICE.exe is available.
The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).
The following files are created:
%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll
The following modules will be loaded into the address space of other process(es):
%Windir%\scindl.dll —>
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000
%Windir%\scindl.dll —>
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0×1940000 – 0×1951000
%Windir%\scindl.dll —>
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0×10000000 – 0×10011000
The trojan can establish a remote connection with the following hosts on port 80:
85.87.17.230
89.149.202.142
95.211.27.238
Data will be requested fromt he following web sites:
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/
_source/classes/sistempod.exe
Virus Total permlink and MD5: 493c929efe366812cd6fc921c2b549fc.
View full post on mxlab – all about anti virus and anti spam
I just received a UPS invoice nr.3053109, of which I think contains a virus.
Hi Constance, yes that is a virus. Please delete it immediately or you can forward that email to admin@computersecurityarticles.info for analysis. Thanks.
Just a note to say these are still floating around. Funny, the one I just received provided its own flag in the form of the senders e-mail addy being USPS@USPS.com while the subject states “UPS Invoice copy N7053″. Cheers!
(Btw, wasn’t detected by Avast which is usually quite proficient.)
I just received a UPS Invoice copy N66817, i’m not sure of it is a virus, thanks from Holland
I recived an UPS email with the NR.zip file and unfortunately clicked on the attachment. It appeared to be downloded in the documents. I didn’t further open the zip file so I am thinking the virus is not extracted from the file. My computer is working fine. But now I can’t find this file to delete it from my computer. went thru all the document files, zip files and exe files.. Ran security software and windows defender and nothing was found. I deleted all the temporary internet files. Any idea where this file could be? Thanks.
Is there step-by-step instructions somewhere on what to do if we get this virus? I knew better then to open it…argg!
Is there step-by-step instructions somewhere on what to do if we get this virus? I knew better then to open it…argg! My virus protection didn’t catch it.
My mom accidentally opened this, and downloaded/opened the zip file. Fortunately for her, it contained an .exe file, which couldn’t be opened by her Mac. These emails are still going around in a variety of forms.
I opened the file, because I was sure it was okay as it had the USPS logo on it… However, ever since my mail program on my Mac has not been working. What does this mean?
Can I get rid of it, or what?
Please help.
Hi T, you can send the attachment to us via Virus Submit. Most likely it is a trojan. Thanks!
If you’re ever in doubt about the legitimacy of an email from UPS be sure to contact them first prior to opening it – UPS Phone Number