MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “Post Express Service. Package is available for pickup! NR1535”.
The email is sent from the spoofed address “****” and has the following body:
This is a post notification
Your package has been returned to the Post Express office.
The reason of the return is “Incorrect delivery address of the package”.
Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.
Thank you.
Post Express Service.
The attached ZIP file has the name Post_Express_Label_85211.zip and contains the 29 kB large file Post_Express_Label_85211.exe.
The trojan is known as BC.Heuristic.Trojan.SusPacked.BF-6.A (ClamAV), VirTool:Win32/Injector.gen!BB (Microsoft), TROJ_SPYEYE.SMEP (TrendMicro) or Trj/CI.A (Panda).
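A mail-gateway check for this lure, added here as an example and not MX Lab's own tooling: it parses a message, matches the campaign subject (assumed regex, generalised over the NR number) and opens any ZIP attachment in memory to see whether it wraps an executable, which is the actual payload delivery trick in this campaign. The sample message is constructed inline; the .exe inside it is two bytes, not the real sample.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject seen in this campaign; the NR number varies per message (assumed pattern).
SUBJECT_RE = re.compile(r"Post Express Service\. Package is available for pickup!\s*NR\d+")
# Extensions that should never arrive inside a ZIP from a parcel service.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executables_in_zip(data: bytes) -> list:
    """Return the member names of a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []  # not a real ZIP; leave it to other content checks


def inspect_message(raw: bytes) -> dict:
    """Flag a message whose subject matches the lure or whose ZIP attachment hides an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = {"subject_match": bool(SUBJECT_RE.search(subject)), "exe_in_zip": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            findings["exe_in_zip"] += executables_in_zip(part.get_payload(decode=True))
    findings["block"] = findings["subject_match"] or bool(findings["exe_in_zip"])
    return findings


def build_sample() -> bytes:
    """Constructed sample mimicking the lure: a ZIP that wraps a (fake) .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Post_Express_Label_85211.exe", b"MZ")  # constructed stub, not the real file
    msg = EmailMessage()
    msg["Subject"] = "Post Express Service. Package is available for pickup! NR1535"
    msg["From"] = "spoofed@example.invalid"  # constructed spoofed sender
    msg.set_content("This is a post notification")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Post_Express_Label_85211.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(inspect_message(build_sample()))
```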
The following files will be created:
[file and filename of the sample]
Data can be obtained from the following URLs:
- http://interviewbuy.ru/forum/document.doc
- http://interviewbuy.ru/forum/load.php?file=ftpgrabber
- http://interviewbuy.ru/forum/load.php?file=pokergrabber
The following data downloads were started:
- http://interviewbuy.ru/forum/load.php?file=0 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=1 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=2 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=3 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=4 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=5 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=6 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=7 %Temp%.tmp
- http://interviewbuy.ru/forum/load.php?file=8 %Temp%\A.tmp
- http://interviewbuy.ru/forum/load.php?file=9 %Temp%\B.tmp
At the time of writing, only 6 of the 42 AV engines at Virus Total detected the trojan.
Virus Total permalink and MD5: 64bfd8184f8bfd2c0528993fdfc15e2a.
The downloads contain a malicious backdoor trojan “Backdoor.Agent.AJU” that is capable of running and opening TCP ports to connect to public SMTP servers.
The following files are created on the system:
%AppData%\asdfasfas.bat
%AppData%\palladium.exe
%Temp%\_check32.bat
%Windir%\s32.txt
%System%\aspimgr.exe
%Windir%\Tasks\At1.job
%Windir%\Tasks\At10.job
%Windir%\Tasks\At11.job
%Windir%\Tasks\At12.job
%Windir%\Tasks\At13.job
%Windir%\Tasks\At14.job
%Windir%\Tasks\At15.job
%Windir%\Tasks\At16.job
%Windir%\Tasks\At17.job
%Windir%\Tasks\At18.job
%Windir%\Tasks\At19.job
%Windir%\Tasks\At2.job
%Windir%\Tasks\At21.job
%Windir%\Tasks\At22.job
%Windir%\Tasks\At23.job
%Windir%\Tasks\At24.job
%Windir%\Tasks\At4.job
%Windir%\Tasks\At5.job
%Windir%\Tasks\At6.job
%Windir%\Tasks\At7.job
%Windir%\Tasks\At8.job
%Windir%\Tasks\At9.job
%Windir%\ws386.ini
New processes are created on the system:
aspimgr.exe
palladium.exe
A running aspimgr service is created on the system with the display name Microsoft ASPI Manager pointing to %System%\aspmgr.exe.
Several Windows registry changes will be executed, and the following hostnames are requested:
- ns.uk2.net
- www.yahoo.com
- www.web.de
- kusika911.ru
A connection with glhkghjfhhfklffr.com on port 80 will be established and the following GET requests are made:
- inst.php?id=abs_03&lang=ENU
- index.jpg
If you got a suspicious email, you can forward it to us [malware@computersecurityarticles.info], or you are also able to submit the malicious file via “Virus Submit“.
Neutralised by Kaspersky on arrival.
It’s the McAfee users I feel sorry for. :(
I got this email too… but thing is one of my packages did get lost and did not go to the person it was supposed to, so I thought it was really real until I saw an exe file and my McAfee blocked it. And also the email CCs some other emails with similar email addresses like mine, which made me think it was a computer generated thing.
I got this yesterday, thought one of my packages was sent back again. Got fooled into opening the virus due to rushing and not paying attention. Now my home PC is locked up and continuously rebooting, unable to remove in command prompt modes/safe modes. I’m completely lost in how to stop the rebooting from this virus/trojan. I’m willing to read suggestions. Mahalo for your time.
Aloha!
I received this too, and as I had recently returned an Express Post package, I thought it might be legit. But like “Nazmul”, when I saw the exe file I was suspicious and didn’t open it.
I recently ordered many things online, which I don’t do very often. I also thought it was real until my computer said it wasn’t trusted. I wonder if there is a similar place we all ordered from that caused us to get this? I received this only a few hours ago. I placed orders with sporting decor shops, Fathead, Football Fanatics… places like that.
I too received this email 5 days after placing an order online (power tool). It has been a long time since I placed an online order. I think it’s a number of sites being compromised. How? Someone is getting our emails when we place our orders. What other info are they getting? Credit card? Hmm…
Just another thought; is it possible our computers are compromised already before we order? Something asleep in our computer, waiting for us to place an order and getting our info? But probably not. Just a thought for the rest of the gurus to figure out.
MauiBoy – re-install Windows from the CD: change your boot device in the startup to CD-ROM, and boot from CD.
How do you get rid of the trojan virus once it’s on your system… my AVG antivirus thing pops up every 3 mins approx telling me there’s viruses on my system.
I got this message also but when I opened it, I had to use WinRAR for it, but it was not opening. I had to call the Post Express office to confirm the message, but to no avail. Thank God for the strong antivirus I have on my PC.
I received this and almost opened it till I saw the .exe file. Funny thing is, as mentioned above, I had just placed an order on meritline.com, and it was due to ship the same day I received this garbage email. It too had CC’d other similar names….
AVG got it on arrival, excellent free antivirus
I also received this mail and, by coincidence, I was expecting a package on the very day the mail arrived, so I let it be to see whether the package actually turned up. After 2 days nothing had arrived yet and I was tempted to open the mail, but when I tried to open it I immediately had some doubts, which I quickly cleared up by searching Google for “Post Express Office”, where in the end I actually came to understand that it was a trojan!
What I ask myself is: how do these bastards get hold of my data, and above all, what is the most data they can obtain?
One thing is certain… they are real sons of bitches!!
Living in Holland, I got this same mail today, 10 March 2011. Fortunately ESET NOD32 antivirus recognized it and had already put it in the “suspicious mail” mailbox. So I first looked on the internet and discovered this site. Now I know it’s malicious software and I have deleted it without opening the attachment. Good to have sites like this!
I just got this today. It did not have any emails CC’d as others have posted, but the attachment was a zip file.
I received this email this morning, thought it suspicious so I scanned the attachment with my Symantec Corporate antivirus…NO trojan was detected, so it’s not just McAfee users that have to be worried…
I also received this e-mail (a few times), but I don’t think it must be connected with placing orders. I have two e-mail addresses – one used only for buying online and logging on to web portals, and the second one only for correspondence. I buy online quite often, from different sites and different countries, and the ‘Post Express Service’ virus comes frequently, BUT only to this address used exclusively for correspondence. I never got it at the address used for buying/logging in.
I got this today, but won’t open it. Sometimes will get a UPS msg of the same type.
I got this thing and like an idiot I opened it. Was hoping Anti-Vir would stop it if it was bad, but it didn’t. Shut down, wouldn’t reboot, tried reinstalling, but that won’t work either. It formats, then loses the format, restarts and then starts over. Any suggestions?
I got the same email on Feb 10th, thought to see what message was in the zip file, did not pay attention to the file name; after double clicking on the file, no window was opened to display the message. When I checked the file name again, found it is an exe file. Shoot! I had already run it. Nothing happened at the time. I deleted the email although it was too late. I shut down my laptop, went out.
After coming back home, turned on the laptop, the BIOS boot started, then just stopped there.
Shut down the power, then turned the power on, pressed F8 till I saw the boot option menu, selected Safe Mode, pressed Enter, then the window went to black.
Tried different options to start, no luck!
I have many useful files on my laptop (Windows XP), not backed up yet.
Help! Is reinstalling XP the only way to recover my laptop? Will my files be lost?
Many thanks!
How do you get rid of this virus?! I don’t know what to do.. I ran Malwarebytes but they didn’t detect anything.. and I deleted the zip file of this virus. But please I need help getting this off!
I saw this email on my phone and deleted it instantly…it never showed up in my outlook mailbox but Symantec Corporate gave me a message that it had been detected and deleted. However, now my outlook is hosed and I can’t send or receive email on my laptop but keep getting prompted to use inbox repair which I can not find. I have never heard of malware that can execute even when you do not open it?! Any help/suggestions are appreciated.
I’ve received this mail several times in the last couple of weeks. I’m assuming from different addresses as each time I have blocked the sender. Luckily I read it on my iPhone the first time I received it, as otherwise I may have opened the attachment. I order lots of things online, but I was suspicious that there was no personal information in the email, my name, address or even who I was supposedly receiving a package from.
Today I received this mail; as I found it suspicious I deleted it immediately without opening it.
Then I started searching the Internet and came across this.
I hope that in spite of everything it has not affected my PC.
So far I have not noticed anything strange.
I’m in China. I got it this morning. I’m really curious about it. Thank God I didn’t open it.
I received this e-mail today. It went straight into junk mail and had a list of e-mail addresses in the CC bar, so I deleted it straight away. Thought it was suspicious so found this website after reading other people’s experiences; glad I checked.