Malware: United Parcel Service notification #46034

Suspicious email spreading malware:

Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034

Message:

May 2011
United Parcel Service
tracking number #18203

Good morning
Parcel notification
The parcel was sent your home adress. And it will arrive within 3 buisness days. More information and the parcel tracking number are attached in document below.
Thank you
United Parcel Service of America (c)
153 James Street, Suite 100, Long Beach CA, 90000

The attachment is a file with a ZIP extension:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 of 5 (80%)
Status: INFECTED

Engine          Date        Version      Detection
AVG             14/06/2011  10.0.0.1190  FakeAlert
Avira AntiVir   14/06/2011  7.11.7.12    TR/Crypt.XPACK.Gen
ClamAV          14/06/2011  0.97         Suspect.Bredozip-zippwd-10
Emsisoft        14/06/2011  5.1.0.2      Trojan-Downloader.Win32.Chepvil!IK

The file extracted from the archive is an executable:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 of 5 (40%)
Status: INFECTED

Engine          Date        Version      Detection
Avira AntiVir   14/06/2011  7.11.7.12    TR/Crypt.XPACK.Gen
Emsisoft        14/06/2011  5.1.0.2      Trojan-Downloader.Win32.Chepvil!IK

Report created by NoVirusThanks Automated Sandbox:

Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80

URLVoid domain analysis:

http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org

IPVoid IP address analysis:

http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34