Tag Archives: UPS virus

Malware: UPS Delivery Notification Tracking Number

We recently logged some emails carrying two suspicious attachments:

[Image: ups-malware]

As you can see, the subject line and sender address are crafted to look like they come from UPS, but the email is a scam: it is used to spread an attachment named invoiceCM0V9ORWJF23KX8PAP.PDF.exe, the executable of the (in)famous Zbot (ZeuS) trojan, which cybercriminals use to monitor the victim's PC and steal banking credentials and other sensitive information. Note the double extension: the ".PDF" part is there to make the file pass for a document, while the real extension, ".exe", is hidden on a default Windows installation ("Hide extensions for known file types" is on), so the victim sees only "invoiceCM0V9ORWJF23KX8PAP.PDF".

More information about the attached file:

File: invoiceCM0V9ORWJF23KX8PAP.PDF.exe
Size: 167.2 KB (171261 bytes)
SHA256: 2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088
SHA1: 3c0e4f12faef99cc80f8a091a8210b34a2c7c9fb
MD5: 015e60d0ddff09d7df66d926d3793cc8

Malware: United Parcel Service notification #46034

Suspicious email spreading malware. Note that Return-Path and From both claim ups.com, while the Received header shows the message actually arrived from 39.203.6.87 through an account on ms21.hinet.net, with a HELO name (ybydypsmsb.cehflcrileuz.ru) that has nothing to do with UPS: the sender address is forged.

Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034

Message:

May 2011
United Parcel Service
tracking number #18203

Good morning

Parcel notification

The parcel was sent your home adress. And it will arrive within 3 buisness days. More information and the parcel tracking number are attached in document below.

Thank you
United Parcel Service of America (c)
153 James Street, Suite 100, Long Beach CA, 90000

Attached is a file with a ZIP extension:

Report date: 2011-06-14 11:44:18 (GMT+1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 of 5 (80%)
Status: INFECTED

AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The ZIP contains an executable:

Report date: 2011-06-14 11:44:18 (GMT+1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 of 5 (40%)
Status: INFECTED

Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
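Both posts above show the same triage signals: a From address that the Received header contradicts, an attachment with a double extension (.PDF.exe), a ZIP that wraps an executable, and file hashes that can be matched against the ones listed. The script below, added here as an example and not part of the original posts, applies those checks to a raw RFC 822 message. The message it builds is a constructed stand-in that copies the page's headers but carries harmless dummy attachments, not the real malware; the From-versus-Received comparison is a heuristic of my own that will also fire on legitimate mail relayed through third-party servers.

```python
"""Triage of a UPS-lure e-mail: forged sender, double-extension
attachment, ZIP wrapping an executable, hash match against the IOCs
listed on this page.  Example code, not from the original posts."""
import hashlib
import io
import json
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hashes as published above (first post: Zbot; second post: ZIP + exe).
KNOWN_BAD_SHA256 = {"2695e33e671c4eee1e55ad534d9b33445a56b8ffeff50b7c63fa12f266de1088"}
KNOWN_BAD_MD5 = {
    "015e60d0ddff09d7df66d926d3793cc8",  # invoiceCM0V9ORWJF23KX8PAP.PDF.exe
    "4e8bbc81f8a1ed3fcde3899546fef0c9",  # ups-document zip
    "fed91182ed9d29e36bbabac211ac7d3a",  # ups-document exe
}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def double_extension(name: str) -> bool:
    """True for names like invoice.PDF.exe: a document-looking extension
    right before the real, executable one (which Windows hides by default)."""
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-1] in EXECUTABLE_EXT
            and "." + parts[-2] in DOCUMENT_EXT)


def zip_executables(data: bytes) -> list:
    """Names of executables inside a ZIP payload; [] if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if "." + n.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXT]
    except zipfile.BadZipFile:
        return []


def forged_sender(msg) -> bool:
    """Heuristic (mine): the From: domain appears in none of the Received:
    headers.  Fires on the sample (ups.com vs. a .ru HELO via hinet.net),
    but also on legitimate mail relayed through third parties."""
    domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    return bool(domain) and domain not in received


def triage(raw: bytes) -> dict:
    """Parse a raw message and report per-attachment findings plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"forged_sender": forged_sender(msg), "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        report["attachments"].append({
            "name": name,
            "md5": md5,
            "sha256": sha256,
            "double_extension": double_extension(name),
            "zip_executables": zip_executables(data),
            "known_bad": md5 in KNOWN_BAD_MD5 or sha256 in KNOWN_BAD_SHA256,
        })
    malicious = any(a["known_bad"] or a["double_extension"] or a["zip_executables"]
                    for a in report["attachments"])
    report["verdict"] = ("malicious" if malicious
                         else "suspicious" if report["forged_sender"] else "clean")
    return report


def build_sample() -> bytes:
    """Constructed test message: headers copied from the second post,
    attachments are harmless stand-ins, not the real malware."""
    msg = EmailMessage()
    msg["Return-Path"] = "<info52943@ups.com>"
    msg["Received"] = ("from [39.203.6.87] (account 1361@ms21.hinet.net "
                       "HELO ybydypsmsb.cehflcrileuz.ru)")
    msg["From"] = '"United Parcel Service" <info52943@ups.com>'
    msg["Subject"] = "United Parcel Service notification #46034"
    msg.set_content("The parcel was sent your home adress.")
    msg.add_attachment(b"MZ stand-in, not a real PE", maintype="application",
                       subtype="octet-stream",
                       filename="invoiceCM0V9ORWJF23KX8PAP.PDF.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups-document.exe", b"MZ stand-in")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="ups-document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

Run it as-is to see the report for the constructed message; to use it on real mail, feed the raw bytes of an .eml file to triage() and extend KNOWN_BAD_MD5 and KNOWN_BAD_SHA256 with your own hash feed.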

Report created by NoVirusThanks Automated Sandbox. Reading the trace: the sample starts a genuine svchost.exe (Microsoft Corporation, 14336 bytes) and is deleted by that process right afterwards, and from then on all network activity is attributed to svchost.exe, which points to code injection into a trusted system binary. The injected svchost.exe fetches pusk3.exe, trol.exe and trol2.exe from miliardov.com (85.202.146.77) and runs them from a Temp folder under the user profile; pusk3.exe reports to searcham.org with an affiliate ID (affid=531), the typical check-in of a pay-per-install downloader, while trol2.exe copies itself to %Temp%\2.tmp and contacts two further hosts. The sandbox ran on an Italian Windows installation, hence the "Impostazioni locali" (Local Settings) path in the entries below:

Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80
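To turn a trace like this into something a SOC can act on, the entries have to be reduced to indicators: contacted IP:port pairs, requested URLs, hashes and paths of dropped files, and the process-injection pattern of a system binary spawned by the sample that then talks to the network. The parser below is an added example written for this page, not a NoVirusThanks tool; the field layout (event type first, fields separated by " - ", one entry carrying an extra timestamp) is inferred from the lines above, and the embedded input is a subset of those lines copied verbatim.

```python
"""Reduce NoVirusThanks-style sandbox trace lines to IOCs and flag the
spawn-a-system-binary-then-talk-to-the-network pattern.  Example code
written for this page; the line format is inferred from the trace above."""
import re

# Subset of the trace above, copied verbatim (Italian Windows paths).
TRACE = r"""
Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80
""".strip().splitlines()

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}\.\d{2}\.\d{2}$")
MD5 = re.compile(r"^[0-9A-Fa-f]{32}$")
SYSTEM_DIR = r"c:\windows"


def parse_line(line: str) -> dict:
    """Split 'Event - field - field ...'; one entry carries an extra
    timestamp field after the event name, which is dropped."""
    fields = [f.strip() for f in line.split(" - ")]
    event, args = fields[0], fields[1:]
    if args and TIMESTAMP.match(args[0]):
        args = args[1:]
    return {"event": event, "args": args}


def extract_iocs(lines) -> dict:
    """IP:port pairs contacted, URLs requested, and MD5s/paths of files
    created or executed outside the Windows directory (the genuine
    svchost.exe is deliberately left out)."""
    iocs = {"ips": set(), "urls": set(), "md5s": set(), "dropped": set()}
    for line in lines:
        ev = parse_line(line)
        a = ev["args"]
        if ev["event"] == "Connection Established":   # proc, proto, ip, port
            iocs["ips"].add(a[2] + ":" + a[3])
        elif ev["event"] == "Web Request":              # proc, method, host, path
            iocs["urls"].add("http://" + a[2] + a[3])
        elif ev["event"] in ("File Created", "Process Created"):
            path = a[1]                                 # created file / child image
            digest = next((x for x in a if MD5.match(x)), None)
            if digest and not path.lower().startswith(SYSTEM_DIR):
                iocs["md5s"].add(digest.lower())
                iocs["dropped"].add(path)
    return {k: sorted(v) for k, v in iocs.items()}


def injection_suspects(lines) -> list:
    """System binaries started by the sample that afterwards show network
    activity.  In a sandbox run this is the signature of injection into a
    trusted process; on a live host svchost.exe also has legitimate
    network use, so this check only makes sense on a trace of the sample."""
    spawned, talking = set(), set()
    for line in lines:
        ev = parse_line(line)
        a = ev["args"]
        if (ev["event"] == "Process Created" and a[0] == "%SAMPLE%"
                and a[1].lower().startswith(SYSTEM_DIR)):
            spawned.add(a[1])
        elif ev["event"] in ("Connection Established", "Web Request"):
            talking.add(a[0])
    return sorted(spawned & talking)


if __name__ == "__main__":
    for key, values in extract_iocs(TRACE).items():
        print(key)
        for v in values:
            print("   ", v)
    print("injection suspects:", injection_suspects(TRACE))
```

The hashes are lowercased and the genuine svchost.exe is excluded so the output can be pasted straight into a blocklist or a hunt query; the URL with the affid parameter is kept whole because the affiliate ID is itself a useful pivot for linking samples to the same distribution campaign.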

URLVoid domain analysis:

http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org

IPVoid IP address analysis:

http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34