premio
UPS packet (ups_invoice.zip) WORM
I'm seeing a lot of these come through the corporate servers, seemingly undetected by McAfee.
Any insight?

Kayrac
edit: July 14th, @05:29PM
Seen a few for another language, found by another member on a different forum; his files downloaded 2 other files. Here's what he had to say about it:
"I did not go into detail much, but I can say the following about network behaviour:
after execution of UPS_Lieferschein.exe, the previously described requests are made. Afterwards a data file is downloaded from hxxp://xxxxxxxx/40E8000800000000000000006C0000015766000000007600000138EB00053051596067 and a TCP connection established to xxxxx on port 1375 with encoded/encrypted content received and transmitted. At the same time, the infected host tries to connect to several SMTP servers (which I blocked), probably to further spread its malware.
There is also an HTTP request made to x.x.net on port 3078: GET /?bot_id=0&mode=1
The response from the webserver (C&C) contains instructions to, for example, register a Hotmail account. Well, guess what happens now. Right, it tries to register and login at Hotmail. I didn't look any deeper at that, just noticed something else:
POSTs to /r.cgi containing a JPG image, probably a screenshot of my desktop, at the following hosts:"
I edited out the IPs etc.
If you could send me the files to Kayracc@gmail.com, I'll post it up over there and see if anyone else can take a better look at it.
PS: this should be detected by McAfee.
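For the defender side of the behaviour quoted above, here is an added example (not code from this thread or from the analyst quoted) that runs a few detection rules over constructed proxy/firewall log lines: the bot_id check-in, the JPEG POST to /r.cgi, the port 1375 channel and a workstation fanning out to several SMTP servers. The log format, the mail-server allow list and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample log lines, not real traffic: ts,src,dst,port,method,path,content_type
SAMPLE_LOG = """\
2008-07-14T17:01:02,10.0.0.23,203.0.113.10,3078,GET,/?bot_id=0&mode=1,-
2008-07-14T17:01:05,10.0.0.23,203.0.113.20,80,POST,/r.cgi,image/jpeg
2008-07-14T17:01:06,10.0.0.23,203.0.113.30,1375,-,-,-
2008-07-14T17:01:07,10.0.0.23,198.51.100.1,25,-,-,-
2008-07-14T17:01:07,10.0.0.23,198.51.100.2,25,-,-,-
2008-07-14T17:01:08,10.0.0.23,198.51.100.3,25,-,-,-
2008-07-14T17:02:00,10.0.0.44,203.0.113.99,80,GET,/index.html,text/html
2008-07-14T17:02:30,10.0.0.9,198.51.100.7,25,-,-,-
"""

MAIL_SERVERS = {"10.0.0.9"}   # assumption: the only hosts allowed to talk SMTP outbound
SMTP_FANOUT_THRESHOLD = 3     # assumption: distinct SMTP peers before a workstation is flagged
BOT_CHECKIN = re.compile(r"^/\?bot_id=\d+&mode=\d+$")

def parse(line):
    ts, src, dst, port, method, path, ctype = line.split(",")
    return {"src": src, "dst": dst, "port": int(port), "method": method, "path": path, "ctype": ctype}

def detect(log_text):
    """Return sorted (source_ip, rule) pairs for the behaviours the analyst described."""
    hits = set()
    smtp_peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        # C2 check-in: GET /?bot_id=<n>&mode=<n>, whatever the port
        if e["method"] == "GET" and BOT_CHECKIN.match(e["path"]):
            hits.add((e["src"], "c2-checkin"))
        # Screenshot exfiltration: a JPEG POSTed to /r.cgi
        if e["method"] == "POST" and e["path"] == "/r.cgi" and e["ctype"] == "image/jpeg":
            hits.add((e["src"], "screenshot-upload"))
        # The encoded channel on the odd port 1375
        if e["port"] == 1375:
            hits.add((e["src"], "tcp-1375"))
        # Workstations fanning out to several SMTP servers: spreading or spamming
        if e["port"] == 25 and e["src"] not in MAIL_SERVERS:
            smtp_peers[e["src"]].add(e["dst"])
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_THRESHOLD:
            hits.add((src, "smtp-fanout"))
    return sorted(hits)
if __name__ == "__main__":
    for src, rule in detect(SAMPLE_LOG):
        print(f"{src}: {rule}")
```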

Kayrac
reply to premio
File ups_invoice.exe received on 07.14.2008 22:58:52 (CET)
Current status: finished
Result: 24/33 (72.73%)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.14 Win-Trojan/Downloader.8192.LL
AntiVir 7.8.0.64 2008.07.14 TR/Dldr.Tiny.brm
Authentium 5.1.0.4 2008.07.14 W32/Trojan2.ATAB
Avast 4.8.1195.0 2008.07.14 Win32:Tiny-UR
AVG 7.5.0.516 2008.07.14 SHeur.BWIM
BitDefender 7.2 2008.07.14 Trojan.Downloader.Gadja.C
CAT-QuickHeal 9.50 2008.07.14 TrojanDownloader.Tiny.brm
ClamAV 0.93.1 2008.07.14 Trojan.Agent-30547
DrWeb 4.44.0.09170 2008.07.14 Trojan.DownLoad.1379
eSafe 7.0.17.0 2008.07.14 -
eTrust-Vet 31.6.5954 2008.07.14 Win32/SillyDl.EUC
Ewido 4.0 2008.07.14 -
F-Prot 4.4.4.56 2008.07.14 W32/Trojan2.ATAB
F-Secure 7.60.13501.0 2008.07.14 Trojan-Downloader.Win32.Obitel.a
Fortinet 3.14.0.0 2008.07.14 -
GData 2.0.7306.1023 2008.07.14 Trojan-Downloader.Win32.Obitel.a
Ikarus T3.1.1.26.0 2008.07.14 Trojan-Downloader.Win32.Tiny.brm
Kaspersky 7.0.0.125 2008.07.14 Trojan-Downloader.Win32.Obitel.a
McAfee 5338 2008.07.14 Generic Downloader.ab
Microsoft 1.3704 2008.07.14 Trojan:Win32/Agent.EE
NOD32v2 3266 2008.07.14 Win32/TrojanDownloader.Tiny.NDM
Norman 5.80.02 2008.07.14 -
Panda 9.0.0.4 2008.07.14 Suspicious file
Prevx1 V2 2008.07.14 Malware Downloader
Rising 20.53.02.00 2008.07.14 -
Sophos 4.31.0 2008.07.14 Troj/Agent-HFU
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.14 Trojan Horse
TheHacker 6.2.96.379 2008.07.14 -
TrendMicro 8.700.0.1004 2008.07.14 PAK_Generic.001
VBA32 3.12.6.9 2008.07.13 -
VirusBuster 4.5.11.0 2008.07.14 -
Webwasher-Gateway 6.6.2 2008.07.14 Trojan.Dldr.Tiny.brm
Assuming the file I found was the same as yours (which it very well could be),
either you can compare the MD5 with mine, MD5: 6b4ef50e3e21205685cea919ebf93476,
or send it to me.

AdamV
reply to premio
I've had three so far today. I get the impression that the trojan itself is relatively common, but no-one is referring to it as the "UPS packet invoice email trojan" (or whatever).
More here: »veroblog.wordpress.com/2008/07/1···y-email/

beck
reply to premio
UPS Brown Bulletin (from UPS)
Attention Virus Warning
We have become aware there is a fraudulent e-mail being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.
This e-mail attachment contains a virus. We recommend that you do not open the attachment, but delete the e-mail immediately.
UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.
Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.
Thank you for your attention.
--------------------------------------------------------------------------------
© 2008 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
-- Some people are like slinkies - not really good for much. But they bring a smile to your face when pushed down the stairs.

kpatz
edit: July 14th, @08:42PM
reply to premio
Re: UPS packet (ups_invoice.zip) WORM
The big cheese at work got one of these; she forwarded it to me to look at, and I found it was detected as a variant of the Agent trojan.
SAV CE detected it with the current definitions.
My copy (well, the big cheese's) has the same MD5 as Kayrac's.
None of my addresses have been hit, yet. My main address has the world's most powerful spam blocker so I probably won't see it at all there. :D

rfnut
reply to premio
Trend Micro 2006 latest pre-release definitions identified it. But the release definitions did not flag it at all.
Incident name: ups_invoice.exe
Detection name: TROJ_DLOADR.GG

HA Nut
reply to premio
I never get to see any of these anymore. All zips, exes and several more are blocked from all email. If someone sends us a zip we really need, it has to be specially pulled from quarantine. (Of course, this also gives us zero-day protection from all this junk.)

AlexSossa
reply to premio
On the day this was sent through, I was awaiting a package from UPS; there were hassles at my address, with the road closed off due to a fire....
It got me, I clicked. How annoying. Have identified it as:
Win32.Obitel trojan, although I cannot find a remover. Various scans have failed, can anyone suggest a removal tool?
Many Thanks

amysheehan
said by AlexSossa:
On the day this was sent through, I was awaiting a package from UPS; there were hassles at my address, with the road closed off due to a fire....
It got me, I clicked. How annoying. Have identified it as:
Win32.Obitel trojan, although I cannot find a remover. Various scans have failed, can anyone suggest a removal tool?
Many Thanks
Submit the file using this info and links to all the vendors. What AV are you using?
»Security »I think my computer is infected or hijacked. What should I do?
-amy= -- Proud Member of ASAP DSLR Phishtracker

Alexsossa
reply to premio
OK, will do.
Am using Avast 4.8.

AdamV
reply to premio
I had four files with three different MD5 hashes. One matched Kayrac's; one of mine I think may have been broken anyway, but I had two files with the same hash, which is different from the one posted above: 58AC24B1F802990387870D3A5CC2312B. More here: »veroblog.wordpress.com/2008/07/1···-trojan/

Kayrac
"MD5 hash of 6B4EF50E3E21205685CEA919EBF93476 which is the same as the one posted by Kayrac on the broadbandreports.com forum. Unfortunately he did not say what the name of the containing zip file was."
It's ups_invoice.zip, no subfolders, just opens to ups_invoice.exe.

premio
Mine had an MD5 of: 5bf574f62af6ecedbc8d3b43d4ed5f4b
I couldn't send it through Gmail or Yahoo as it was stripped, and a friendly mod deleted my attachment here.
Was this just someone buying a malware creation tool, and packaging their own variant that was different enough on signature to not be detected?

Kayrac
Did you password protect it? Gmail's been annoying me lately.

premio
edit: July 15th, @02:08PM
Gmail will not allow me to send a .zip with a .exe in it, encrypted or not. In fact I cannot send a zip file with an encrypted zip file in it that contains a .exe.
wtf

FiOS Dan
Same "WTF" here, premio...unable to send an encrypted zip file last night via Gmail.
-- Courage is being scared to death but saddling up anyway.

kpatz
reply to premio
Try renaming the .exe to .txt, then zip with encryption, and see if it'll go through Gmail.

Stem Bolt
reply to FiOS Dan
said by FiOS Dan:
Same "WTF" here, premio...unable to send an encrypted zip file last night via Gmail.
Try WinRAR. You can set a password and choose to encrypt the file names within the archive. This will hide the name of the files from Gmail and Yahoo.
-- Dr. Web + BOCLEAN: Anti-Malware + Router/SPI
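The attachment filtering the last few posts run into (a zip holding an .exe being rejected, a zip inside a zip, renaming the .exe to .txt, and encrypted entries) comes down to a gateway-side check like the one below. This is an added example, not code from the thread, Gmail or WinRAR; the extension block list, the nesting limit and the in-memory sample archives are constructed assumptions.

```python
import io
import os
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}  # assumption: gateway block list
MAX_DEPTH = 3  # assumption: how many nested archives to open before giving up

def inspect_zip(data, depth=0, prefix=""):
    """Return reasons to quarantine an attachment, recursing into nested zips.
    ZIP encryption covers only entry contents, so names stay visible (RAR-style
    header encryption is what hides them); encrypted entries are flagged unscanned."""
    if depth > MAX_DEPTH:
        return [f"{prefix}: nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}: not a valid zip"]
    reasons = []
    with zf:
        for info in zf.infolist():
            name = f"{prefix}/{info.filename}"
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"{name}: executable extension")
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                reasons.append(f"{name}: encrypted entry, content cannot be scanned")
                continue
            content = zf.read(info)
            if content[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
                reasons.append(f"{name}: PE header behind extension {ext or '(none)'}")
            if content[:4] == b"PK\x03\x04":  # nested archive: inspect it too
                reasons.extend(inspect_zip(content, depth + 1, name))
    return reasons

def build_zip(entries):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples with a fake MZ stub, not the real trojan.
SAMPLE_PLAIN = build_zip({"ups_invoice.exe": b"MZ" + b"\x00" * 62})    # layout from the thread
SAMPLE_RENAMED = build_zip({"ups_invoice.txt": b"MZ" + b"\x00" * 62})  # .exe renamed to .txt
SAMPLE_NESTED = build_zip({"inner.zip": SAMPLE_PLAIN})                 # zip inside a zip
if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("renamed", SAMPLE_RENAMED), ("nested", SAMPLE_NESTED)):
        print(label, inspect_zip(sample, prefix=label + ".zip"))
```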