Topic 'UPS packet (ups_invoice.zip) WORM' in forum 'Security' - dslreports.com

Re: UPS packet (ups_invoice.zip) WORM

Mon, 28 Jul 2008 14:39:30 EDT

anon posted : For any Vista users out there, this installs in a completely different place and way then the other Win OSes.
It drops teh ntos.exe file in C:\user\your_username\appdata\roaming
The audio.dll and video.dll are dropped in:
C:\user\your_username\appdata\roaming\wsnpoem

I booted into safemode, changed the folder options to see hidden and protected operating system files and folders, then deleted the wmspoem folder and the ntos.exe file.

Rebooted and logged in and then went into the registry, under HKUsers\S-1-5-21-* long SID string, the Non Classes one\Software\Microsoft\Windows\Currentversion\Run and deleted teh reg key that pointed to ntos.exe. After that the machine was working fine.

Re: UPS packet (ups_invoice.zip) WORM

Mon, 28 Jul 2008 10:41:11 EDT

amysheehan posted :

said by premio:

I'm seeing a lot of these come through the corporate servers, seemingly undetected by McAfee.

Any insight?

Here's what I found.
Note: McAfee comments in article
»www.vnunet.com/vnunet/news/22225···invoices

-amy-
--
Proud Member of ASAP
DSLR Phishtracker

Re: UPS packet (ups_invoice.zip) WORM

Fri, 25 Jul 2008 16:38:48 EDT

kpatz posted : Here's another variation a co-worker received:

quote:
From: Jackie Gleason" Continental Airlines [mailto:(removed)]
Sent: Friday, July 25, 2008 2:26 PM
To: (My coworker)
Subject: Your order from {airlines} N5240753

Good day,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: David
Your password: pass3GR9

Your credit card has been charged for $423.90.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Jackie Gleason
Continental Airlines

It had 2 files attached: another copy of the email (but with different names--I don't know if it came in that way or if my co-worker forwarded it that way), and a file called E-ticket_N7399294.zip.

e3254936ed358457ed303529e7c2fa8f  E-ticket_N7399294_and_Invoice_for_N73992943442.exe68370361733b8f768a84c430c22dc06e  E-ticket_N7399294.zip

Scan results on my Linux box:

Scanning with clamav: E-ticket_N7399294_and_Invoice_for_N73992943442.exe/home/kpatz/E-ticket_N7399294_and_Invoice_for_N73992943442.exe: Trojan.Zbot-1715 FOUND ----------- SCAN SUMMARY -----------Infected files: 1Time: 7.391 sec (0 m 7 s) Scanning with f-prot: E-ticket_N7399294_and_Invoice_for_N73992943442.exe F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)FRISK Software International (C) Copyright 1989-2007 Engine version: 4.4.4.56Virus signatures: 2008072515489bbd19ce2aeeb422702f2f2adda83930                  (/usr/local/f-prot/antivir.def) [Found trojan]        E-ticket_N7399294_and_Invoice_for_N73992943442.exe Running time: 00:10 Scanning with AVG: E-ticket_N7399294_and_Invoice_for_N73992943442.exeAVG7 Anti-Virus command line scannerCopyright (c) 2007 GRISOFT, s.r.o.Program version 7.5.51, engine 442Virus Database: Version 270.5.6/1574  2008-07-25License type is FREE.E-ticket_N7399294_and_Invoice_for_N73992943442.exe  Trojan horse Pakes_c.SATested: 1 files, 0 sectorsInfections: 1Errors: 0 Scanning with AVAST: E-ticket_N7399294_and_Invoice_for_N73992943442.exe/home/kpatz/E-ticket_N7399294_and_Invoice_for_N73992943442.exe  [OK]

--
When providing an online service, such as email, 5% of the work goes into providing the service, and the other 95% goes into preventing or dealing with abusers of the service.

Re: UPS packet (ups_invoice.zip) WORM

Fri, 25 Jul 2008 13:25:22 EDT

anon posted : I'm looking for the outbound address this contacts - we've had several machines compromised by this as well, and I'd like to add an outbound firewall rule to block connection to the C&C server for the time being. I'm sure they'll change that address at some point, but if I can at least contain the problem until the AV vendors catch up with this...

Re: UPS packet (ups_invoice.zip) WORM

Thu, 24 Jul 2008 20:01:12 EDT

Phil posted : I've been getting them at the office as well. Mail server's Kaspersky anti-virus is not picking them up although NOD32 running on client PCs is.

Re: UPS packet (ups_invoice.zip) WORM

Thu, 24 Jul 2008 20:00:07 EDT

kpatz posted :

said by AdamV :

A further variation on this theme seems to have appeared today, claiming to be from the customs service who are holding a parcel:
»veroblog.wordpress.com/2008/07/2···service/

My boss got this one too. She forwarded me a copy to examine, which was handy since I used it to test my updated spam filter with virus scan capability. :)

8ceb0f61089d86c086dcc08d6a783015 Tax_Invoice_________________________NHHDLS883298792929.exe
959c5eebf417181ba8bc59ba8572cc41 Tax_Invoice.zip

Clam and F-prot detect it presently, but AVG and Avast don't. I haven't tried any other scanners, or Jotti/Virustotal yet. I'll submit it. ;)
--
When providing an online service, such as email, 5% of the work goes into providing the service, and the other 95% goes into preventing or dealing with abusers of the service.

Re: UPS packet (ups_invoice.zip) WORM

Thu, 24 Jul 2008 19:26:54 EDT

FiOS Dan posted :

said by CKizer:

Here is the analysis:

»www.virustotal.com/analisis/1725···6f92b5b0

Not a pretty sight. :(
--
Courage is being scared to death but saddling up anyway.

Re: UPS packet (ups_invoice.zip) WORM

Thu, 24 Jul 2008 18:24:54 EDT

CKizer posted :

said by AdamV :

A further variation on this theme seems to have appeared today, claiming to be from the customs service who are holding a parcel:
»veroblog.wordpress.com/2008/07/2···service/

Here is the analysis:

»www.virustotal.com/analisis/1725···6f92b5b0
--
Crunching for Help Defeat Cancer and FightAIDS@Home at the World Community Grid.

Re: UPS packet (ups_invoice.zip) WORM

Thu, 24 Jul 2008 12:28:30 EDT

anon posted : A further variation on this theme seems to have appeared today, claiming to be from the customs service who are holding a parcel:
»veroblog.wordpress.com/2008/07/2···service/

Re: UPS packet (ups_invoice.zip) WORM

Sun, 20 Jul 2008 11:52:21 EDT

trburkholder posted : md5sum of ups_invoice.zip 5b70ee6faffa80461eb3dff854b69d5c
md5sum of ups_invoice.exe 20c03fdaa12c08e36a26c7ace3ce3403

ClamAV 0.92.1 doesn't recognize this as a trojan.

Re: UPS packet (ups_invoice.zip) WORM

Wed, 16 Jul 2008 12:53:07 EDT

jbob posted : OT: For those with issues with Gmail and exe files see this link:
»mail.google.com/support/bin/answ···wer=6590

As a security measure to prevent potential viruses, Gmail doesn't allow you to send or receive executable files (such as files ending in .exe) that could contain damaging executable code.

Gmail won't accept these types of files even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz) format. If this type of message is sent to your Gmail address, it is bounced back to the sender automatically.

I suppose you could rename the extension to anything but exe and leave instructions. Or double compress the file. Zip it then RAR/7zip, etc, might help.

Edit: Added...verified renaming works as well as double compression archiving.

Re: UPS packet (ups_invoice.zip) WORM

Wed, 16 Jul 2008 03:48:28 EDT

anon posted :

said by zteardrop:

said by AlexSossa :

On the day this was sent through, I was awaiting a package from UPS, there were hassles at my address, with the road closed off due to a fire....

It got me, I clicked. How annoying. Have identified it as:

Win32.Obitel trojan, although I cannot find a remover. VArious scans have failed, can anyone suggest a removal tool?

Many Thanks

Please tell me this was a coincidence. If not then you have bigger problems.

yup total coincidence.
Just my luck I guess, was half asleep at the time.

Re: UPS packet (ups_invoice.zip) WORM

Wed, 16 Jul 2008 02:12:41 EDT

zteardrop posted :

Please tell me this was a coincidence. If not then you have bigger problems.
--
The official Norton Forum from Symantec: »community.norton.com/norton/ - where you really are allowed to say good things about Norton without getting banned !!

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 20:41:36 EDT

premio posted : I understand and support the need to protect the end user, but I do not like this Windows, hide everything and do it automatically, approach. There should be a way to over-ride these precautions. I can't believe Google jumped into this mindset.

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 20:38:28 EDT

Doctor Olds posted :

said by Stem Bolt:

Try WinRAR. You can set a password and choose to encrypt the file names within the archive. This will hide the name of the files from Gmail and Yahoo.

I second the WinRAR recommendation and you can get a free older version 3.51 that has a non-upgradeable licence here:

»[Free] Fully Registered WinRAR 3.51 (non-upgradeable)
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 18:32:48 EDT

Stem Bolt posted :

said by FiOS Dan:

Same "WTF" here premio...unable to send an encrypted zip file last night via gmail. :(

Try WinRAR. You can set a password and choose to encrypt the file names within the archive. This will hide the name of the files from Gmail and Yahoo.
--
Dr. Web + BOCLEAN: Anti-Malware + Router/SPI

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 15:42:30 EDT

kpatz posted : Try renaming the .exe to .txt, then zip w/encryption, and see if it'll go through gmail.

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 14:39:56 EDT

FiOS Dan posted : Same "WTF" here premio...unable to send an encrypted zip file last night via gmail. :(
--
Courage is being scared to death but saddling up anyway.

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 14:08:25 EDT

premio posted : gmail will not allow me to send a .zip with a .exe in it, encrypted or not. In fact I can not send a zip file, with an encrypted zip file in that contains a .exe.

wtf

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 13:13:59 EDT

Kayrac posted : did you password protect it?, gmails been annoying me lately

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 12:45:40 EDT

premio posted : Mine had a md5 of: 5bf574f62af6ecedbc8d3b43d4ed5f4b

I couldn't send it through gmail or yahoo as it was stripped, and a friendly mod deleted my attachment here :)

Was this just someone buying a malware creation tool, and packaging their own variant that was different enough on signature to not be detected?

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 11:06:10 EDT

Kayrac posted : "MD5 hash of 6B4EF50E3E21205685CEA919EBF93476 which is the same as the one posted by Kayrac on the broadbandreports.com forum. Unfortunately he did not say what the name of the containing zip file was."

it's ups_invoice.zip, no subfolders, just opens to ups_invoice.exe :)

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 11:03:24 EDT

anon posted : I had four files with three different MD5 hashes. One matched Kayrac's, one of mine I think may have been broken anyway but I had two files with the same hash which is different from the one posted above:
58AC24B1F802990387870D3A5CC2312B
more here:
»veroblog.wordpress.com/2008/07/1···-trojan/

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 04:39:41 EDT

anon posted : ok will do,

Am using Avast 4.8

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 04:25:19 EDT

amysheehan posted :

Submit the file using this info and links to all the vendors -
What AV are you using?

»Security »I think my computer is infected or hijacked. What should I do?

-amy=
--
Proud Member of ASAP
DSLR Phishtracker

Re: UPS packet (ups_invoice.zip) WORM

Tue, 15 Jul 2008 03:57:38 EDT

anon posted :
On the day this was sent through, I was awaiting a package from UPS, there were hassles at my address, with the road closed off due to a fire....

It got me, I clicked. How annoying. Have identified it as:

Win32.Obitel trojan, although I cannot find a remover. VArious scans have failed, can anyone suggest a removal tool?

Many Thanks

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 23:44:27 EDT

HA Nut posted : I never get to see any of these anymore. :( All zip's, exe's and several more are blocked from all email. If someone sends us a zip we really need, it has to be specially pulled from quarantine. (Of course, this also gives us zero day protection from all this junk. ;) )

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 22:50:28 EDT

rfnut posted : Trend Micro 2006 latest pre-release definitions identified it. But the release definitions did not flag it at all.

Incident name: ups_invoice.exe
Detection name: TROJ_DLOADR.GG

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 20:35:02 EDT

kpatz posted : The big cheese at work got one of these, she forwarded it to me to look at, I found it was detected as a variant of the Agent trojan.

SAV CE detected it with the current definitions.

kpatz@zuul:~$ ls -l UPS*-rw-r--r-- 1 kpatz kpatz 5420 2008-07-14 13:58 UPS_Invoice_317.zipkpatz@zuul:~$ unzip UPS*Archive:  UPS_Invoice_317.zip   creating: UPS_Invoice_317/   creating: UPS_Invoice_317/Ups_invoice/  inflating: UPS_Invoice_317/Ups_invoice/UPS_INVOICE.exekpatz@zuul:~$ cd UPS*kpatz@zuul:~/UPS_Invoice_317$ cd Ups*kpatz@zuul:~/UPS_Invoice_317/Ups_invoice$ ls -ltotal 8-rw-r--r-- 1 kpatz kpatz 8192 2008-07-13 19:16 UPS_INVOICE.exekpatz@zuul:~/UPS_Invoice_317/Ups_invoice$ md5sum *6b4ef50e3e21205685cea919ebf93476  UPS_INVOICE.exekpatz@zuul:~/UPS_Invoice_317/Ups_invoice$ clamdscan UPS*/home/kpatz/UPS_Invoice_317/Ups_invoice/UPS_INVOICE.exe: Trojan.Agent-30547 FOUND ----------- SCAN SUMMARY -----------Infected files: 1Time: 0.017 sec (0 m 0 s)kpatz@zuul:~/UPS_Invoice_317/Ups_invoice$ fpscan UPS* F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)FRISK Software International (C) Copyright 1989-2007 Engine version: 4.4.4.56Virus signatures: 2008071415427fe6e809e5301f82aca02e1a890f8a03                  (/usr/local/f-prot/antivir.def) [Found trojan]        UPS_INVOICE.exe Disinfect (Y/N/A/Q) ?

My copy (well, the big cheese's) has the same MD5 as Kayrac's.

None of my addresses have been hit, yet. My main address has the world's most powerful spam blocker so I probably won't see it at all there. :D

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 19:24:43 EDT

beck posted : UPS Brown Bulletin (from UPS)

Attention Virus Warning

We have become aware there is a fraudulent e-mail being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This e-mail attachment contains a virus. We recommend that you do not open the attachment, but delete the e-mail immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

--------------------------------------------------------------------------------

© 2008 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

Click here to unsubscribe the UPS Brown Bulletin.

If you would like to be added to the UPS Brown Bulletin distribution, click here.

For information on UPS's privacy practices refer to the UPS Privacy Policy.
Please do not reply to this e-mail.
--
Some people are like slinkies - not really good for much.
But they bring a smile to your face when pushed down the stairs.

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 18:40:55 EDT

anon posted : I've had three so far today. I get the impression that the trojan itself is relatively common, but no-one is referring to it as the "UPS packet invoice email trojan" (or whatever).

More here:
»veroblog.wordpress.com/2008/07/1···y-email/

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 17:28:33 EDT

Kayrac posted : File ups_invoice.exe received on 07.14.2008 22:58:52 (CET)
Current status: finished

Result: 24/33 (72.73%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.14 Win-Trojan/Downloader.8192.LL
AntiVir 7.8.0.64 2008.07.14 TR/Dldr.Tiny.brm
Authentium 5.1.0.4 2008.07.14 W32/Trojan2.ATAB
Avast 4.8.1195.0 2008.07.14 Win32:Tiny-UR
AVG 7.5.0.516 2008.07.14 SHeur.BWIM
BitDefender 7.2 2008.07.14 Trojan.Downloader.Gadja.C
CAT-QuickHeal 9.50 2008.07.14 TrojanDownloader.Tiny.brm
ClamAV 0.93.1 2008.07.14 Trojan.Agent-30547
DrWeb 4.44.0.09170 2008.07.14 Trojan.DownLoad.1379
eSafe 7.0.17.0 2008.07.14 -
eTrust-Vet 31.6.5954 2008.07.14 Win32/SillyDl.EUC
Ewido 4.0 2008.07.14 -
F-Prot 4.4.4.56 2008.07.14 W32/Trojan2.ATAB
F-Secure 7.60.13501.0 2008.07.14 Trojan-Downloader.Win32.Obitel.a
Fortinet 3.14.0.0 2008.07.14 -
GData 2.0.7306.1023 2008.07.14 Trojan-Downloader.Win32.Obitel.a
Ikarus T3.1.1.26.0 2008.07.14 Trojan-Downloader.Win32.Tiny.brm
Kaspersky 7.0.0.125 2008.07.14 Trojan-Downloader.Win32.Obitel.a
McAfee 5338 2008.07.14 Generic Downloader.ab
Microsoft 1.3704 2008.07.14 Trojan:Win32/Agent.EE
NOD32v2 3266 2008.07.14 Win32/TrojanDownloader.Tiny.NDM
Norman 5.80.02 2008.07.14 -
Panda 9.0.0.4 2008.07.14 Suspicious file
Prevx1 V2 2008.07.14 Malware Downloader
Rising 20.53.02.00 2008.07.14 -
Sophos 4.31.0 2008.07.14 Troj/Agent-HFU
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.14 Trojan Horse
TheHacker 6.2.96.379 2008.07.14 -
TrendMicro 8.700.0.1004 2008.07.14 PAK_Generic.001
VBA32 3.12.6.9 2008.07.13 -
VirusBuster 4.5.11.0 2008.07.14 -
Webwasher-Gateway 6.6.2 2008.07.14 Trojan.Dldr.Tiny.brm

assuming the file i found was the same as yours(which it very well could be)

either you can compare the md5 with mine
MD5...: 6b4ef50e3e21205685cea919ebf93476

or send me it :)

Re: UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 16:41:35 EDT

Kayrac posted : seen a few for another language found by another member on a dif forum, his files downloaded 2 other files, heres what he had to say about it

"i did not go into detail much, but i can say the following about network behaviour:

after execution of UPS_Lieferschein.exe, the previously described requests are made.
afterwards a data file is being downloaded from
hxxp://xxxxxxxx/40E8000800000000000000006C0000015766000000007600000138EB00053051596067
and a tcp connection established to xxxxx on port 1375 with encoded/encrypted content received and transmitted.
at the same time, the infected host tries to connect to several smtp servers (which i blocked), propably to further spread its malware.

there is also a http request made to x.x.net on port 3078:
GET /?bot_id=0&mode=1

the response from the webserver (c&c) contains instructions to for example register a hotmail account.
well, guess what happens now. right, it tries to register and login at hotmail.
i didnt look any deeper at that, just noticed something else:

POSTs to /r.cgi containing a jpg image, propably a screenshot of my desktop, at the following hosts:"

i edited out the ip's etc

if you could send me the files to Kayracc@gmail.com, i'll post it up over there and see if anyone else can take a better look at it

PS this should be detected by mcafee

UPS packet (ups_invoice.zip) WORM

Mon, 14 Jul 2008 15:04:52 EDT

premio posted : I'm seeing a lot of these come through the corporate servers, seemingly undetected by McAfee.

Any insight?