

norwegian
Premium
join:2005-02-15
Outback

1 edit

DHL [noreply@dhl.com]

Mmm.

DHL email:

Return-Path: <vitiatem408@dhl.co.in>
Received: from zim-mta06.web.westnet.com.au (LHLO zim-mta06.web.westnet.com.au) (192.168.39.36) by webmail05.westnet.com.au with LMTP; Wed, 22 Aug 2012 06:25:20 +0800 (WST)
Received: from inbound-mail03.westnet.com.au (inbound-mail03.westnet.com.au [203.10.1.238]) by zim-mta06.web.westnet.com.au (Postfix) with ESMTP id F05DE6042A for <(redacted)@westnet.com.au>; Wed, 22 Aug 2012 06:58:57 +0800 (WST)
X-Ironport-Incoming: 1
Received: from unknown (HELO [201.196.169.98]) ([201.196.169.98])  by inbound-mail03.westnet.com.au with ESMTP; 22 Aug 2012 06:25:59 +0800
X-Spam-Relays-Untrusted: [ip=199.40.206.33 rdns= helo=gateway2e.dhl.com by=cm-mr13 ident=envfrom=intl=0 id=23/77-03268-86BBBFE4 auth= msa=0 ] [ ip=199.40.20.207 rdns=helo=mykulws2393.kul-dc.dhl.com by=gateway2e.dhl.com ident= envfrom=intl=0id= auth= msa=0 ] [ ip=23.252.17.99 rdns=helo=MYKULWS2399.kul-dc.dhl.com by=MYKULWS2395.kul-dc.dhl.com ident=envfrom=intl=0 id=14.1.339.1 auth= msa=0 ] 
Received: from mykulws2393.kul-dc.dhl.com ([199.40.20.207]) by gateway2e.dhl.com with ESMTP/TLS/AES128-SHA; Tue, 21 Aug 2012 16:25:26 -0600
Received: from MYKULWS2362.kul-dc.dhl.com (169.254.5.235) by MYKULWS2393.kul-dc.dhl.com (199.40.20.207) with Microsoft SMTP Server (TLS) id 14.1.339.6; Tue, 21 Aug 2012 16:25:26 -0600
From: "DHL" <noreply@dhl.com>
To: 
Subject: Message has been disinfected : DHL Express Tracking Notification ID A126I7ZI3F1457
Date: Tue, 21 Aug 2012 16:25:26 -0600
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
X-Priority: 3
Message-ID: <KWOG7BFBWHBE9795K00QUVXBFU6RJ50UJDM2SVQI5A3756B8R9SYF1V0MQ6PMY@kul-dc.dhl.com>
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0024_01CD8098.BCD82A80"
 
 

Also there was an attachment:

DHL-Express-Delivery-Notification-Aug2012.exe
Detected: Backdoor.Win32.Androm.gh

22/08/2012 7:02:55 PM

If anyone wants the email?

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

The email probably originated at ip=201.196.169.98, which is assigned to an ISP in Costa Rica.

This appears to have been an attempt to infect the recipient with some sort of malware.

The headers that have "dhl.com" on them are probably forged, so as to throw you off the scent.

The mail server for westnet (which I believe to be your ISP), received the mail from 201.196.169.98. The header indicating this is presumably to be trusted (as your ISP server). Any header before that (lower in the message) cannot be trusted.

It is implausible that the real dhl.com would send mail to you via a Costa Rica system, which is why the headers that say so are probably forged.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 14.0.1
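The header walk nwrickert describes above, written out as an added example (this is not code from the thread or from any of the posters): start at the top of the Received: chain, keep going while each hop was handed in by the recipient's own provider, and stop at the first outside address. Everything below that point was written by whoever controlled the sending host and is not evidence of anything. The trusted network ranges are an assumption made for the example from the westnet hosts visible in the quoted headers; the sample headers are a constructed copy of the first quoted message.

```python
"""Walk the Received: chain of a message from the recipient's side and stop
at the first hop that was handed in by a host outside the recipient's own
mail infrastructure. That hand-off IP is the origin as far as the headers
can be trusted; every Received: line below it was written by someone else
and may claim anything (here, dhl.com relays that never touched the mail).

Added example for this thread, not a tool from the original post. The
trusted networks are an assumption made for the example; the sample
headers are a constructed copy of the first quoted message."""
import email
import ipaddress
import re

# Assumed for the example: address ranges operated by the recipient's provider,
# taken from the hosts that appear at the top of the quoted chain.
TRUSTED_NETS = [
    ipaddress.ip_network("203.10.1.0/24"),   # inbound-mail03.westnet.com.au
    ipaddress.ip_network("192.168.0.0/16"),  # internal zim-mta relays
]

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
HOP = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.S)

# Constructed sample: the Received: headers quoted in the first post, top-most
# (most recent) hop first, as a mail client shows them.
SAMPLE = """\
Received: from zim-mta06.web.westnet.com.au (LHLO zim-mta06.web.westnet.com.au) (192.168.39.36) by webmail05.westnet.com.au with LMTP; Wed, 22 Aug 2012 06:25:20 +0800 (WST)
Received: from inbound-mail03.westnet.com.au (inbound-mail03.westnet.com.au [203.10.1.238]) by zim-mta06.web.westnet.com.au (Postfix) with ESMTP id F05DE6042A for <redacted@westnet.com.au>; Wed, 22 Aug 2012 06:58:57 +0800 (WST)
Received: from unknown (HELO [201.196.169.98]) ([201.196.169.98])  by inbound-mail03.westnet.com.au with ESMTP; 22 Aug 2012 06:25:59 +0800
Received: from mykulws2393.kul-dc.dhl.com ([199.40.20.207]) by gateway2e.dhl.com with ESMTP/TLS/AES128-SHA; Tue, 21 Aug 2012 16:25:26 -0600
Received: from MYKULWS2362.kul-dc.dhl.com (169.254.5.235) by MYKULWS2393.kul-dc.dhl.com (199.40.20.207) with Microsoft SMTP Server (TLS) id 14.1.339.6; Tue, 21 Aug 2012 16:25:26 -0600
From: "DHL" <noreply@dhl.com>
Subject: Message has been disinfected : DHL Express Tracking Notification ID A126I7ZI3F1457

"""


def parse_hop(received):
    """Pull the claimed sender name, the sender IP and the receiving host out
    of one Received: header. Returns None if there is no from/by pair."""
    m = HOP.search(received)
    if not m:
        return None
    ips = IPV4.findall(m.group("helo") + " " + m.group("rest"))
    return {
        "helo": m.group("helo").strip("[]"),  # name the peer announced (attacker-controlled)
        "ip": ips[0] if ips else None,        # address the receiving server recorded
        "by": m.group("by"),                  # server that wrote this line
    }


def is_trusted_ip(ip):
    """True if the address belongs to the recipient's own mail infrastructure."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_origin(raw_message):
    """Return (origin_ip, untrusted_hops). origin_ip is the first peer address
    recorded by a trusted server that is not itself trusted; untrusted_hops are
    the Received: entries below that point, which cannot be relied on."""
    msg = email.message_from_string(raw_message)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        if hop is None:
            return None, hops[i:]
        # Top hop was stamped by the server that delivered to the mailbox; each
        # further hop is trusted only while the peer that handed it in is ours.
        if not is_trusted_ip(hop["ip"]):
            return hop["ip"], hops[i + 1:]
    return None, []


def claimed_relays(hops):
    """Hostnames the untrusted part of the chain claims handled the mail."""
    return {h["by"] for h in hops if h}


if __name__ == "__main__":
    origin, untrusted = find_origin(SAMPLE)
    print("origin as seen by trusted relays:", origin)
    print("unverifiable relay claims below that point:", sorted(claimed_relays(untrusted)))
```

Run on the sample, the walk stops at 201.196.169.98 (the address nwrickert points to) and reports gateway2e.dhl.com and MYKULWS2393.kul-dc.dhl.com as claims that only the sender vouches for. The HELO name in each hop is deliberately not used for the trust decision, since the connecting host chooses it; only the IP the receiving server recorded counts.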


norwegian
Premium
join:2005-02-15
Outback
I realize that, and DHL for me here is not normal either.
However someone else might not, especially in a major city with imports/exports using DHL.
This malware is only 1 to 3 months old, I believe. In fact, while it was detected, searching Google for the MD5 or SHA256 did not show 1 page of info at all. There are a few samples of win32.androm about already though, so I thought it worth posting here.

Just trying to do my bit.

quote:
DHL Express Tracking Prealert : Tue, 21 Aug 2012 16:25:26 -0600
________________________________________
Custom Reference: 427367-5WXXKUUJXEYR
Tracking Number: U61IK-1532776954
Pickup Date: Tue, 21 Aug 2012 16:25:26 -0600
Service: GROUND / AIR
Pieces: 2
________________________________________

Tue, 21 Aug 2012 16:25:26 -0600 - Processing complete successfully
PLEASE REFER TO ATTACHED FILE
________________________________________

________________________________________
Shipment status may also be obtained from our Internet site in USA under hxxp://track.dhl-usa.com or Globally under hxxp://www.dhl.com/track
Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks in advance,
DHL Express @ 2012

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

2 recommendations

said by norwegian:

Just trying to do my bit.

Me too. I was explaining for the benefit of those reading the thread, who don't all have your experience.

Thanks.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 14.0.1


carpetshark3
Premium
join:2004-02-12
Idledale, CO
Reviews:
·CenturyLink
reply to norwegian
I have got spam from all the carriers, DHL being the latest. I only get it in Yahoo Mail, and I don't know how to forward without opening the crap. It's in the spam folder and I JHD it.

I have 2 other mail services - they get spam, but not delivery stuff so far.

Is there a way to get at the headers or forward without having to open the email?


norwegian
Premium
join:2005-02-15
Outback
This link provided by the forum shows how »www.haltabuse.org/help/headers/index.shtml
But even in the spam folder you will have to open it; all restrictions are in place, and opening it should not produce any infection from the spam folder if all you do is look at the headers and copy/paste them to track the email.

garys_2k
Premium
join:2004-05-07
Farmington, MI
reply to carpetshark3
Right, any malware coming along into a web-based email service won't automatically download to your computer. You can open it safely and access the headers as long as you don't download any attachments.


Bamafan2277

join:2008-09-20
Jeffersonville, IN
reply to norwegian
I've gotten this mail a few times. The big tip-off for me is that the file is a .exe.

If DHL was sending me a receipt etc., I would expect a .pdf or .jpg.


norwegian
Premium
join:2005-02-15
Outback
Yep, but still it's in a .zip, and that file would fool a lot of people, even though you can look into the .zip file and see an .exe without opening it.

There was discussion recently about malware, .zip files etc, and if it could work zipped. Still, social engineering would see the untrained who deal with DHL open it to the .exe; after that, who knows.
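Looking into the .zip without opening what is inside, as norwegian suggests, is straightforward to do in code. The following is an added example (not code from the thread or the posters) that reads the archive's entry list, flags executable extensions, and also compares each entry's first bytes with what its name promises, which goes a step beyond the thread by catching an executable renamed to .pdf or .jpg. The archive is constructed in memory with inert stub contents so it runs offline; the .exe name is the one reported in the first post, the other entry names are constructed.

```python
"""Look inside a zip attachment without extracting or running anything:
read the entry list from the archive's central directory, flag executable
extensions, and compare each entry's first bytes with what its extension
promises. Extends the thread's point slightly: besides the .exe name it also
catches a file whose name says .pdf or .jpg but whose content starts with
the Windows executable marker.

Added example for this thread (not code from the original posts). The
archive is constructed in memory with inert stub contents so the script runs
offline; the .exe name is the one reported in the first post."""
import io
import os
import zipfile

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Leading bytes a genuine file of each type starts with.
MAGIC = {
    ".exe": b"MZ",
    ".scr": b"MZ",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def build_sample_zip():
    """Constructed sample archive: the .exe named in the first post (only the
    'MZ' marker plus padding, not a real program), a genuine-looking PDF for
    contrast, and an entry whose name says .jpg but whose bytes say executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL-Express-Delivery-Notification-Aug2012.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n%constructed sample, not a real invoice\n")
        zf.writestr("Shipment-photo.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def inspect_zip(data):
    """Return one record per file entry: name, size, first bytes, and the list
    of reasons (empty if none) the entry looks like an executable in disguise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Decompress only the first few bytes in memory; nothing touches disk.
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if head.startswith(b"MZ") and ext not in {".exe", ".scr", ".dll"}:
                reasons.append("Windows executable header behind a non-executable name")
            expected = MAGIC.get(ext)
            if expected and not head.startswith(expected):
                reasons.append("content does not match the %s extension" % ext)
            findings.append({"name": info.filename, "size": info.file_size,
                             "head": head, "flags": reasons})
    return findings


def suspicious_entries(findings):
    """Names of the entries that raised at least one flag."""
    return [f["name"] for f in findings if f["flags"]]


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        verdict = "; ".join(f["flags"]) or "looks consistent"
        print("%-48s %5d bytes  %r  %s" % (f["name"], f["size"], f["head"], verdict))
```

On the sample archive the .exe is flagged on its name alone, the PDF passes, and the renamed stub is flagged twice: it carries the MZ marker and does not look like a JPEG. A mail gateway or a helpdesk triage script can apply the same checks to an attachment before anyone on the desktop side is tempted by the DHL branding.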


norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to norwegian
Looks like another.

Subject: DHL Online Advisory AWB 6833398695
Return-Path: shrillyw@amazon.com
Received: from zim-mta03.web.westnet.com.au (LHLO
 zim-mta03.web.westnet.com.au) (192.168.39.33) by webmail05.westnet.com.au
 with LMTP; Mon, 27 Aug 2012 08:40:51 +0800 (WST)
Received: from inbound-mail04.westnet.com.au (unknown [203.10.1.239])
by zim-mta03.web.westnet.com.au (Postfix) with ESMTP id 285AA4D30C
for <norxxxx@westnet.com.au>; Mon, 27 Aug 2012 08:40:58 +0800 (WST)
X-Ironport-Incoming: 1
Received: from unknown (HELO [175.184.248.41]) ([175.184.248.41])
  by inbound-mail04.westnet.com.au with ESMTP; 27 Aug 2012 08:41:51 +0800
Received: from [165.72.200.99] (helo=gateway1i.dhl.com)
        by anchor-hub.mail.demon.net with esmtp id 1Sgyki-00052E-7Y; Mon, 27 Aug 2012 07:41:16 +0700
Received: from czhs0231.prg-dc.dhl.com ([165.72.7.72])
  by gateway1i.dhl.com with ESMTP; Mon, 27 Aug 2012 07:41:16 +0700
Received: (from appsadm@localhost)
        by czhs0231.prg-dc.dhl.com (8.9.3 (PHNE_35950)/8.9.3) id OAA17805; Mon, 27 Aug 2012 07:41:16 +0700
Date: Mon, 27 Aug 2012 07:41:16 +0700
Message-Id: <201207050332.UET99857@czhs0231.prg-dc.dhl.com>
From: webadm@dhl.com
To: 
X-Priority: 3 (Normal)
Subject: DHL Online Advisory AWB 6833398695
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------ihyqjsi"
 
 

DHL_Express-Online_Notification.exe
Detected: Backdoor.Win32.Androm.go


------------------------------------------
DHL WORLDWIDE EXPRESS
INBOUND SHIPMENT ADVISORY

The following 1piece(s) have been sent via DHL Worldwide Express on Mon, 27 Aug 2012 07:41:16 +0700
via AWB# 6447152675

If you wish to track this(these) shipment(s) please contact your local
DHL customer service office or visit the DHL Web Site at
hxxp://www.dhl.com

If you have a Web-enabled mail reader, click the link below to view shipment tracking
details:

hxxp://www.dhl.com/content/en/express/tracking.shtml?brand=DHL&AWB=4890248029

SHIPMENT CONTENTS:
Documents

SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

Thank you for requesting DHL Worldwide Express for your delivery needs

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Thanks for that VirusTotal report.

Quite a few AV are not picking this one up.