
SANS ISC: Don't open that file, it's not from UPS

Don't open that file, it's not from UPS

We received two reports of a fake UPS invoice/tracking Trojan delivered as a zip attachment.
It follows the same pattern as the other fake-invoice Trojans we have seen.

Here is one of the email bodies. Notice that, although it looks like a two-way conversation, the spammer fabricated the whole thread, including the "original" request quoted at the bottom: the victim never sent UPS an email.
Email header:

To: victims@email.address
Subject: Re: missing package
From: John Henry <>

Email body:

 Mr./Mrs. Victims First and Last name
 I am sorry for this late reply, but we have good news.
 We managed to track your package, and we have attached the
 invoice you asked for to this reply.
 The invoice contains the correct tracking# , since the one
 you gave us was invalid.
 You can use it on the ups website to track your shipment.
 Thank you
 John Henry
 UPS Customer Care Department
 From: victim’s name and email address
 Subject: missing package
 Date: Monday, September 8 , 2008, 10:38 AM
 I have recently used UPS to send a package to my cousin but
 he never received it.
 Also , the tracking number doesn't check on the website, and
 I lost the invoice.
 Can you forward me a copy?
 Here you have the tracking# : 03073332100016836200

Original File Name:

9 of the 36 antivirus engines at VirusTotal detected it. Some of the detections:

AntiVir 2008.09.16 TR/Crypt.FKM.Gen
Authentium 2008.09.16 W32/Heuristic-VFM!Eldorado
BitDefender 7.2 2008.09.16 MemScan:Trojan.Spy.Delf.NQT
CAT-QuickHeal 9.50 2008.09.16 (Suspicious) - DNAScan
F-Prot 2008.09.16 W32/Heuristic-VFM!Eldorado
Ikarus T3. 2008.09.16 BehavesLike.Win32.Malware

MD5...: 400d16b0b2752eec51ff98597a883109
SHA1..: f1aa065f051af97dcca5bd0717b57f186d4ff85d
SHA256: 3c5600c53f16dd00940154f3e28e8dc06c6b55eb423ea453a1af72b5f76523a0
SHA512: fb6ff9abb2f422a2cda2a9b0de7703ace2d404d75ead7622aa7e789ff0df4152

Thanks TomG for submitting this one.
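As an added example (not part of the original diary), the following Python script does the triage a mail gateway or analyst would apply to a message like the one above: it pulls each attachment out of the .eml, checks its MD5/SHA1/SHA256 against the hashes published in this diary, and, for zip attachments, looks inside for executable members and double extensions such as invoice.pdf.exe. The e-mail it builds is constructed here to mimic the lure; the sender address, zip name and the "UPS_invoice.pdf.exe" member are assumptions, not the real sample.

```python
"""Triage an e-mail for the fake 'UPS invoice' zip lure.

Added example, not code from the ISC diary. The hashes in KNOWN_BAD are the
ones the diary published; the sample message, sender address and zip contents
below are constructed and do not reproduce the real malware.
"""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# MD5, SHA1 and SHA256 of the trojan zip as published in the diary.
KNOWN_BAD = {
    "400d16b0b2752eec51ff98597a883109",
    "f1aa065f051af97dcca5bd0717b57f186d4ff85d",
    "3c5600c53f16dd00940154f3e28e8dc06c6b55eb423ea453a1af72b5f76523a0",
}

# Member extensions that have no business in an "invoice" archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def hashes_of(data: bytes) -> dict:
    """Digests in the three forms an IOC list usually gives."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def zip_members(data: bytes):
    """Member names of a zip archive, or None if the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Score one attachment: IOC hash match, executable inside a zip,
    and a disguised double extension. Any reason means BLOCK."""
    result = {"filename": filename, "reasons": []}
    digests = hashes_of(data)
    result["sha256"] = digests["sha256"]
    if KNOWN_BAD & set(digests.values()):
        result["reasons"].append("hash matches published IOC")
    members = zip_members(data)
    if members is not None:
        result["members"] = members
        for m in members:
            root, _, ext = m.lower().rpartition(".")
            if "." + ext in EXECUTABLE_EXTS:
                result["reasons"].append(f"zip contains executable: {m}")
                if "." in root:  # e.g. invoice.pdf.exe
                    result["reasons"].append(f"double extension: {m}")
    result["verdict"] = "BLOCK" if result["reasons"] else "pass"
    return result


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append(triage_attachment(part.get_filename() or "(unnamed)", payload))
    return findings


def build_lure() -> bytes:
    """Constructed message modelled on the diary's e-mail. The zip, its
    'UPS_invoice.pdf.exe' member and the sender address are made up here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Two bytes of a PE header plus padding; not a real executable.
        zf.writestr("UPS_invoice.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "John Henry <ups-care@example.net>"  # assumed address
    msg["To"] = "victims@email.address"
    msg["Subject"] = "Re: missing package"
    msg.set_content("We managed to track your package; the invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_lure()):
        print(finding["verdict"], finding["filename"], finding["reasons"])
```

The hash check only catches this exact sample (the SHA512 above is truncated and is therefore left out of the IOC set); the zip inspection is what generalises, since the lure's whole trick is an executable wrapped in an archive with an invoice-like name.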


Comment (ISC Handler):
Any idea where this is being sourced from - an address or host that can be blocked?
