Darkside Just Arrived
Joined: 02 Aug 2004 Posts: 2 Location: London, UK
Posted: Thu Jul 24, 2008 3:53 pm Post subject: UPS Invoice virus |
I don't know if anyone else has had any experience with this virus but it is relatively new.
It's being identified as Trj/Agent.JEN by Panda solutions.
It's basically an email that comes through claiming to be a UPS Invoice. Users open the attached file and the virus replaces userinit.exe and possibly msconfig.exe. It then contacts 2 other servers to download a rootkit and malware (antivirusxp 2008/2009).
It's currently not being detected by Norton Antivirus 9.x/10.x and is giving us some concerns. We've only had 2 systems infected so far but with our AV not detecting it, it's obviously a worry.
Has anyone else had any dealings with this?
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
Tom Bair SF Boss
Joined: 10 Aug 2002 Posts: 16776955 Location: Portland, Oregon USA
Posted: Thu Jul 24, 2008 8:17 pm Post subject: |
They are being sent to our Admin address here. We receive about 3 to 6 a day. An example of the two:
Quote:
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------
From : qkd@boetticher.com
To : admins@security-forums.com
Subject : UPS Tracking Number 4659428638
Message-ID: <01c8ed37$b5415100$a3535a48@qkd>
---------------------
Attachment(s) removed
---------------------
invoice_8712.zip (INVOICE_8712.exe)
and:
Quote:
-------------------------------------------------------------------
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------
From : jrdonfxk@brandspringsolutions.com
To : admins@security-forums.com
Subject : Your parcel is at the customs office
Message-ID: <01c8ed63$b4beaf80$95092e40@jrdonfxk>
---------------------
Attachment(s) removed
---------------------
Tax_Invoice.zip (Tax_Invoice_________________________NHHDLS883298792929.exe)
Nothing like this hitting my other email accounts yet.
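Added example (not code from the thread, from MDaemon, or from any poster): a small parser that reads MDaemon "restricted attachments" notices of the kind quoted above and flags the traits of this lure that a mail admin could triage on without ever opening the attachment: an executable wrapped in an archive, a filename padded with underscores so the real extension scrolls out of view, and a courier-themed subject sent from a domain unrelated to the courier. The sample input is constructed: it contains the two notices quoted in the post plus a benign control notice invented for the example; the assumption that a genuine UPS notice would originate from ups.com is marked in the code.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample input: the two notices quoted in the thread plus one
# benign control notice invented for this example (its sender and ID are made up).
SAMPLE_NOTICES = """\
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------
From : qkd@boetticher.com
To : admins@security-forums.com
Subject : UPS Tracking Number 4659428638
Message-ID: <01c8ed37$b5415100$a3535a48@qkd>
---------------------
Attachment(s) removed
---------------------
invoice_8712.zip (INVOICE_8712.exe)
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------
From : jrdonfxk@brandspringsolutions.com
To : admins@security-forums.com
Subject : Your parcel is at the customs office
Message-ID: <01c8ed63$b4beaf80$95092e40@jrdonfxk>
---------------------
Attachment(s) removed
---------------------
Tax_Invoice.zip (Tax_Invoice_________________________NHHDLS883298792929.exe)
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------
From : finance@example.org
To : admins@security-forums.com
Subject : Q3 report
Message-ID: <control-1@example.org>
---------------------
Attachment(s) removed
---------------------
report_q3.zip (report_q3.xlsm)
"""

NOTICE_START = "MDaemon has detected restricted attachments"
HEADER_RE = re.compile(r"^(From|To|Subject|Message-ID)\s*:\s*(.*?)\s*$")
ATTACH_RE = re.compile(r"^(\S+)\s+\((.+)\)\s*$")        # "outer.zip (inner.exe)"
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
LURE_WORDS = re.compile(r"\b(ups|parcel|customs|invoice|tracking|shipment)\b", re.I)
COURIER_DOMAINS = {"ups.com"}   # assumption: where a genuine UPS notice would originate


@dataclass
class Notice:
    headers: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)   # (outer_name, inner_name) pairs
    reasons: list = field(default_factory=list)


def parse_notices(text: str) -> list:
    """Split a run of MDaemon notices into Notice objects; separator lines are ignored."""
    notices, current = [], None
    for line in text.splitlines():
        if line.startswith(NOTICE_START):
            current = Notice()
            notices.append(current)
        elif current is not None:
            h = HEADER_RE.match(line)
            a = ATTACH_RE.match(line)
            if h:
                current.headers[h.group(1)] = h.group(2)
            elif a:
                current.attachments.append((a.group(1), a.group(2)))
    return notices


def assess(notice: Notice) -> Notice:
    """Record why a notice looks like the courier-invoice lure (empty list = nothing found)."""
    reasons = []
    for _outer, inner in notice.attachments:
        if os.path.splitext(inner.lower())[1] in EXECUTABLE_EXTS:
            reasons.append("executable attachment")
        if re.search(r"[_ ]{8,}", inner):      # padding pushes the real extension out of view
            reasons.append("padded filename hides extension")
    domain = notice.headers.get("From", "").rsplit("@", 1)[-1].lower()
    from_courier = any(domain == d or domain.endswith("." + d) for d in COURIER_DOMAINS)
    if LURE_WORDS.search(notice.headers.get("Subject", "")) and not from_courier:
        reasons.append("courier lure from unrelated domain")
    notice.reasons = reasons
    return notice


def analyse_notices(text: str) -> list:
    return [assess(n) for n in parse_notices(text)]


def suspicious(notices: list) -> list:
    return [n for n in notices if n.reasons]


if __name__ == "__main__":
    for n in suspicious(analyse_notices(SAMPLE_NOTICES)):
        print(n.headers.get("Message-ID"), n.headers.get("From"), "->", "; ".join(n.reasons))
```

Run as-is it prints the two lure notices with their reasons and stays silent on the control. The sender-domain check is deliberately a negative test (not ups.com) rather than a positive one, because the From header is trivially forged; it tells you the message cannot be genuine, never that it is.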
Darkside Just Arrived
Joined: 02 Aug 2004 Posts: 2 Location: London, UK
Posted: Thu Aug 07, 2008 5:34 pm Post subject: |
It still seems to be doing the rounds at the moment. I've had a number of calls at our remote sites (not under our domain or AD, nor do they have any filtering) reporting this virus. It would seem that XPAntivirus2008/XPSecuritycentre is the main indication to if the machine has been infected.
I've cleaned a number of machines and found a number of various rootkits, trojans and other viruses present. However, none of which seem to follow a pattern. For example,
Remote Site 1) Infected with XPAntivirus2008, Trojan.Blusod, Trojan.Pandex and Joke.Blusod (added by trojan.Blusod).
Remote Site 2) Infected with XPAntivirus2008, Trojan.Srizbi, WinIFixer, Trojan.Virantix.C, WinReanimator, Trojan.Blusod, Joke.Blusod, XPSecurityCentre, Backdoor.Paproxy and Trojan.Vundo.
Remote Site 3) Infected with XPSecurityCentre, Trojan.Vundo, Trojan.Metajuan, Trojan.Vundo.B and Trojan.Lowzones.
All 3 machines were clean of viruses previous to users opening the UPS email. This of course makes it slightly more difficult for us to clean as you're going to get a handful of various viri.
Although, that blog made a very interesting read and is now bookmarked.
RoboGeek SF Mod
Joined: 13 Jun 2003 Posts: 16777166 Location: LeRoy, IL
Posted: Thu Aug 07, 2008 7:17 pm Post subject: |
I'm seeing a lot of the xpav stuff around here - it's not just coming through emails. I had it attempt to d/l driveby style on my linux machine. It actually popped up after visiting a website (researching a file) and it told me I had a bunch of w32.*** viruses and 170 some registry errors. I wonder if there isn't a spambot out there sending the stuff too. It is pretty profitable - at least half my customers have clicked and installed, and a few of those even gave them their CC info.
Darkside Just Arrived
Joined: 02 Aug 2004 Posts: 2 Location: London, UK
Posted: Fri Aug 08, 2008 5:23 pm Post subject: |
Another 2 machines today.
I need to find out how this XPAntivirus is getting on the system and past Norton Corp!
Mongrel SF Mod
Joined: 30 May 2002 Posts: 8
Posted: Fri Aug 08, 2008 5:42 pm Post subject: |
I haven't seen any yet but this is exactly like the bank account phishing. In the same manner as a bank *never* emails requests for PII and account info, UPS *never* sends attachments to their email. The email *is* the invoice and all the info is self-contained.
For those of us who make money from cleaning up the mess, it's sort of a windfall but it's just another example of how gullible the human animal is. That we would open up an *e-invoice*, when we know we never had anything shipped, is almost ludicrous.
I mean Geez - every UPS email that concerns a shipment has a tracking number in the body of the email. Anyone with half an ounce of logic would know that it is missing and would call UPS about it.
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
Posted: Sun Aug 10, 2008 5:53 pm Post subject: |
The UPS and Customs variants were only ever likely to catch people who might have half expected something, maybe an e-Bay order and the like.
A very similar variation was going around about confirmation of airline ticket purchase for several hundred dollars. This is much more likely (IMHO) to have caught more people, on the basis that they might think "well I know I did not order anything, so maybe someone else has used my credit card or email information. I better check what's going on so I can stop this fraudulent payment". 1, 2, 3 - 0wn3d!
Darkside, I don't have a [polite] answer for why this would get past Norton. My only comment would be that all AV has a flaw if it tries to rely on updating lists of bad things faster than they can spread. Of course, if you have AV1 and you get no viruses, it must be working, right?
Using anti-virus software to keep the elephants away
capi SF Senior Mod
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Mon Aug 11, 2008 1:06 pm Post subject: |
To paraphrase from a commenter to the article: that's what I've always said!
(nice touch on the spurious relationship, incidentally)
PhiBer SF Mod
Joined: 11 Mar 2003 Posts: 20 Location: Your MBR
Posted: Mon Aug 11, 2008 5:50 pm Post subject: |
What I have always said is "developers, developers, developers." Develop secure code!
Just kidding. But in all seriousness now, the only real way to mitigate such risks is with Defense-in-Depth. Make the landscape for infection as small as possible. Use IPSec. Use outbound filtering. Use patching methodologies. Educate your users. Prevent malicious code from entering at the border. If an infection does occur, prevent its propagation with the correct security policies.
An Antivirus package is only as good as its heuristic engine and the last updated definition file. This is why I never pay for home AV software.
Darkside Just Arrived
Joined: 02 Aug 2004 Posts: 2 Location: London, UK
Posted: Tue Aug 12, 2008 5:51 pm Post subject: |
I'm very restricted to solutions. The NHS budget at its best I suppose...
I've had another 2 come in today. It's definitely down to user negligence, but this isn't a normal working environment where we can train the users involved.
dayze Just Arrived
Joined: 14 Nov 2010 Posts: 0
Posted: Sun Nov 14, 2010 1:46 am Post subject: |
Contact UPS by phone if you’re ever in doubt about the legitimacy of a UPS email prior to opening it – http://www.upsphonenumber.com/
albrnsmith Just Arrived
Joined: 23 Nov 2010 Posts: 0 Location: Spain
Posted: Wed Nov 24, 2010 5:44 pm Post subject: |
Hi All,
Yes ... It downloads a rootkit in order to hide itself in the system and a rogue antivirus which alerts users of non-existent threats in the computer. It does not spread automatically using its own means.