Security Forums

UPS Invoice virus

Darkside
Just Arrived
Joined: 02 Aug 2004
Posts: 2
Location: London, UK

Posted: Thu Jul 24, 2008 3:53 pm    Post subject: UPS Invoice virus

I don't know if anyone else has had any experience with this virus but it is relatively new.
It's being identified as Trj/Agent.JEN by Panda solutions.

It's basically an email that comes through claiming to be a UPS Invoice. Users open the attached file and the virus replaces userinit.exe and possibly msconfig.exe. It then contacts 2 other servers to download a rootkit and malware (antivirusxp 2008/2009).

It's currently not being detected by Norton Antivirus 9.x/10.x and is giving us some concerns. We've only had 2 systems infected so far but with our AV not detecting it, it's obviously a worry.

Has anyone else had any dealings with this?
AdamV
SF Mod
Joined: 06 Oct 2004
Posts: 24
Location: Leeds, UK

Posted: Thu Jul 24, 2008 4:57 pm

Yes, I wrote about this on my blog last week (July 14th to be precise).
UPS_Invoice.exe trojan received by email
and a follow-up post with more details and MD5 hashes for comparison here:
Follow up post about UPS_Invoice trojan

There's also a new variation out which seems to be new today - I haven't found anyone else writing about this one yet:
UPS_Invoice email trojan variant claims to be from Customs Service
Tom Bair
SF Boss
Joined: 10 Aug 2002
Posts: 16776955
Location: Portland, Oregon USA

Posted: Thu Jul 24, 2008 8:17 pm

They are being sent to our Admin address here. We receive about 3 to 6 a day. An example of the two:

Quote:

MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------

From : qkd@boetticher.com
To : admins@security-forums.com
Subject : UPS Tracking Number 4659428638
Message-ID: <01c8ed37$b5415100$a3535a48@qkd>

---------------------
Attachment(s) removed
---------------------
invoice_8712.zip (INVOICE_8712.exe)



and:

Quote:

-------------------------------------------------------------------
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------

From : jrdonfxk@brandspringsolutions.com
To : admins@security-forums.com
Subject : Your parcel is at the customs office
Message-ID: <01c8ed63$b4beaf80$95092e40@jrdonfxk>

---------------------
Attachment(s) removed
---------------------
Tax_Invoice.zip (Tax_Invoice_________________________NHHDLS883298792929.exe)



Nothing like this hitting my other email accounts yet.
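As an added illustration (my own example, not code from any poster or from MDaemon), here is a small Python parser for restricted-attachment notices like the two quoted above. It flags the indicators this thread discusses: an executable wrapped in the zip, a long run of underscores pushing the real extension out of view, and a shipping- or invoice-themed subject arriving with an attachment. The sender addresses and Message-IDs in the sample notices are constructed; the subjects and attachment names are the ones quoted.

```python
import os
import re

# Two constructed notices shaped like the MDaemon "restricted attachments"
# messages quoted above; sender addresses and Message-IDs are made up,
# the subjects and attachment names are the ones seen in the thread.
NOTICES = [
    """MDaemon has detected restricted attachments within an email message
From : sender-one@example.invalid
To : admins@example.invalid
Subject : UPS Tracking Number 4659428638
Message-ID: <constructed-1@example.invalid>
Attachment(s) removed
invoice_8712.zip (INVOICE_8712.exe)
""",
    """MDaemon has detected restricted attachments within an email message
From : sender-two@example.invalid
To : admins@example.invalid
Subject : Your parcel is at the customs office
Message-ID: <constructed-2@example.invalid>
Attachment(s) removed
Tax_Invoice.zip (Tax_Invoice_________________________NHHDLS883298792929.exe)
""",
]

# Extensions Windows will execute directly when the user double-clicks.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
LURE_WORDS = re.compile(r"\b(ups|parcel|invoice|customs|tracking)\b", re.I)


def parse_notice(text):
    """Return (headers, [(archive, file_inside_archive), ...]) from one notice."""
    headers = dict(re.findall(r"^(From|To|Subject)\s*:\s*(.+?)\s*$", text, re.M))
    attachments = re.findall(r"^(\S+)\s+\((.+?)\)\s*$", text, re.M)
    return headers, attachments


def assess(text):
    """List the indicators a mail admin would flag in one notice."""
    headers, attachments = parse_notice(text)
    findings = []
    for archive, inner in attachments:
        if os.path.splitext(inner)[1].lower() in EXEC_EXT:
            findings.append(f"executable {inner} wrapped in archive {archive}")
        if re.search(r"_{8,}", inner):
            findings.append(f"underscore padding hides the real extension: {inner}")
    if attachments and LURE_WORDS.search(headers.get("Subject", "")):
        findings.append("shipping/invoice-themed subject arriving with an attachment")
    return findings
```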
Darkside
Just Arrived
Joined: 02 Aug 2004
Posts: 2
Location: London, UK

Posted: Thu Aug 07, 2008 5:34 pm

It still seems to be doing the rounds at the moment. I've had a number of calls at our remote sites (not under our domain or AD, nor do they have any filtering) reporting this virus. It would seem that XPAntivirus2008/XPSecuritycentre is the main indication of whether the machine has been infected.
I've cleaned a number of machines and found a number of various rootkits, trojans and other viruses present. However, none of them seem to follow a pattern. For example,

Remote Site 1) Infected with XPAntivirus2008, Trojan.Blusod, Trojan.Pandex and Joke.Blusod (added by trojan.Blusod).

Remote Site 2) Infected with XPAntivirus2008, Trojan.Srizbi, WinIFixer, Trojan.Virantix.C, WinReanimator, Trojan.Blusod, Joke.Blusod, XPSecurityCentre, Backdoor.Paproxy and Trojan.Vundo.

Remote Site 3) Infected with XPSecurityCentre, Trojan.Vundo, Trojan.Metajuan, Trojan.Vundo.B and Trojan.Lowzones.

All 3 machines were clean of viruses prior to users opening the UPS email. This of course makes it slightly more difficult for us to clean, as you're going to get a handful of various viri.

Although, that blog made a very interesting read and is now bookmarked.
RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Posted: Thu Aug 07, 2008 7:17 pm

I'm seeing a lot of the xpav stuff around here - it's not just coming through emails. I had it attempt to d/l drive-by style on my linux machine. It actually popped up after visiting a website (researching a file) and it told me I had a bunch of w32.*** viruses and 170-some registry errors. I wonder if there isn't a spambot out there sending the stuff too. It is pretty profitable - at least half my customers have clicked and installed, and a few of those even gave them their CC info.
Darkside
Just Arrived
Joined: 02 Aug 2004
Posts: 2
Location: London, UK

Posted: Fri Aug 08, 2008 5:23 pm

Another 2 machines today.

I need to find out how this XPAntivirus is getting on the system and past Norton Corp!
Mongrel
SF Mod
Joined: 30 May 2002
Posts: 8

Posted: Fri Aug 08, 2008 5:42 pm

I haven't seen any yet but this is exactly like the bank account phishing.

In the same manner as a bank *never* emails requests for PII and account info, UPS *never* sends attachments to their email. The email *is* the invoice and all the info is self-contained.

For those of us who make money from cleaning up the mess, it's sort of a windfall but it's just another example of how gullible the human animal is. That we would open up an *e-invoice*, when we know we never had anything shipped, is almost ludicrous.

I mean Geez - every UPS email that concerns a shipment has a tracking number in the body of the email. Anyone with half an ounce of logic would know that it is missing and would call UPS about it.
AdamV
SF Mod
Joined: 06 Oct 2004
Posts: 24
Location: Leeds, UK

Posted: Sun Aug 10, 2008 5:53 pm

The UPS and Customs variants were only ever likely to catch people who might have half expected something, maybe an e-Bay order and the like.

A very similar variation was going around about confirmation of airline ticket purchase for several hundred dollars. This is much more likely (IMHO) to have caught more people, on the basis that they might think "well I know I did not order anything, so maybe someone else has used my credit card or email information. I better check what's going on so I can stop this fraudulent payment". 1, 2, 3 - 0wn3d!

Darkside, I don't have a [polite] answer for why this would get past Norton. My only comment would be that all AV has a flaw if it tries to rely on updating lists of bad things faster than they can spread. Of course, if you have AV1 and you get no viruses, it must be working, right?

Using anti-virus software to keep the elephants away
capi
SF Senior Mod
Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Posted: Mon Aug 11, 2008 1:06 pm

AdamV wrote:
Using anti-virus software to keep the elephants away

To paraphrase from a commenter to the article: that's what I've always said!

(nice touch on the spurious relationship, incidentally)
PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Mon Aug 11, 2008 5:50 pm

What I have always said is "developers, developers, developers." Develop secure code!

Just kidding. But in all seriousness now, the only real way to mitigate such risks is with Defense-in-Depth. Make the landscape for infection as small as possible. Use IPSec. Use outbound filtering. Use patching methodologies. Educate your users. Prevent malicious code from entering at the border. If an infection does occur, prevent its propagation with the correct security policies.

An Antivirus package is only as good as its heuristic engine and the last updated definition file. This is why I never pay for home AV software.
Darkside
Just Arrived
Joined: 02 Aug 2004
Posts: 2
Location: London, UK

Posted: Tue Aug 12, 2008 5:51 pm

I'm very restricted to solutions. The NHS budget at its best I suppose...

I've had another 2 come in today. It's definitely down to user negligence, but this isn't a normal working environment where we can train the users involved.
dayze
Just Arrived
Joined: 14 Nov 2010
Posts: 0

Posted: Sun Nov 14, 2010 1:46 am

Contact UPS by phone if you’re ever in doubt about the legitimacy of a UPS email prior to opening it – http://www.upsphonenumber.com/
albrnsmith
Just Arrived
Joined: 23 Nov 2010
Posts: 0
Location: Spain

Posted: Wed Nov 24, 2010 5:44 pm

Hi All,

Yes... It downloads a rootkit in order to hide itself in the system and a rogue antivirus which alerts users of non-existent threats in the computer. It does not spread automatically using its own means.

All times are GMT + 2 Hours