UPS Invoice virus

Networking/Security Forums -> Viruses // Worms

Author: Darkside   Location: London, UK   Posted: Thu Jul 24, 2008 3:53 pm   Post subject: UPS Invoice virus
    ----
I don't know if anyone else has had any experience with this virus but it is relatively new.
It's being identified as Trj/Agent.JEN by Panda solutions.

It's basically an email that comes through claiming to be a UPS Invoice. Users open the attached file and the virus replaces userinit.exe and possibly msconfig.exe. It then contacts 2 other servers to download a rootkit and malware (antivirusxp 2008/2009).

It's currently not being detected by Norton Antivirus 9.x/10.x and is giving us some concerns. We've only had 2 systems infected so far but with our AV not detecting it, it's obviously a worry.

Has anyone else had any dealings with this?

Author: AdamV   Location: Leeds, UK   Posted: Thu Jul 24, 2008 4:57 pm   Post subject:
    ----
Yes, I wrote about this on my blog last week (July 14th to be precise).
UPS_Invoice.exe trojan received by email
and a follow up post with more details and MD5 hashes for comparison here:
Follow up post about UPS_Invoice trojan

There's also a new variation out which seems to be new today - I haven't found anyone else writing about this one yet:
UPS_Invoice email trojan variant claims to be from Customs Service

Author: Tom Bair   Location: Portland, Oregon USA   Posted: Thu Jul 24, 2008 8:17 pm   Post subject:
    ----
They are being sent to our Admin address here. We receive about 3 to 6 a day. An example of the two:

Quote:

MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------

From : qkd@boetticher.com
To : admins@security-forums.com
Subject : UPS Tracking Number 4659428638
Message-ID: <01c8ed37$b5415100$a3535a48@qkd>

---------------------
Attachment(s) removed
---------------------
invoice_8712.zip (INVOICE_8712.exe)

and:

Quote:

-------------------------------------------------------------------
MDaemon has detected restricted attachments within an email message
-------------------------------------------------------------------

From : jrdonfxk@brandspringsolutions.com
To : admins@security-forums.com
Subject : Your parcel is at the customs office
Message-ID: <01c8ed63$b4beaf80$95092e40@jrdonfxk>

---------------------
Attachment(s) removed
---------------------
Tax_Invoice.zip (Tax_Invoice_________________________NHHDLS883298792929.exe)

Nothing like this hitting my other email accounts yet.
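Both MDaemon notices quoted above show the same shape: a `.zip` attachment wrapping a single `.exe`, in the second case with a long underscore-padded name. The following is an added example (not code from the thread or from MDaemon) of how a mail gateway or a triage script can parse a message, open any zip attachment in memory and flag exactly that pattern. The sample message it builds is constructed for the example, with placeholder addresses and placeholder bytes instead of a real executable; the padding and length thresholds are assumed heuristics, not values from the thread.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# File extensions Windows will execute directly; a shipping invoice never needs these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}
# Assumed heuristic: long runs of underscores or very long member names are used to
# push the real extension out of view in file dialogs.
PADDING_RUN = "_" * 10
LONG_NAME = 60


def build_sample_message() -> bytes:
    """Constructed sample modelled on the MDaemon notices quoted above; not a real capture."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # Placeholder bytes, not an actual executable.
        zf.writestr("Tax_Invoice_____________________NHHDLS883298792929.exe", b"MZ placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "admins@example.invalid"     # placeholder address
    msg["Subject"] = "Your parcel is at the customs office"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="Tax_Invoice.zip")
    return msg.as_bytes()


def extension_of(name: str) -> str:
    """Lower-cased final extension, e.g. 'INVOICE_8712.exe' -> '.exe'; '' if none."""
    m = re.search(r"\.([A-Za-z0-9]+)$", name)
    return "." + m.group(1).lower() if m else ""


def inspect_message(raw: bytes) -> list:
    """Return a list of findings for one RFC 5322 message (empty list = nothing suspicious)."""
    findings = []
    msg = email.message_from_bytes(raw, policy=default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension_of(name)
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if ext in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            try:
                # Only the central directory is read; nothing is extracted to disk.
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
                continue
            for member in members:
                if extension_of(member) in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable inside archive {name}: {member}")
                if PADDING_RUN in member or len(member) > LONG_NAME:
                    findings.append(f"padded member name in {name}: {member}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

Run against the constructed sample it reports both an executable inside the archive and the padded member name. The same `inspect_message` function can be pointed at a saved `.eml` file read in binary mode; it deliberately lists archive members without extracting them, so a crafted archive cannot write anything to disk during triage.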

Author: Darkside   Location: London, UK   Posted: Thu Aug 07, 2008 5:34 pm   Post subject:
    ----
It still seems to be doing the rounds at the moment. I've had a number of calls at our remote sites (not under our domain or AD, nor do they have any filtering) reporting this virus. It would seem that XPAntivirus2008/XPSecuritycentre is the main indication of whether the machine has been infected.
I've cleaned a number of machines and found a number of various rootkits, trojans and other viruses present. However, none of them seem to follow a pattern. For example:

Remote Site 1) Infected with XPAntivirus2008, Trojan.Blusod, Trojan.Pandex and Joke.Blusod (added by trojan.Blusod).

Remote Site 2) Infected with XPAntivirus2008, Trojan.Srizbi, WinIFixer, Trojan.Virantix.C, WinReanimator, Trojan.Blusod, Joke.Blusod, XPSecurityCentre, Backdoor.Paproxy and Trojan.Vundo.

Remote Site 3) Infected with XPSecurityCentre, Trojan.Vundo, Trojan.Metajuan, Trojan.Vundo.B and Trojan.Lowzones.

All 3 machines were clean of viruses prior to users opening the UPS email. This of course makes it slightly more difficult for us to clean, as you're going to get a handful of various viri.

That blog made a very interesting read, though, and is now bookmarked.

Author: RoboGeek   Location: LeRoy, IL   Posted: Thu Aug 07, 2008 7:17 pm   Post subject:
    ----
I'm seeing a lot of the xpav stuff around here - it's not just coming through emails. I had it attempt to d/l drive-by style on my Linux machine. It actually popped up after visiting a website (researching a file) and it told me I had a bunch of w32.*** viruses and 170-some registry errors. I wonder if there isn't a spambot out there sending the stuff too. It is pretty profitable - at least half my customers have clicked and installed, and a few of those even gave them their CC info.

Author: Darkside   Location: London, UK   Posted: Fri Aug 08, 2008 5:23 pm   Post subject:
    ----
Another 2 machines today.

I need to find out how this XPAntivirus is getting on the system and past Norton Corp!

Author: Mongrel   Posted: Fri Aug 08, 2008 5:42 pm   Post subject:
    ----
I haven't seen any yet but this is exactly like the bank account phishing.

In the same manner as a bank *never* emails requests for PII and
account info, UPS *never* sends attachments to their email. The email
*is* the invoice and all the info is self-contained.

For those of us who make money from cleaning up the mess, it's sort of a
windfall but it's just another example of how gullible the human animal is.
That we would open up an *e-invoice*, when we know we never had
anything shipped, is almost ludicrous.

I mean Geez - every UPS email that concerns a shipment has a tracking
number in the body of the email. Anyone with half an ounce of logic would
know that it is missing and would call UPS about it.

Author: AdamV   Location: Leeds, UK   Posted: Sun Aug 10, 2008 5:53 pm   Post subject:
    ----
The UPS and Customs variants were only ever likely to catch people who might have half expected something, maybe an e-Bay order and the like.

A very similar variation was going around about confirmation of airline ticket purchase for several hundred dollars. This is much more likely (IMHO) to have caught more people, on the basis that they might think "well I know I did not order anything, so maybe someone else has used my credit card or email information. I better check what's going on so I can stop this fraudulent payment". 1, 2, 3 - 0wn3d!

Darkside, I don't have a [polite] answer for why this would get past Norton. My only comment would be that all AV has a flaw if it tries to rely on updating lists of bad things faster than they can spread. Of course, if you have AV1 and you get no viruses, it must be working, right?

Using anti-virus software to keep the elephants away

Author: capi   Location: Portugal   Posted: Mon Aug 11, 2008 1:06 pm   Post subject:
    ----
AdamV wrote:
Using anti-virus software to keep the elephants away

To paraphrase from a commenter to the article: that's what I've always said!

(nice touch on the spurious relationship, incidentally)

Author: PhiBer   Location: Your MBR   Posted: Mon Aug 11, 2008 5:50 pm   Post subject:
    ----
What I have always said is "developers, developers, developers." Develop secure code!

Just kidding. But in all seriousness now, the only real way to mitigate such risks is with Defense-in-Depth. Make the landscape for infection as small as possible. Use IPSec. Use outbound filtering. Use patching methodologies. Educate your users. Prevent malicious code from entering at the border. If an infection does occur, prevent its propagation with the correct security policies.

An Antivirus package is only as good as its heuristic engine and the last updated definition file. This is why I never pay for home AV software.

Author: Darkside   Location: London, UK   Posted: Tue Aug 12, 2008 5:51 pm   Post subject:
    ----
I'm very restricted to solutions. The NHS budget at its best I suppose...

I've had another 2 come in today. It's definitely down to user negligence, but this isn't a normal working environment where we can train the users involved.

Author: dayze   Posted: Sun Nov 14, 2010 1:46 am   Post subject:
    ----
Contact UPS by phone if you're ever in doubt about the legitimacy of a UPS email prior to opening it - http://www.upsphonenumber.com/

Author: albrnsmith   Location: Spain   Posted: Wed Nov 24, 2010 5:44 pm   Post subject:
    ----
Hi All,

Yes ... It downloads a rootkit in order to hide itself in the system and a rogue antivirus which alerts users of non-existent threats in the computer. It does not spread automatically using its own means.
