She-geeks Forum
Author Topic: Don't open that invoice.zip file its not from UPS  (Read 684 times)
tomron
« on: September 17, 2008, 06:04:40 PM »

We received two reports of fake UPS invoice tracking Trojan zip files.
This is similar to other invoice Trojans we have seen. .....

http://isc.sans.org/
« Last Edit: March 03, 2009, 10:15:23 AM by justy » Logged

Moderator_
Guest
« Reply #1 on: September 17, 2008, 06:16:19 PM »

We received two reports of fake UPS invoice tracking Trojan zip files.
This is similar to other invoice Trojans we have seen. .....

isc.sans.org/




source:

http://myitforum.com/cs2/blogs/cmosby/archive/2008/09/17/don-t-open-that-invoice-zip-file-its-not-from-ups-sans-internet-storm-center.aspx





Don't open that invoice.zip file its not from UPS - SANS Internet Storm Center
Don't open that invoice.zip file its not from UPS
Published: 2008-09-16,
Last Updated: 2008-09-16 20:15:52 UTC
by xxxx xxxx (Version: 1)

We received two reports of fake UPS invoice tracking Trojan zip files.
This is similar to other invoice Trojans we have seen.

Here is one of the email bodies. Notice that while this appears to be a two-way conversation, it was really just the spammer who created the whole thing. The victim did not send UPS an email.
Email header:


To: victims@email.address
Subject: Re: missing package
From: John Henry <johnhenry.support@ups.com>
Reply-To: johnhenry.support@ups.com

Email body:

 Mr./Mrs. Victims First and Last name
 
 I am sorry for this late reply, but we have good news.
 
 We managed to track your package, and we have attached the
 invoice you asked for to this reply.
 
 The invoice contains the correct tracking# , since the one
 you gave us was invalid.
 
 You can use it on the ups website to track your shipment.
 
 Thank you
 John Henry
 UPS Customer Care Department
 
 
 From: victim’s name and email address
 Subject: missing package
 To: support@ups.com
 Date: Monday, September 8 , 2008, 10:38 AM
 
 I have recently used UPS to send a package to my cousin but
 he never received it.
 
 Also , the tracking number doesn't check on the website, and
 I lost the invoice.
 
 Can you forward me a copy?
 
 
 
Here you have the tracking# :xxxxxxxxxxxxxxxx


 
Original File Name: invoice.zip

9/36 of the virus engines at VT recognized it.

Engine         Version     Date        Result
AntiVir        7.8.1.28    2008.09.16  TR/Crypt.FKM.Gen
Authentium     5.1.0.4     2008.09.16  W32/Heuristic-VFM!Eldorado
BitDefender    7.2         2008.09.16  MemScan:Trojan.Spy.Delf.NQT
CAT-QuickHeal  9.50        2008.09.16  (Suspicious) - DNAScan
F-Prot         4.4.4.56    2008.09.16  W32/Heuristic-VFM!Eldorado
Ikarus         T3.1.1.34.0 2008.09.16  BehavesLike.Win32.Malware




thoughts?

« Last Edit: March 03, 2009, 10:15:48 AM by justy » Logged
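
The fabricated-reply pattern described in the post above, as an added detection example that is not part of the original thread or the SANS diary: it flags a `Re:` message that lacks thread headers, matches nothing the recipient actually sent, and carries a zip attachment. The `triage` function, the `sent_subjects` input and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Constructed sample built from the headers quoted in the post; the attachment
# payload is a harmless base64 placeholder, not a real archive.
SAMPLE = "\n".join([
    "To: victims@email.address",
    "Subject: Re: missing package",
    "From: John Henry <johnhenry.support@ups.com>",
    "Reply-To: johnhenry.support@ups.com",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "We managed to track your package, and we have attached the invoice.",
    "--b1",
    "Content-Type: application/zip",
    'Content-Disposition: attachment; filename="invoice.zip"',
    "Content-Transfer-Encoding: base64",
    "",
    "cGxhY2Vob2xkZXI=",
    "--b1--",
    "",
])


def triage(raw, sent_subjects=()):
    """Return reasons a message looks like a fabricated reply with a lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    is_reply = subject.lower().startswith("re:")
    # Assumption: a genuine reply carries In-Reply-To or References (RFC 5322).
    if is_reply and not (msg["In-Reply-To"] or msg["References"]):
        reasons.append("reply-without-thread-headers")
    # sent_subjects is a hypothetical export of the recipient's Sent folder.
    sent = {s.strip().lower() for s in sent_subjects}
    if is_reply and subject[3:].strip().lower() not in sent:
        reasons.append("no-matching-sent-message")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            reasons.append("zip-attachment:" + name)
    return reasons
```
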
justy
« Reply #2 on: September 17, 2008, 06:31:52 PM »

wow...thank you for posting this tomron!
« Last Edit: September 17, 2008, 06:53:41 PM by justy » Logged

01101010011101010111001101110100011010010110111001100001
tomron
« Reply #3 on: September 17, 2008, 07:00:56 PM »

@justy

If anyone is interested they can subscribe for e-mail notifications.

@Moderator_

Are you seeking thoughts on the subject itself?
« Last Edit: March 03, 2009, 10:15:02 AM by justy » Logged

Moderator_
Guest
« Reply #4 on: September 17, 2008, 08:26:16 PM »


@Moderator_

Are you seeking thoughts on the subject itself?


Actually, when I said "Thoughts?" at the end of my previous post--I was asking that to all the members, not just you.

But if you have thoughts on the matter, post them up.
« Last Edit: March 03, 2009, 10:14:42 AM by justy » Logged
tomron
« Reply #5 on: September 17, 2008, 09:11:14 PM »

@Moderator_

Quote
Actually, when I said "Thoughts?" at the end of my previous post--I was asking that to all the members, not just you.

I figured that, I just got confused when you said "source" then provided a link cause I didn't get this from the link that you provided.
I got this from CNET, and also I've been getting e-mail notifications from SANS for years.
« Last Edit: March 03, 2009, 10:14:10 AM by justy » Logged

Moderator_
Guest
« Reply #6 on: September 17, 2008, 09:15:33 PM »

I just got confused when you said "source" then provided a link cause I didn't get this from the link that you provided.

The link I provided is the source for what I posted. Because when we post things from other websites (copy and paste) we provide a source for it as proper etiquette. Nice thread, tomron.
« Last Edit: March 03, 2009, 10:13:47 AM by justy » Logged
tomron
« Reply #7 on: September 17, 2008, 09:28:46 PM »

@Moderator_

Quote
The link I provided is the source for what I posted. Because when we post things from other websites (copy and paste) we provide a source for it as proper etiquette. Nice thread, tomron.

Understood and thanx.

« Last Edit: March 03, 2009, 10:12:41 AM by justy » Logged
