UPS_Invoice.exe trojan received by email
July 14, 2008
This lunchtime I received an email as follows:
From: United Parcel Service [someone@not_ups.com]
Subject: UPS Paket N2410170593
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office
Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.
So I saved the file and had a quick peek at it with Notepad, so as to avoid opening the zip file at all. I could see enough of the raw content to tell that the zip held a single executable called UPS_invoice.exe rather than any kind of document file. Next step – a quick search online to see what particular flavour of nastiness this was. Fire up search engine, search for “UPS_invoice trojan”, “UPS invoice trojan” and other variations. Absolutely nothing at all. No-one else seemed to have received this. Very strange indeed. I had a look on Sophos’ website and in McAfee’s virus information library but could not find anything resembling this.
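The Notepad peek works because a zip stores each member's name uncompressed in its local file header, right next to the compressed data. The following script, added here as an illustration and not part of the original post, reads those names straight out of the raw bytes and then inspects the members without extracting anything to disk; the sample zip and its fake "MZ" stub are constructed inline and contain no real malware.

```python
import io
import struct
import zipfile

# Extensions Windows runs directly on double-click (not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def build_sample_zip() -> bytes:
    """Constructed stand-in for the emailed attachment: one member named like
    the real one, whose bytes are a fake PE stub (starts with 'MZ'), not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_invoice.exe", b"MZ" + b"\x00" * 62 + b"fake stub")
    return buf.getvalue()

def raw_member_names(data: bytes) -> list:
    """Pull member names out of the local file headers (signature PK\\x03\\x04).
    Names are stored in clear text, which is exactly what a text editor shows."""
    names, pos = [], 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0:
            return names
        # Header layout: compressed size at offset 18, name/extra lengths at 26/28.
        comp_size = struct.unpack_from("<I", data, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("cp437"))
        pos += 30 + name_len + extra_len + comp_size   # skip past the member data

def triage_zip(data: bytes) -> list:
    """Inspect members in memory only. Per member: name, size, executable
    extension, double extension (e.g. invoice.pdf.exe) and the 'MZ' PE magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            with zf.open(info) as member:   # reading two bytes never executes them
                magic = member.read(2)
            findings.append({"name": name, "size": info.file_size,
                             "exec_ext": ext in EXECUTABLE_EXTS,
                             "double_ext": name.count(".") > 1 and ext in EXECUTABLE_EXTS,
                             "pe_magic": magic == b"MZ"})
    return findings

def is_suspicious(findings: list) -> bool:
    """An 'invoice' should never contain an executable member."""
    return any(f["exec_ext"] or f["pe_magic"] for f in findings)

if __name__ == "__main__":
    sample = build_sample_zip()
    print("names seen in raw bytes:", raw_member_names(sample))
    print("suspicious:", is_suspicious(triage_zip(sample)))
```

The extension check alone would miss a member renamed to look like a document, which is why the script also looks at the first two bytes of each member.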
I wondered if I had somehow been ‘lucky’ enough to be one of the first to be sent a new malware variant, so I submitted a sample to Sophos.
I checked again later in the day and now I got a single hit for a site discussing this new menace, a blog at the Berlin Technische Universität focussing on hoax information had this post: UPS-Mails mit Malware. So, I was not alone, but it was still odd that no-one else reported this.
Of course, zip files can be opened natively on XP with no additional software, and a zip can be built so that a file is opened or run automatically once the archive has been decompressed. This means that simply double-clicking the file could cause the payload to run, and attempt to install itself and do its damage.
Five hours after submitting my sample, Sophos kindly confirmed that the file did contain malware, identified by them as Troj/Agent-HFU. Coincidentally, the last email to arrive before I received this was another version of the same thing, with an English subject of “UPS Tracking Number 8017161622” and the attachment was called UPS_Inoice_107.zip this time (yes, that’s “inoice” with no V). So maybe the first one was actually a German variant sent to me – not too farfetched given that I receive plenty of spam in German, usually pump-and-dump stock scams, so I must be on someone’s spam lists.
Still no information about UPS_Invoice.exe
However, there was still no mention of the email subject or payload name. Web searches still found only the TU Berlin article – was this just because of the inevitable time lag before search providers index new pages, or something else? I had a read of the Sophos advisory about this and found that they simply don’t mention UPS at all. Nothing. I know that back when I wrote my review of Sophos Small Business Edition they used to be pretty good at describing the symptoms of a malware variant, so you had some chance of identifying threats. Now the description says only that this trojan affects Windows, and that protection has been available for Sophos customers since 13 July 2008 19:44:42 (GMT). Pretty useless, so I thought I would check whether anyone else had any more helpful information by searching for the name “Troj/Agent-HFU” and “Trojan Agent HFU”. The only results were sites which either syndicated Sophos information directly or wrote about new releases and quoted the source. So the blogosphere echoed with the same information I could get from Sophos, but nothing else.
What’s in a name?
So, does this mean that Sophos are the only vendor out there offering to spot this new threat with an updated signature? I very much doubt it; I suspect this is just a manifestation of the usual problem of confusion over virus names. When a biologist finds a new species of beetle (or indeed a real-life virus) they get to name it anything they like. They can stick to a conventional Linnaean classification, or name it after their maternal grandmother, a character from Star Trek, or simply a new rude-sounding word. But once they have decided upon a name, everyone else has to use the same one. OK, there are cases where a second person does not realise that their find is not actually new, and they use their own chosen name for a while, but once it is determined that two creatures are in fact just individuals from the same species, the earlier name is used.
Not so for computer viruses. For years I have found it annoying and frustrating that the antivirus vendors seem to enjoy choosing different names for the same malware and then sticking doggedly to them. At least they used to cross-reference each other’s versions to some extent, but now it seems they are deliberately keeping to their own petty conventions. Why not adopt a universal scheme of letters and numbers within which any vendor can take the next one off the list and attach it to an identified executable? If astronomers can do this for the billions of stars and other objects found in outer space, why not for something as specific and tangible as a few dozen lines of code? Even the minor variants introduced by viruses when copying themselves in order to defeat the most primitive signature-based scanners are easily stripped away, and the core program and its behaviour can be identified. Maybe I’m being over-simplistic or optimistic about the levels of cooperation possible between large corporations which answer to their shareholders. Any insiders care to share any information about the practicality or otherwise of such a name-sharing scheme?
PS: A third email with subject “UPS Tracking Number 6360851232” and an attachment name correctly spelled as UPS_Invoice_107.zip arrived while I was writing this.
It just seems odd how no-one seems to be talking about these with reference to the subject or attachment names. Since it is totally obvious they are not really from UPS, what’s the issue? Has anyone else been receiving many of these?