UPS_Invoice.exe trojan received by email

This lunchtime I received an email as follows:

From: United Parcel Service [someone@not_ups.com]

Subject: UPS Paket N2410170593

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_Invoice_317.zip

Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.
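
The checks made by eye above (the mail does not come from a UPS domain, nobody was expecting an attachment, and it is a zip) can be written down as a small triage routine. The Python below is an added example, not code from the original post: SAMPLE_EML is a constructed mock-up built only from the fields quoted above (display name, sender address, subject, attachment name), a 22-byte empty zip stands in for the real attachment, and the BRAND_DOMAINS table is an assumption for the example rather than a vetted list.

```python
"""Header and attachment triage for the red flags the post lists.

Added example, not code from the original post. SAMPLE_EML is a
constructed message built only from details quoted on the page
(display name, sender address, subject, attachment name); the
attachment body is a 22-byte empty zip, not the real payload.
"""
from __future__ import annotations

import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed sample reproducing the fields quoted in the post.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
From: United Parcel Service <someone@not_ups.com>
To: victim@example.org
Subject: UPS Paket N2410170593
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Please print out the invoice copy attached and collect the package at our office

--XYZ
Content-Type: application/zip; name="UPS_Invoice_317.zip"
Content-Disposition: attachment; filename="UPS_Invoice_317.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

# Assumption for the example: brands impersonated in this thread and the
# domains they really send from. A production filter would use a vetted list.
BRAND_DOMAINS = {"ups": {"ups.com"}, "dhl": {"dhl.com"}}

ARCHIVE_EXT = {".zip", ".rar", ".7z"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXT = {".pdf", ".doc", ".xls", ".txt", ".jpg"}


def domain_of(header_value: str) -> str:
    """Bare, lower-cased domain of the first address in a header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict[str, str]:
    """Return {indicator: detail} for the checks the post makes by eye."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags: dict[str, str] = {}

    from_header = str(msg.get("From", ""))
    display, _ = parseaddr(from_header)
    from_dom = domain_of(from_header)
    subject = str(msg.get("Subject", ""))

    # 1. Display name or subject invokes a brand the sending domain does not belong to.
    for brand, good_domains in BRAND_DOMAINS.items():
        if (re.search(rf"\b{brand}\b", f"{display} {subject}", re.IGNORECASE)
                and from_dom not in good_domains):
            flags["brand_domain_mismatch"] = f"claims {brand.upper()} but From domain is {from_dom}"

    # 2. Envelope sender (Return-Path) disagrees with the header From, a
    #    common sign that the visible From address is forged.
    envelope_dom = domain_of(str(msg.get("Return-Path", "")))
    if envelope_dom and envelope_dom != from_dom:
        flags["envelope_mismatch"] = f"Return-Path {envelope_dom} vs From {from_dom}"

    # 3. Attachment names: archives, executables and document.exe double extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in ARCHIVE_EXT:
            flags["archive_attachment"] = name
        if ext in EXECUTABLE_EXT:
            flags["executable_attachment"] = name
            if os.path.splitext(stem)[1] in DOCUMENT_EXT:
                flags["double_extension"] = name
    return flags


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML).items():
        print(f"{code:24} {detail}")
```

Run against the sample it reports three indicators: the brand/domain mismatch, the Return-Path disagreeing with From, and the zip attachment. None of these proves the mail is malicious on its own, but together they are exactly what made the message worth a closer look before anything was opened.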

So I saved the file and had a quick peek with Notepad to avoid opening the zip file at all. I could see enough of the content to tell that the zip held a single executable called UPS_invoice.exe rather than any kind of document file. Next step – a quick search online to see what particular flavour of nastiness this was. Fire up a search engine, search for “UPS_invoice trojan”, “UPS invoice trojan” and other variations. Absolutely nothing at all. No-one else seems to have received this. Very strange indeed. I had a look on Sophos’ website and McAfee’s virus information library but could not find anything resembling this.

I wondered if I had somehow been ‘lucky’ enough to be one of the first to be sent a new malware variant, so I submitted a sample to Sophos.

I checked again later in the day and now I got a single hit for a site discussing this new menace, a blog at the Berlin Technische Universität focussing on hoax information had this post: UPS-Mails mit Malware. So, I was not alone, but it was still odd that no-one else reported this.

Of course, zip files can be opened natively on XP with no additional software, and a zip can be built so that it automatically opens or runs a file once it has been decompressed. This means that simply double-clicking the file could cause the payload to run, and attempt to install and do its damage.

Five hours after submitting my sample, Sophos kindly confirmed that the file did contain malware, identified by them as Troj/Agent-HFU. Coincidentally, the last email to arrive before I received this was another version of the same thing, with an English subject of “UPS Tracking Number 8017161622”, and the attachment was called UPS_Inoice_107.zip this time (yes, that’s “inoice” with no V). So maybe the first one was actually a German variant sent to me – not too far-fetched given that I receive plenty of spam in German, usually pump-and-dump stock scams, so I must be on someone’s spam lists.

Still no information about UPS_Invoice.exe

However, there was still no mention of the email subject or payload name. Web searches still found only the TU Berlin article – was this just because the search providers have an inevitable time lag, or something else? I had a read of the Sophos advisory about this and found that they simply don’t mention UPS at all. Nothing. I know that back when I wrote my review of Sophos Small Business Edition they used to be pretty good at describing the symptoms of a malware variant, so you had some chance of identifying threats. Now the description says only that this trojan affects Windows, and that protection has been available for Sophos customers since 13 July 2008 19:44:42 (GMT). Pretty useless, so I thought I would check if anyone else had any more helpful information by searching for the name “Troj/Agent-HFU” and “Trojan Agent HFU”. The only results were sites which either syndicated Sophos information directly or wrote about new releases and quoted the source. So the blogosphere echoed with the same information I could get from Sophos but nothing else.

What’s in a name?

So, does this mean that Sophos are the only vendor out there offering to spot this new threat with an updated signature? I very much doubt it; I suspect this is just a manifestation of the usual problem of confusion over virus names. When a biologist finds a new species of beetle (or indeed a real-life virus) they get to name it anything they like. They can stick to a conventional Linnaean classification, or name it after their maternal grandmother, a character from Star Trek, or simply a new rude-sounding word. But once they have decided upon a name, everyone else has to use the same one. OK, there are cases where a second person does not realise that their find is not actually new, and they use their own chosen name for a while, but once it is determined that two creatures are in fact just individuals from the same species, the earlier name is used.

Not so for computer viruses. For years I have found it annoying and frustrating that the antivirus vendors seem to enjoy choosing different names for the same malware and then sticking doggedly to them. At least they used to cross-reference each other’s versions to some extent, but now it seems they are deliberately keeping to their own petty conventions. Why not adopt a universal scheme of letters and numbers within which any vendor can take the next one off the list and attach it to an identified executable? If astronomers can do this for the billions of stars and other objects found in outer space, why not for something as specific and tangible as a few dozen lines of code? Even the minor variants introduced by viruses when copying themselves in order to defeat the most primitive signature-based scanners are easily stripped away, and the core program and its behaviour can be identified. Maybe I’m being over-simplistic or optimistic about the levels of cooperation possible between large corporations which answer to their shareholders. Any insiders care to share any information about the practicality or otherwise of such a name-sharing scheme?

PS: A third email with subject “UPS Tracking Number 6360851232” and an attachment name correctly spelled as UPS_Invoice_107.zip arrived while I was writing this.

It just seems odd that no-one is talking about these with reference to the subject or attachment names. Since it is totally obvious they are not really from UPS, what’s the issue? Has anyone else been receiving many of these?

About ukcrmguru
I'm an MVP for Dynamics CRM, consultant, Microsoft Certified Trainer and self-confessed geek. I also lead the UK CRM User group when I'm not too busy with all that.

37 Responses to UPS_Invoice.exe trojan received by email

  1. Adam Vero says:

    OK, so a few people now seem to be writing about this.
    Donna Buenaventura is a MVP for Consumer Security and wrote about this UPS email malware on her blog here:

    The guys and girls of DSLReports forums have also been discussing this trojan here, and have compiled a list of names this malware is called by various AV vendors, although many of them are generic.

  2. Fiddler51 says:

    I just got this: UPS_INVOICE_317.zip.
    Thanks for the heads up, I’ll remove it.
    Peace

  3. M@ says:

    Just received UPS_INOICE_107.zip; but it was empty. If our AV blocks something we normally get an attachment warning of this; but the file was just empty… Weird!

    My subject header was – “UPS Tracking Number 2073475990”

    Thanks for bringing this to light

    m@

  4. martin says:

    We have several of these arrived on our office systems yesterday…

  5. Andy says:

    I’ve just got UPS_Inoice_107.zip
    Very surprised that there are not many hits on Google for it.
    Andy

  6. Michael says:

    Just received 3 emails from qjcc@borderexpress.com.au regarding this.

    Will be interested to know what it does to your machine!?!

  7. Mick says:

    I’m glad I was suspicious of this one, but have had to do quite a bit of searching. Having downloaded some malware disguised as a codec earlier on this year (which was not spotted by antivirus software) and seriously living to regret it, it’s reassuring that forums like this continue to be alert. Cheers

  8. Adam Vero says:

    I had another at 42 minutes past midnight, again this was UPS_invoice_107.zip and subject had tracking number 7595441852, so it seems the subject line is varying a lot more than the attachment name.
    All of mine have claimed to be from different email addresses. Either they are the infected parties sending this out or, much more likely, this is simply a spoofed from address so that any “you sent me a virus” reports from people or automated AV filter systems will go to the wrong place and not help in identifying and cleaning up.

  9. webescape says:

    How dodgy; anything like this, the usual banking ones etc, just gets deleted straight away anyway, but thank you.
    http://webescape.wordpress.com/

  10. Pingback: Follow up post about UPS_Invoice trojan « Getting IT Right

  11. Mike says:

    About 18 of my employees got this in their mail last night (GMT), passing through two AV scanners in the process.

    Only now does one of them catch it and the other (McAfee) is still unaware of the problem and my DATs are up to date! Poor showing on McAfee here

    • welonaranee says:

      I find a lot of badly infected systems “protected” by McAfee these days. I just don’t think they are as good as they once were. Same thing happened with Norton, although I have read they are doing better of late. After doing a lot of testing, the only one I am happy with these days is Bit Defender, but who knows which one will be the “good” one in a few months. I was using Kaspersky, but they are now my second choice after BD.

  12. Giovanni says:

    I’ve received the mail, and I’ve opened it, because I was waiting for a packet from the States (I live in Italy) shipped at the end of June.

    It seems to me that the trojan installs a sort of antivirus called Microsoft XP Antivirus 2008 that Spybot obliterated in a moment. That’s my experience, hope to be useful, bye all!
    Giovanni.

  13. Steven says:

    Why does MS Forefront not pick this up? We have moved from Sophos, which I’m pretty sure would have identified this, but nothing from Forefront?

  14. Adam Vero says:

    Giovanni
    Thanks for the info. It seems that this XP2008 or XP AntiVirus 2008 payload is not contained in the actual zip file or its executable, but is downloaded separately by the malware, hence the description of this trojan as an Agent or a Downloader.
    I would suggest that you should check that you do not still have the actual virus on your system, even though you have successfully killed off one of the things it downloaded.
    If you need help, the SFDC Malware Adware Removal Team (SMART) at Security-Forums.com should be able to help out.

    Steven
    I can’t comment on Forefront specifically as I am not using it. In general though, all AV products have a built in flaw if they work by maintaining a list of all bad things. Not only is there an inherent time lag getting these lists updated on your machine, but identifying every variation of a piece of malware specifically is also hard. As I wrote in my follow up post, I received three different versions of just this one outbreak – how many others are out there?
    Note also that I did not catch this with an antivirus program, I was not infected simply because I did not open the attachment directly, but first saved it and had a poke around with Notepad. As I discuss in my post Using anti-virus software to keep the elephants away, I don’t run any antivirus on my main systems.
    I do feel sorry for people like Giovanni who get caught out because the email seems relevant at the time they receive it. A client of mine received an email confirming a change of password about two minutes after going through the “I forgot my password” process on a government website they needed to use urgently. Of course, it turned out to be malware arriving at a coincidental time, but the fact that they were running as a normal user with no admin privileges prevented any harm being done in that instance. A lucky escape.

  15. Levi Davila says:

    I would have just deleted it…

  16. Adam Vero says:

    Levi – me too if I had found lots of references to it but since no-one else had started publishing any details about it at that point I was intrigued. Deleting it is certainly the best way to avoid infection though.

  17. Claire Vian says:

    I am just a simple member of the public with limited knowledge of viruses etc. but I also received a fake UPS email on 14th July.

    I was immediately suspicious at the contents, address, wording, etc as they were a little strange and I was not expecting any parcels anyway. I tried to find any info about this on the internet, but is the first substantial piece of information I have found – so thank you.

    Obviously I did not open the attachment, and have now deleted the email – but just by opening it have I unwittingly allowed the virus to infect my computer?
    Thanks

  18. Adam Vero says:

    Claire
    As long as you have not opened this attachment you will be fine. That is usually the case with email-borne viruses, but not absolutely always.

    For example, there are some worms which can infect a machine by getting Outlook to run them automatically when an email is opened or even previewed in the reading pane. This relies on weaknesses in the application, and as far as I know current versions which are patched are OK, it is only those who have older versions without the latest security patches or service packs from Windows update / Office update which are vulnerable to this type of attack. Of course, a new vulnerability might be found to cause the same thing, so you should always be vigilant.

  19. Anita says:

    McAfee finally has something out there. http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132901 Noticed my installation of McAfee’s Groupshield was finally filtering this puppy, and that helped me locate the info on their site. Still, a sickeningly slow response. I guess I’m back to blocking ZIP files, again.

  20. Adam Vero says:

    Blocking zip files may not be such a bad idea, or at the very least treating them with higher suspicion than most other attachments.
    Some filters will detect file types based on their characteristics or contents, regardless of their extension, so they treat any compressed file as a “zip” file regardless of whether it has a .zip on the end or not. I have not seen any problems myself, but you may want to make sure you don’t end up blocking the new Office 2007 document files, since these are compressed exactly like zip files, so an over-zealous filter might block them on principle.

    Many good enterprise firewalls and email filtering applications will look inside zip files for malicious content, even in a zip inside a zip inside a zip (etc), but as always this relies on up to date virus signatures, which as we have seen are sometimes a little slow in coming through.
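
Both the post's Notepad peek (file names sit in clear text in a zip's central directory, so the contents can be listed without extracting anything) and the points in this comment (detect the type from the bytes rather than the extension, do not confuse Office 2007 packages with plain zips, walk nested archives) can be shown in one routine. The Python below is an added example, not code from the original post or from any filtering product; the sample archives are constructed in memory and their ".exe" members are a few bytes of text, not programs. The depth and size caps are design choices for the example, there to keep a nested or oversized archive from exhausting the inspecting machine.

```python
"""Look inside a zip attachment by content, without extracting it to disk.

Added example, not code from the original post or from any filtering
product. File names live in clear text in the zip central directory (what
the post's Notepad peek exposed), so they can be listed without inflating
anything; the archive kind is decided from its bytes rather than its
extension, Office 2007 (OOXML) packages are told apart from plain zips by
their [Content_Types].xml member, and nested zips are followed to a
bounded depth with a size cap on what gets inflated.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll")
MAX_DEPTH = 3                         # nested archives are followed this deep
MAX_INFLATE_BYTES = 16 * 1024 * 1024  # never inflate a member larger than this


@dataclass
class Report:
    name: str
    kind: str                                   # "zip", "ooxml", "bad-zip" or "not-zip"
    entries: list[str] = field(default_factory=list)
    suspicious: list[str] = field(default_factory=list)
    children: list["Report"] = field(default_factory=list)


def is_zip_bytes(data: bytes) -> bool:
    """Sniff the zip signature; the file extension is ignored on purpose."""
    return data[:4] in ZIP_MAGICS


def looks_executable(member: str) -> bool:
    return member.lower().rsplit("/", 1)[-1].endswith(EXECUTABLE_EXT)


def inspect(name: str, data: bytes, depth: int = 0) -> Report:
    """Describe an attachment blob and anything archived inside it."""
    if not is_zip_bytes(data):
        return Report(name, "not-zip")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Report(name, "bad-zip")
    with zf:
        infos = zf.infolist()             # reads the central directory only
        names = [info.filename for info in infos]
        kind = "ooxml" if "[Content_Types].xml" in names else "zip"
        report = Report(name, kind, entries=names)
        for info in infos:
            if looks_executable(info.filename):
                report.suspicious.append(info.filename)
            if depth >= MAX_DEPTH:
                continue
            with zf.open(info) as member:
                head = member.read(4)     # peek at the member's own signature
            if not is_zip_bytes(head):
                continue
            if info.file_size > MAX_INFLATE_BYTES:
                report.suspicious.append(f"{info.filename} (nested archive too large to inspect)")
                continue
            report.children.append(inspect(info.filename, zf.read(info), depth + 1))
    return report


def has_executable(report: Report) -> bool:
    """True if an executable-looking member was found at any nesting level."""
    return bool(report.suspicious) or any(has_executable(c) for c in report.children)


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct the sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples: the ".exe" members are a few bytes of text, not programs.
SAMPLE_INVOICE_ZIP = build_zip({"UPS_invoice.exe": b"placeholder, not a program"})
SAMPLE_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_NESTED = build_zip({"readme.txt": b"hi", "inner.zip": build_zip({"invoice.pdf.exe": b"x"})})
SAMPLE_TEXT = b"plain text wearing a .zip extension"


if __name__ == "__main__":
    for label, blob in [("UPS_Invoice_317.zip", SAMPLE_INVOICE_ZIP), ("report.docx", SAMPLE_DOCX),
                        ("bundle.zip", SAMPLE_NESTED), ("fake.zip", SAMPLE_TEXT)]:
        rep = inspect(label, blob)
        print(f"{label:22} kind={rep.kind:8} executable inside={has_executable(rep)}")
```

The central directory is read by `infolist()` without decompressing any member, which is all that is needed to spot UPS_invoice.exe inside the first sample; only members whose own first bytes look like a zip are inflated, and only when they are under the size cap, so a docx is reported as OOXML and left alone while a zip-in-a-zip still gives up the executable it hides.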

  21. Armen says:

    One of my clients received this email, the owner of the company…so he forwarded it to the accountant and office admin to investigate the “UPS” invoice…DOH…Admin opened it and her PC was ripped apart by at least 10 different Virus/Malware/Trojans…Majority of XP Services were disabled, PC was turned into a SPAM zombie…their ISP started receiving numerous complaints of MASS SPAM originating from their network…What a mess…anyone with any resolutions, please post to my inquiry on Experts-Exchange.

    http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Symantec/Q_23571648.html#a22022745

    Thank you,

  22. Armen says:

    it started on Monday and slowly killed the system…VirusRescue boot disks find nothing. Keyboard now disables once the XP GUI loads…reformat time. Same in safe mode.

    See my post above for the infections.

  23. fortressjc says:

    The following are some things I used to fix this virus. I don’t know if the filenames are the same for everybody, but use these as guidelines. Please use the following suggestions at your own risk! As always, be sure to make a backup before attempting anything.

    1) Remove pphc7fhj0e90j.exe, blphc7fhj0390j.scr, pphc7fhj0e90j.bmp, lphc7fhj0e90j.exe from C:\Windows\system32
    2) Remove folder C:\Program Files\rhc3fhj0e90j
    3) Remove .tmp files in C:\Windows\Temp
    4) Remove userini.exe from C:\Windows\system32
    5) Remove gko04.sys from C:\Windows\system32\drivers
    6) In regedit, search and remove entries pertaining to pphc7fhj0e90j, blphc7fhj0390j, lphc7fhj0e90j, gko04

    I hope this helps.

  24. SidC says:

    I just got this email, and *had* sent several things via UPS in the last few months. It did look bogus, though, so I googled it before opening it – thanks for the writeup.

  25. Nitish Anand says:

    We have been receiving these infected emails for the last week and Sophos is picking them all up as a Trojan. This malware contains fake parcel information.

    regards,
    Nitish.

  26. Art says:

    I just received this false UPS mail. Since I had sent something, I opened it just a second before I realized that it was an exe. I have not noticed anything yet. Can someone tell me how to spot the symptoms?
    Any automatic cure already?

  27. Jeff says:

    I ran the exe file on a test laptop, and it installed a trojan called win32.agent.pz which will install a spyware application that will place a little red “X” in your toolbar telling you your computer is infected with spyware… weird, it IS the spyware.

    anyways, get the fix here:

    COMBOFIX

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    or:
    http://www.forospyware.com/sUBs/ComboFix.exe

    YOU MUST RENAME THE FILE FOR IT TO RUN! The spyware will attempt to delete it if not.

  28. Pingback: UPS_Invoice email trojan variant claims to be from Customs Service « Adam Vero at Getting IT Right

  29. zeke says:

    I opened the UPS email in gmail and downloaded the attachment to my computer but never unzipped it and promptly deleted it. Is there any chance my computer could be infected? I’m on Windows XP.

  30. Riddhi says:

    Hello guys,

    This UPS email has really been in the wild for the last couple of days. The UPS_Invoice attachment installs a couple of trojans downloaded onto your system, and then the downloader downloads more trojans. The first thing that happens when you click on the attachment is that it installs a rootkit into the kernel, hides itself from the Windows API and disables your antivirus as soon as it is executed.

    I work for Symantec and so far there are 400 variants for this threat.

    As it disabled the antivirus at the first go, it then downloads some known and unknown trojans which will not be detected as the antivirus is non-functional already.

  31. Claire Vian says:

    Thanks for your reassuring reply last week, Adam. As far as I know my computer is not infected and for several days following first message (on 14th July) I did not receive any more of the UPS fake emails.

    However in the last 5 days I have received several (up to 6) each day – some as before; from “UPS” and others from Customs, and just in the last two days pretending to be from Continental Airlines re e-tickets (no I had not ordered any tickets). They all have attachments, but I have just deleted them without even reading the message.

    Interestingly there still seems to be very little info on the web generally about this problem.

    Is there anywhere, other than this site, where this information could be available to everyone?

  32. Adam Vero says:

    Claire
    Glad my humble blog could be of some help.
    I’ve also had a version masquerading as some bogus e-tickets, mine claimed to be from Midwest Airlines with whom I have never travelled. Text was as follows:

    Hello, Thank you for using our new service “Buy flight ticket Online” on our website.
    Your account has been created:
    Your login: Info
    Your password: passSJZK
    Your credit card has been charged for $438.88.
    We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket.
    To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

    Kind regards,
    Harris Rosas
    Midwest Airlines

    As with the Customs Tax Bill variant, the similarity of the wording was a bit of a red flag, but the approach here is slightly different. By telling people some money has been charged to their credit card it makes people worry they have been a victim of identity theft, or at the very least their card details have been stolen and used. This is more likely to trigger them to see what is in the invoice, hoping to identify who has done this.
    The executable in the attached E-ticket_N7399294.zip seems to be another ZBot variant (or whatever name is popular for it this week).

    In theory many of the main antivirus vendors do host such information – Network Associates Inc has a Virus Information Library at vil.nai.com, but that was a few days behind, along with everyone else, it seems. I would always suggest checking the site of the company you use for your antivirus software, whether online or installed software, free or paid for. That way you get an idea not just what the threat is, but whether your chosen solution is protecting you yet.

  33. Jim watson says:

    I just got one of these today, but the spam filter had filtered it out.

  34. Sachin Naik says:

    Well, it is now 2010 and this webpage is 1 year old.
    I received 4 such emails this year.

    The first was from “tracking.support@ups.com”
    the second and third were from “service@ups.com”
    the fourth from “shipping@dhl.com”

    The subjects were the same for the first 3 mails, i.e. UPS Manager (with some varying names),
    but for the fourth one it was DHL Manager (with a name).

    The mail body contained the following for all 4 mails:

    Hello!

    The courier company was not able to deliver your parcel by your address.
    Cause: Error in shipping address.

    You may pickup the parcel at our post office personaly!

    Please attention!
    The shipping label is attached to this e-mail.
    Please print this label to get this package at our post office.

    Please do not reply to this e-mail, it is an unmonitored mailbox.

    Thank you.
    United Parcel Service.

    Happy to see my AVG Free detected the threat in the email itself, with the following certification:

    Viruses found in the attached files.
    The file UPS_invoice _Nr34678.zip: Virus found FakeAlert. The attachment was moved to the Virus Vault.

    But I wonder why AVG did not detect the first 2 emails, and why it detected only the third and fourth email, when all 4 emails were the same.
    One more thing: I updated my AVG after I received the first 2 mails, so is it because of the update that it detected the 3rd and the 4th mail, even though the virus is 1 year old?

  35. drvanski says:

    Thanks for blogging this virus. Received my ‘UPS Invoice’ today and deleted it.
