UPS_Invoice email trojan variant claims to be from Customs Service
July 24, 2008
In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from “Customs Service” with the subject “Customs – We have received a parcel for you” and the following text:
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Your Customs Service
This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.
My parents were on holiday in France on July 9th (back home now), so this might just possibly have caught me out if I had not seen the previous variant, if the wording had been a bit less stilted (especially the signoff), and if the sender had actually been spoofed as the customs service rather than some random .com company. I guess the people most likely to fall for this would be anyone who bought something online from France or through eBay and who is not 100% sure where their purchase is being shipped from.
This time the attachment was called Tax_Invoice.zip, which expanded directly to the executable (no folders in between this time), called Tax_Invoice_________________________NHHDLS883298792929.exe. I guess the filename padding is a flimsy attempt to push the real extension out of view so that the name displays as the truncated “Tax_Invoice_…” or similar. Like the previous ones, this has a crude MS Word icon with rough edges that simply does not scale above “medium icons” view in Vista – any larger and it just shows the smaller icon in a larger grey box.
This one has an MD5 hash of 8CEB0F61089D86C086DCC08D6A783015.
Since the first rash of these emails last week, things had died down, presumably because the world’s antivirus vendors caught up with this new malware outbreak and the messages were mainly being caught at the sending end. I certainly received none for several days, then had two on Monday night / Tuesday morning with the same text as before:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office
(one bizarrely missed the apostrophe from “recipient’s” and replaced it with a space)
Both had the same attachment, UPS_INVOICE_978172.zip (47.9 KB or 49,110 bytes), which expanded to a 56 KB (57,344 bytes) exe of the same name with MD5 checksum DA4B7EF93C588AD799F1A1C5AFB6CFAD.
Thursday’s pair were just called invoice_8712.zip (48 KB or 49,192 bytes), which held a 55.5 KB (56,832 bytes) file called INVOICE_8712.exe with MD5 digest 9E2756F0A0AD988E149845B07216B181. All of this week’s emails had the subject “UPS Tracking Number nnn” with four different numbers: 1950761581, 8587187457, 7535113385, and 6853701924.
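The tricks described above (a zip that unpacks straight to an .exe, a file name padded with underscores so the extension scrolls out of view, and a handful of known MD5 digests) are easy to check for mechanically at a mail gateway or on a suspect attachment. The following is an added example, not code from the original post: it scans an in-memory zip, flags executable members by extension and by the PE “MZ” header, flags padded or double-extension names, and compares each member’s MD5 against the three digests quoted in this post. The sample zip it builds is constructed here (a dummy MZ stub under the padded name from the post plus one harmless text file) and is not the real trojan; the padding threshold of eight characters and the extension list are my own choices.

```python
"""Scan an e-mail attachment zip for the tricks the post describes.

Added example, not from the original post: flags zip members that are
executables (by extension or by the 'MZ' header), names padded with long
runs of underscores to push the extension out of view, double extensions,
and bodies whose MD5 matches one of the three digests quoted in the post.
"""
import hashlib
import io
import re
import zipfile
from typing import Dict, List

# The three MD5 digests quoted in the post (lower-cased for comparison).
KNOWN_MD5 = {
    "8ceb0f61089d86c086dcc08d6a783015",  # Tax_Invoice_..._NHHDLS883298792929.exe
    "da4b7ef93c588ad799f1a1c5afb6cfad",  # UPS_INVOICE_978172.exe
    "9e2756f0a0ad988e149845b07216b181",  # INVOICE_8712.exe
}

# Extensions Windows will execute directly on double-click (my own list).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Eight or more consecutive padding characters in the file name: the trick
# used to make "Tax_Invoice_____...exe" display as "Tax_Invoice_...".
# The threshold of 8 is an assumption chosen for this example.
PADDING_RE = re.compile(r"[_ .\-]{8,}")


def analyse_member(name: str, data: bytes) -> Dict[str, object]:
    """Return the indicators for one zip member (name + raw bytes)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "name": name,
        "size": len(data),
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "executable_ext": ext in EXEC_EXTENSIONS,
        "mz_header": data[:2] == b"MZ",  # DOS/PE executable magic
        "padded_name": bool(PADDING_RE.search(base)),
        "double_extension": len(parts) > 2 and ext in EXEC_EXTENSIONS,
        "known_sample": md5 in KNOWN_MD5,
    }


def scan_zip_bytes(blob: bytes) -> List[Dict[str, object]]:
    """Walk every file in an in-memory zip and analyse it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(analyse_member(info.filename, zf.read(info)))
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """'block' if any member shows an indicator, else 'allow'."""
    flags = ("executable_ext", "mz_header", "padded_name",
             "double_extension", "known_sample")
    for f in findings:
        if any(f[flag] for flag in flags):
            return "block"
    return "allow"


def make_sample_zip() -> bytes:
    """Constructed stand-in for Tax_Invoice.zip: a dummy MZ stub under the
    padded name from the post plus one harmless text file. Not the real sample."""
    padded_exe = "Tax_Invoice_________________________NHHDLS883298792929.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(padded_exe, b"MZ" + b"\x00" * 62 + b"dummy, not the trojan")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_zip_bytes(make_sample_zip())
    for f in results:
        print(f"{str(f['name'])[:20]:<20} md5={f['md5']} exe={f['executable_ext']} "
              f"mz={f['mz_header']} padded={f['padded_name']} known={f['known_sample']}")
    print("verdict:", verdict(results))
```

The MZ check matters more than the extension list: a renamed “Tax_Invoice.doc” that starts with MZ is still a PE file, and the crude Word icon the post mentions is only a resource inside it. MD5 matching catches the exact samples above but nothing repacked, so treat the hash set as a confirmation, not as the primary control.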