UPS_Invoice email trojan variant claims to be from Customs Service

In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from “Customs Service” with the subject “Customs – We have received a parcel for you” and the following text:

Good afternoon,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,

Rolland Hanna

Your Customs Service

This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.

My parents were on holiday in France on July 9th (back home now), so this might just possibly have caught me out had I not seen the previous variant, had the wording been a bit less stilted (especially the signoff), and had the sender actually been spoofed as the customs service rather than some random .com company. I guess the people most likely to fall for this would be anyone who bought something online from France, or through eBay, and who is perhaps not 100% sure where their purchase is being shipped from.

This time the attachment was called Tax_Invoice.zip, which expanded directly to the executable (no folders in between this time), called Tax_Invoice_________________________NHHDLS883298792929.exe . I guess the filename padding is a flimsy attempt to make the end part disappear from view so that it shows as the truncated name “Tax_Invoice_…” or similar. Like the previous ones, this has a crude MS Word icon with rough edges that simply does not scale above “medium icons” view in Vista; any larger and it just shows the smaller icon in a larger grey box.

This one has an MD5 hash of 8CEB0F61089D86C086DCC08D6A783015.
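The padded-filename trick above is easy to check for mechanically before anyone double-clicks. The following is an added example, not code from the original post: it builds a stand-in zip attachment in memory (the padded executable name is modelled on the one described; the payload bytes are constructed and are not the real sample), then flags executables inside the archive, long underscore padding, and names that a narrow file view would truncate, and records the MD5 of each entry for comparison with published hashes.

```python
import hashlib
import io
import re
import zipfile

# Name modelled on the attachment described in the post; the payload is constructed.
PADDED_NAME = "Tax_Invoice_________________________NHHDLS883298792929.exe"
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_zip(name: str, payload: bytes = b"MZ-not-a-real-program") -> bytes:
    """Build an in-memory zip holding one entry; stands in for the mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def analyse_attachment(zip_bytes: bytes, display_width: int = 20) -> list[dict]:
    """Return one finding per file in the archive, with the reasons it looks suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Earlier variants wrapped the exe in a folder, so look at the leaf name only.
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable inside archive")
            # Long runs of underscores push the real extension out of a truncated view.
            longest_run = max((len(r) for r in re.findall(r"_+", stem)), default=0)
            if longest_run >= 8:
                reasons.append(f"filename padded with {longest_run} underscores")
            if len(name) > display_width:
                shown = name[: display_width - 3] + "..."
                reasons.append(f"name would be truncated to {shown!r} in a narrow view")
            data = zf.read(info)
            findings.append({"name": name, "size": len(data),
                             "md5": hashlib.md5(data).hexdigest(), "reasons": reasons})
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """True if any entry in the archive triggered at least one reason."""
    return any(f["reasons"] for f in analyse_attachment(zip_bytes))
```

Run `analyse_attachment` over a saved .zip read in binary mode; the MD5 values it reports can be compared against those quoted in this post and the comments.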

Since the first rash of these emails last week, things had died down, presumably because the world’s antivirus vendors caught up with this new malware outbreak and the emails were mainly being caught at the point of sending. I certainly received none for several days, then had two on Monday night / Tuesday morning with the same text as before:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

(one bizarrely missed the apostrophe from “recipient’s” and replaced it with a space)

Both had the same attachment UPS_INVOICE_978172.zip (47.9 KB or 49,110 bytes in size), which expanded to a 56KB (57,344 bytes) exe of the same name with MD5 checksum DA4B7EF93C588AD799F1A1C5AFB6CFAD.

Thursday’s pair were just called invoice_8712.zip (48 KB or 49,192 bytes) which held a 55.5 KB (56,832 bytes) file called INVOICE_8712.exe with MD5 digest of 9E2756F0A0AD988E149845B07216B181. All of this week’s emails had the subject “UPS Tracking Number nnn” with four different numbers: 1950761581, 8587187457, 7535113385, and 6853701924.

About ukcrmguru
I'm an MVP for Dynamics CRM, consultant, Microsoft Certified Trainer and self-confessed geek. I also lead the UK CRM User group when I'm not too busy with all that.

18 Responses to UPS_Invoice email trojan variant claims to be from Customs Service

  1. Rdv says:

    Does this extract to any particular place under windows?

  2. Adam Vero says:

    Doesn’t seem to if you open it directly from the email. As with any attachment, it gets saved to a temporary location under your profile then opened from there, so that’s where it expands, and the zip is set to autorun the contained exe file.

    Incidentally, I have received a second one, this time supposedly sent by a Mr. Elton Herron of the Customs Service. The attachment is identical, no variation seen yet.

  3. Rdv says:

    I’ve received a number today, all from different spoofed addresses. The latest was as below, but had Tax_invoice.zip as the attachment:

    Good afternoon,

    We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

    Kind regards,
    Emile Crawford
    Your Customs Service

  4. Paul says:

    I received one of these today:

    “Dear Sirs,
    We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
    Kind regards,
    Staci Lovett
    US Customs Service”

    The attachment was also called ‘Tax_invoice.zip (21.0KB)’, which expanded to 29KB. The .exe file had the same name as the one in the first post.

    I knew it was a fake as soon as I saw ‘US Customs’. I’m in the UK, so why would a package from France, to the UK, go via the US?

    I know some people in France, so had the sender not changed the ‘Your Customs Service’ (as stated in posts above), to ‘US Customs service’, I could possibly have fallen for it. Obviously not once I’d seen that it opened into an .exe file though!

    I even have a UK email address! Idiots!

  5. Pingback: Virus Threat - Customs Service - Rancho Murieta, CA Forums

  6. Joseph says:

    Hi All,

    I received this virus also today; the funny thing was that my Yahoo anti-virus security was not able to identify it as a virus?? Very strange, it is the first time it failed. According to my Yahoo page it uses Norton anti-virus for its protection, so maybe this virus is so new it has not been flagged yet.

    I’ll bet by the end of today Yahoo will update their virus scan programs and this will be caught in its net.

    Best Regards Joseph

  7. catarina says:

    Also received the same thing. I receive packages from France from time to time, since I am doing my PhD there.

    Here’s what I received:

    “Dear Sirs,

    We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

    Kind regards,
    Graciela Simmons
    Your Customs Service”
    Attached: Bill_tax.zip

    Also didn’t open it, of course.

  8. Mike says:

    Hi guys, Some of my users got this email today and a couple were dumb enough to click the attachment.

    We have Symantec which once updated takes care of the file now. Has anyone had any success with the other crap that gets dropped when a user is stupid enough to launch the virus?

    Is there a remover, or should Symantec take care of this as well?

    Thanks,
    Mike

  9. Robert says:

    I just now updated my McAfee anti-virus and scanned it, and it still doesn’t recognise Tax_Invoice____….exe as malware. Not impressive. Fortunately, our environment blocks the running of any unauthorised software using software restriction policies.
    Thanks for the info.

  10. Harry says:

    AVG detects it as “Trojan horse Pakes_c.RX” but I can’t find any more information.

  11. Paul says:

    This arrived to one of my users as the French customs package, with Bill_Tax.zip as attachment. Virustotal.com shows decent coverage, but McAfee doesn’t detect it even with current definition files.

    Virustotal results:
    Antivirus Version Last Update Result
    AhnLab-V3 2008.7.25.1 2008.07.25 –
    AntiVir 7.8.1.12 2008.07.25 –
    Authentium 5.1.0.4 2008.07.24 W32/Downldr2.DBPY
    Avast 4.8.1195.0 2008.07.25 –
    AVG 8.0.0.130 2008.07.25 –
    BitDefender 7.2 2008.07.25 Trojan.Spy.Wsnpoem.EK
    CAT-QuickHeal 9.50 2008.07.24 –
    ClamAV 0.93.1 2008.07.25 Trojan.Zbot-1713
    DrWeb 4.44.0.09170 2008.07.25 Trojan.Proxy.3731
    eSafe 7.0.17.0 2008.07.24 Suspicious File
    eTrust-Vet 31.6.5981 2008.07.25 –
    Ewido 4.0 2008.07.25 –
    F-Prot 4.4.4.56 2008.07.24 –
    F-Secure 7.60.13501.0 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
    Fortinet 3.14.0.0 2008.07.25 –
    GData 2.0.7306.1023 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
    Ikarus T3.1.1.34.0 2008.07.25 –
    Kaspersky 7.0.0.125 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
    McAfee 5346 2008.07.24 –
    Microsoft 1.3704 2008.07.24 –
    NOD32v2 3298 2008.07.25 –
    Norman 5.80.02 2008.07.24 –
    Panda 9.0.0.4 2008.07.25 –
    PCTools 4.4.2.0 2008.07.24 –
    Prevx1 V2 2008.07.25 –
    Rising 20.54.42.00 2008.07.25 –
    Sophos 4.31.0 2008.07.25 Mal/Spy-A
    Sunbelt 3.1.1536.1 2008.07.18 –
    Symantec 10 2008.07.25 Backdoor.Paproxy
    TheHacker 6.2.96.389 2008.07.25 –
    TrendMicro 8.700.0.1004 2008.07.25 –
    VBA32 3.12.8.1 2008.07.24 suspected of Malware-Cryptor.Win32.General.2
    ViRobot 2008.7.25.1310 2008.07.25 –
    VirusBuster 4.5.11.0 2008.07.24 –
    Webwasher-Gateway 6.6.2 2008.07.25 –

    Additional information
    File size: 68096 bytes
    MD5…: 3f4fa8fa60369c31a9ce18790e0c3ccd
    SHA1..: 49d395d59baf40499bcbfa91bf4db02fd64a2c5b
    SHA256: abcffbb0c5cc52f3f68209c0a3afc5e092a96ea9d80f68642f23f01fbdcff7e1
    SHA512: 05048600882216adffeeff009b753fe51da001b3cedb44dc477f4a3b9092a5ea53b1ec87288551e0e57701bd8c8702599db31511878f97d7286ff296bd8b9335
    PEiD..: –
    PEInfo: –
    packers (F-Prot): rtf

  12. Ed says:

    I happened to just have gone through US customs the same day as I received the email. Figures.

    Once I finally deleted the virus, all of my computer icons as well as my start menu disappeared, and I still cannot get them back. If anyone has any information on how to recover my computer, please tell me.

  13. scott says:

    Look up info on the ntos.exe virus, disable system restore, remove it, delete files and directory System32/wnspoem/*

    run spybot to find registry entries and remove those. This is a start if you had the registry change enabled.

  14. Andrew says:

    I have to confess I was one of the people who fell for this. Please spare a thought for us before you call us ‘idiots’. I am normally very careful not to open such attachments, but this really caught me off guard: I live in the UK and have ordered a cd box set from the marketplace at amazon.fr on 7 July, which means it is shipped from the US, and it is close to the 18GBP mark at which one must pay import duty. A lapse when you read your mail and it could so easily happen. I have had the stuff removed from my machine in the meantime, though.

  15. stevec says:

    I fell for it, too. I run websites for a living, and I usually know a virus when I see one. But I also receive around 2000 emails a day, about 70 of which come from UPS. So, I scan and open quickly. Stupid, no. Hasty, maybe.

    I thought I had wiped this thing clean using Avast, but now my PC has started sending the “Customs Service” email. I took it offline, of course. Now looking for a fix. Any ideas?

  16. Dave says:

    The Travel Industry is being hit with a similar trojan…”trojan horse Pakes_c.SE”. And, of course, I can’t find anything either. Looking through Google is where I found this site. The sender sends the trojan in a zipped file named eTicket# and a ticket #. As soon as you unzip it you find the exe sitting there, which is a dead giveaway that something is terribly wrong. I hope you all have good defenses. My AVG also picked it up during this morning’s scan. Good luck to ya’all.

  17. Adam Vero says:

    Dave
    You are right, there seems to be a bunch of variations now about flight tickets, as I commented on in the original UPS thread here.
    I have now had several of these; the wording does seem to vary more than the earlier types. I have them from Fletcher Ferguson of JetBlue Airways; Trevor Naquin, United Airlines; and Harris Rosas, Midwest Airlines.
    The subject line of the first one seemed to have been left incomplete by the spammer, it came through as “Your order from {airlines} N5909431”. Others have quoted different e-ticket numbers (4310190530, 4709645411) but the attachments bear no relation to these at all (E-ticket_7399294.zip, eticket#1721.zip twice). Also the ‘password’ provided in each email was passABCD where ABCD were 4 seemingly random letters.

  18. David Minter says:

    I also received the pakes_c.se trojan horse in the email attachment file eTicket#1721.zip. Fortunately the AVG email scanner intercepted the attachment and deleted it. I was not going to open the email anyway, but did check my credit cards just in case someone had actually been able to put an entry to my account.
