Wednesday, 16 March 2011

FedEx notification #85645


You might have read my previous blog post:

This time it's FedEx to be the subject of a new and highly active spam campaign.

I received different emails, all containing a notification that I can find more information about my package in the attachment. The subject of one of these mails was "FedEx notification #85645".

They all have a different tracking number after the #, but the content is always exactly the same:

Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you. © FedEx 1995-2011

In all of these spam emails, you will find an attachment, which can be called either
FedEx letter.zip, FedEx notice.zip or document.zip.


Document.exe attached to email


Just like in the UPS spam campaign, an Adobe Acrobat icon is again used to trick you. In fact this "Document" file is not a PDF file, but an executable which can infect your computer.


Document.exe
Result: 15/43 (34.9%)
MD5: 09410950dd80df3083ae87cf839643e2


FedEx notice.exe
Result: 31/43 (72.1%)
MD5: 5fe59b88e60f000c7e437518cc6a6cfe
ThreatExpert


So far the subjects seen in this FedEx campaign vary between these three:

FedEx notification #[random number]
FedEx Reminder – Invoice [random number]
FedEx ticket #[random number]



Conclusion

You should never trust an email which has:

- only a URL included in the message
- an attachment that you need to open to view 'information'
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, but delete it immediately without opening it.

If you have (unintentionally) downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Saturday, 26 February 2011

Windows Live Phishing


This morning I received an email claiming that the database and email account center for Windows Live would be upgraded. They need to delete all unused accounts, and to make sure that yours won't be deleted, you have to notify the Windows Live team.


Email subject: Account Alert!!
Windows Live Team Alert Confirmation


You need to reply with your User name, Password, Date of Birth and Country or Territory. In reality this is a typical phishing campaign for retrieving your login details.


In the last 2 paragraphs it also states:

"YOUR DETAILS WILL NOT BE SHARED"
-> this is to comfort you so you know that your credentials are safe
and
"Warning!!! Account owner that fails to verify his/her account after two weeks of receiving this warning will lose his or her account permanently."
-> This is your typical scare tactic; if you don't do as instructed, your email account will be deleted.



Conclusion

In reality, Windows Live will not send you any emails instructing you to send your password to them so they can verify it is still active. Also, they won't delete your account without a valid reason.

Never reply to these kinds of messages, delete the email and you're good to go.

Tuesday, 15 February 2011

Facebook rogue applications still lurking around


Recently I made a post on Malware Disasters about rogue applications on Facebook.

Here's a small excerpt:

For quite some time now there have been rogue applications trying to convince you that you can check who has viewed your profile. There are a lot of different names for this rogue application, some but not all include:


  • creep exterminators
  • catch them being creepy
  • creepy profile peekers
  • privacy bros
  • we catch stalkers


Profile Creeps application



You can read the full article here:
http://malwaredisasters.blogspot.com/2011/02/facebook-rogue-applications-still.html



Conclusion

The conclusion is quite simple: never trust an application on Facebook that promises things that look too good to be true. When things look too good to be true, they probably are ;) .

Always be careful when allowing applications access to your data and/or wall.

Wednesday, 9 February 2011

United Parcel Service notification #82929

Today I received an email with the subject "United Parcel Service notification #82929"

Apparently my order was sent to my home address and now they are sending me an email with additional information. How kind of them :) .



You can supposedly find more information in attachment


The text is mostly the same; here's a small variant:
Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.



There is a file attached called "USPS_Document.zip". Other variants may be: "UPS_Document.zip", "UPS.zip", "UPS-tracking.zip", and so on. In the ZIP archive you will find a file called UPS_Document:


UPS_Document.exe


What stands out here is that the file is not a PDF file, as you might think, but is in fact a malicious executable.


UPS_Document.exe
Result: 38/41 (92.7%)
MD5: 047bcd79fa681442b37bdf9b56c2257f


UPS.exe


Result: 17/43 (39.5%)
MD5: a668f20228e37a12bc033f5e2c014007
VirusTotal
ThreatExpert



Other subjects of this email might be:
- United Parcel Service notification #[random number]
- UPS Delivery Problem #[random number]
- UPS notification #[random number]
- United Parcel Service
- Post Express Service. Track your parcel! NR[random number]
- Post Express Information. You need to get a parcel NR [random number]
- UPS ticket #[random number]



Conclusion

You should never trust an email which has:

- only a URL included in the message
- an attachment that you need to open to view 'information'
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")

Never reply to this kind of email, simply delete it and don't look back ;) .

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!
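Besides uploading a suspicious file, you can screen the mail itself for the red flags the UPS and FedEx posts describe. The script below is an added example, not code from this blog: it parses a raw message, checks the subject against the templates listed in both posts ("[random number]" becomes a digit run), hashes every attachment against the MD5 values quoted on this page, and looks inside a ZIP attachment for an .exe member without extracting anything to disk. The sample message, the sender and recipient addresses, and the 20 MB member-size cap are constructed assumptions; the "UPS_Document.exe" inside the sample ZIP is a text placeholder, not the real file.

```python
# Added example (not the blog's code): screen a raw RFC 822 message for the
# red flags described in the UPS and FedEx posts above.
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5 values quoted on this page: Document.exe, FedEx notice.exe,
# UPS_Document.exe, UPS.exe and pack.exe.
KNOWN_BAD_MD5 = {
    "09410950dd80df3083ae87cf839643e2",
    "5fe59b88e60f000c7e437518cc6a6cfe",
    "047bcd79fa681442b37bdf9b56c2257f",
    "a668f20228e37a12bc033f5e2c014007",
    "b7fcca77d20fb5ac43792ad56f6fc75e",
}

# Subject templates listed in the posts; "[random number]" is rendered as \d+.
SUBJECT_PATTERNS = [
    r"FedEx notification #\d+",
    r"FedEx Reminder [-\u2013] Invoice \d+",
    r"FedEx ticket #\d+",
    r"United Parcel Service notification #\d+",
    r"UPS Delivery Problem #\d+",
    r"UPS notification #\d+",
    r"United Parcel Service",
    r"Post Express Service\. Track your parcel! NR ?\d+",
    r"Post Express Information\. You need to get a parcel NR ?\d+",
    r"UPS ticket #\d+",
]

MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumption: never inflate anything larger


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def subject_matches_template(subject: str) -> bool:
    return any(re.fullmatch(p, subject.strip(), re.IGNORECASE) for p in SUBJECT_PATTERNS)


def inspect_zip(name: str, data: bytes) -> list[tuple[str, str]]:
    """Look inside a ZIP attachment in memory; nothing is written or executed."""
    findings: list[tuple[str, str]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = info.filename
                if member.lower().endswith(".exe"):
                    findings.append(("zip_contains_exe", f"{name} -> {member}"))
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(("zip_member_too_large", f"{name} -> {member}"))
                    continue
                if md5_hex(zf.read(info)) in KNOWN_BAD_MD5:
                    findings.append(("known_bad_md5", f"{name} -> {member}"))
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported archive: still worth a flag.
        findings.append(("zip_unreadable", name))
    return findings


def screen_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no flag was raised."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    subject = str(msg.get("Subject", ""))
    if subject_matches_template(subject):
        findings.append(("subject_template", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if md5_hex(data) in KNOWN_BAD_MD5:
            findings.append(("known_bad_md5", name))
        if name.lower().endswith(".exe"):
            findings.append(("exe_attachment", name))
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(name, data))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample resembling the UPS mail quoted above (harmless bytes)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_Document.exe", b"placeholder text, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "United Parcel Service notification #82929"
    msg["From"] = "tracking@example.invalid"  # constructed
    msg["To"] = "me@example.invalid"          # constructed
    msg.set_content("Dear customer.\n\nThe parcel was sent your home address.\n"
                    "More information and the tracking number are attached in document below.\n")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="USPS_Document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for code, detail in screen_message(build_sample_message()):
        print(f"{code:22s} {detail}")
```

On the constructed sample this raises two flags, the campaign-style subject and an .exe hidden in the ZIP, and no hash match, which is exactly the situation the posts warn about: a clean hash list is not a clean verdict, so the structural checks matter more than the MD5 lookup.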

Additionally, if you have executed the file, and believe you are infected, you can follow this guide to remove the malware:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial

Feel free to add any comments if you have any problems or questions.

Tuesday, 8 February 2011

"m28sx" worm: back in business?


You might remember my previous post about a new Twitter worm called "m28sx" that spreads a fake antivirus (aka rogueware) called Security Shield:

Today I got an email with the subject "HELLoo" and only a link in it. The link ended with m28sx.html.


Different redirects starting at the compromised website


There are 3 redirects before you eventually land on the fake scanner page:

Messagebox alerting you of infections on your system



Fake scan message showing numerous infections



The following file is dropped:

pack.exe
Result: 7/43 (16.3%)
MD5: b7fcca77d20fb5ac43792ad56f6fc75e

The payload is a rogueware called 'Security Shield'.

When executing the dropped file (pack.exe):

A warning that Security Shield was installed successfully



Security Shield rogueware finding (non-existent) infections



Conclusion

Always be careful when clicking on a URL that you do not recognize or that is shortened so you cannot see the real URL. In this case, a website was compromised and the "m28sx.html" page was placed on it. Actually, be careful with ANY URL ;) .

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

As an extra note: this one might resurface on Twitter, so be on the lookout these days for links that end with "m28sx".