Recently one of my email addresses has been receiving a constant stream of emails claiming to come from DHL system, Post Express notification, Post Express Information, United Parcel Service and Post Express Parcel. I started receiving those emails on 9th March and I am still getting them today. Before we go any further, please note that all of those emails are FAKE and contain attachments which are malware that installs fake anti-spyware software on your computer, trying to convince you that your computer has tons of infections and getting you to pay them money to register the software. To be honest, I nearly fell for the trick and ran the attachment because, coincidentally, I was expecting a package from DHL and had signed up for email notifications… From:
United Parcel Service Notification Letter.zip
United Parcel Service document.zip
Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below.
Dear Customer. Email notification No.4185840. Your package has been returned to the Post Express office. The reason of the return is “Error in the delivery address”. Important message! Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages! Thank you for your attention. Post Express Service.
Dear customer. The parcel was sent your home address. And it will arrive within 3 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.
I ran all of the attachments on my test computer and found a lot of interesting things happening.
– The executable attachment melts (deletes itself after running) and drops a document.doc file showing details of delivery parcels.
– It secretly downloads and installs Win 7 Anti-Spyware 2011 or Win 7 Anti-Virus 2011 and shows a fake Action Center. It tries to convince you that your computer has viruses so that you will enter your credit card details in the software to register it.
– When Task Manager is run, a fake Microsoft Security Essentials Alert window opens. If you click the Scan Online button, the computer restarts and runs CleanThis, the “World’s leading security solution”. There is no way to get back into Windows, even in Safe Mode, because CleanThis runs automatically before Explorer and disables Windows Task Manager (Ctrl+Shift+Esc). The only way to clean this up is with an antivirus rescue disk, preferably Avira’s or Kaspersky’s.
– Connections are secretly made to the Yahoo, AOL, Gmail and GMX SMTP servers and to IP addresses in Ukraine and the UK.
The older attachments are already detected by most antivirus products, but as for the latest one, which I have just received, only 18 out of 41 antivirus engines detect it as a trojan. Some of the famous antivirus brands such as Avast, AVG, Comodo, Panda and F-Secure missed it. I believe the person who created this is not going to stop any time soon, because I can see that every newer version has improved infection logic and has its typing errors (typos) corrected. Antivirus is not going to fully protect your computer if you are one of the earlier people to receive the newer version of the malware. You can either immediately delete the email or submit the sample to your antivirus vendor. Most antivirus products have a built-in feature to upload a suspicious file directly to the analysts.
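As an added example (not the author’s code), here is a small mail triage check in Python for the pattern described in this post: a message whose sender or subject names a parcel carrier and whose zip attachment contains an executable. The sample message, the sender address `notify@example.invalid` and the attachment contents are constructed for the demonstration; the script inspects the zip members by name and by their first bytes, since the name inside the archive can lie.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Carrier names the lure emails in this post impersonate; extend as needed.
CARRIER_PATTERN = re.compile(r"\b(DHL|United Parcel Service|UPS|Post Express)\b", re.I)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def build_sample_message(member_name: str, payload: bytes) -> bytes:
    """Construct a test email (not a real sample) with a one-member zip attachment."""
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <notify@example.invalid>"  # constructed sender
    msg["Subject"] = "United Parcel Service Notification"
    msg.set_content("Dear customer. The parcel was send your home address.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="United Parcel Service document.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> list:
    """Return the reasons a message matches the parcel-lure pattern ([] if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True)
        if not name.lower().endswith(".zip") or not data:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    with zf.open(member) as fh:
                        magic = fh.read(2)  # read only the header, never the whole member
                    # Check the name (catches document.doc.exe) and the PE "MZ" magic,
                    # because the member name may not reflect the real file type.
                    if member.lower().endswith(EXECUTABLE_SUFFIXES) or magic == b"MZ":
                        reasons.append(f"{name}: contains executable {member}")
        except zipfile.BadZipFile:
            reasons.append(f"{name}: attachment is not a valid zip")
    # Only escalate when the executable arrives under a carrier's name.
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')}"
    if reasons and CARRIER_PATTERN.search(header_text):
        reasons.append("sender or subject impersonates a parcel carrier")
    return reasons
```

A genuine carrier notification with no executable inside the archive produces an empty list, so the check flags the lure without blocking ordinary tracking emails.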