Repeat email attachments from UPS and Fedex

la33

I know these are fake because these two outfits don't communicate
directly with you about deliveries. The seller does. Also, when
telling Yahoo to show full headers, you can see that there are at
least a dozen other recipients listed.

Needless to say, I have never fallen for this nonsense.

I started getting these about 2 weeks ago. Anyone else receiving
them? Does anyone know exactly what malware/virus is in the
attachment?
 
Nick

I started getting these about 2 weeks ago. Anyone else receiving
them? Does anyone know exactly what malware/virus is in the
attachment?

Only two weeks? I've been getting those regularly for at least months, if
not years. Don't really remember when they started; they just blend into
the generic spam barrage.

No idea what's in the attachments: it all just gets deleted.

--
Nick <mailto:[email protected]>

Nick's First Law of Computer Virus Complaints:

Just because your computer is acting strangely or one of your programs
doesn't work right, this does NOT mean that your computer has a virus.
 
Nick

Aaaargh.... Forgot this until after I hit send.

I know these are fake because these two outfits don't communicate
directly with you about deliveries. The seller does.

Actually, if you create an account on the UPS site you can receive E-mail
tracking updates directly from them. You'll probably find similar services
at some other shipping companies.

Tried this with UPS a long time ago, but decided it wasn't worth the bother.
 
(PeteCresswell)

Per Nick:
Only two weeks? I've been getting those regularly for at least months, if
not years. Don't really remember when they started; they just blend into
the generic spam barrage.

No idea what's in the attachments: it all just gets deleted.

+1
 
David H. Lipman

From: said:
I know these are fake because these two outfits don't communicate
directly with you about deliveries. The seller does. Also, when
telling Yahoo to show full headers, you can see that there are at
least a dozen other recipients listed.

Needless to say, I have never fallen for this nonsense.

I started getting these about 2 weeks ago. Anyone else receiving
them? Does anyone know exactly what malware/virus is in the
attachment?

If it is like the "FedEx Document.exe" that I examined this AM, it was a rogue anti
malware installer and was a trojan.
 
jack4

(e-mail address removed) wrote in

Just had one yesterday. This gal found one supposedly from UPS in her Yahoo
SPAM folder. She was expecting a package from UPS so she opened it. She
said there were two attachments and one of them was a document. When she
said "document" I'm not sure if it was a *.doc attachment or just how she
determined it was a document. Anyway, when she opened it, she got nailed
with the "Windows 7 Recovery" malware.

I messed with it half the night and never did manage to get all her start
menu items back. I had already copied all her documents and pictures off
onto an external drive, so I just restored it back to factory. That's
getting to be a hassle too anymore. A Service Pack to put back plus all the
updates, etc.

Short answer: Windows 7 Recovery

You/her needs a recovery disk imaging program such as Acronis True
Image, Macrium Reflect, or one of the others that are out there.
Through the years, Acronis has saved my butt by allowing me to recall
a saved disk image instead of going through the hassle you had to go
through.
 
jack4

(e-mail address removed) wrote in

Just had one yesterday. This gal found one supposedly from UPS in her Yahoo
SPAM folder. She was expecting a package from UPS so she opened it. She
said there were two attachments and one of them was a document. When she
said "document" I'm not sure if it was a *.doc attachment or just how she
determined it was a document. Anyway, when she opened it, she got nailed
with the "Windows 7 Recovery" malware.

I messed with it half the night and never did manage to get all her start
menu items back. I had already copied all her documents and pictures off
onto an external drive, so I just restored it back to factory. That's
getting to be a hassle too anymore. A Service Pack to put back plus all the
updates, etc.

Short answer: Windows 7 Recovery

Thanks for the answer. I was just curious.

Here is a link which supposedly tells how to get rid of that virus.

http://remove-malwares.blogspot.com/2011/05/uninstall-guide-for-windows-7-recovery.html

Here is the Google search URL for more.

http://www.google.com/#hl=en&sugexp...gc.r_pw.&fp=905e9081899b75b1&biw=1440&bih=710
 
RayLopez99

I know these are fake because these two outfits don't communicate
directly with you about deliveries.  The seller does.  Also, when
telling Yahoo to show full headers, you can see that there are at
least a dozen other recipients listed.

Needless to say, I have never fallen for this nonsense.

I started getting these about 2 weeks ago.  Anyone else receiving
them?  Does anyone know exactly what malware/virus is in the
attachment?

I got one the other day supposedly from UPS--the tracking number was
too short and clearly fake. The Trojan was in a Zip file and
Microsoft Security Essentials caught it.

Don't know why there seems to be a push out to infect people.

RL
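
The indicators posters in this thread describe (a dozen recipients visible in the full headers, an attachment named like "FedEx Document.exe", a trojan inside a Zip file) can be checked without opening anything. This is an added example, not code from any poster; the recipient threshold, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_RECIPIENTS = 5  # assumed threshold: a genuine delivery notice goes to one person


def is_executable(name):
    # Trailing dots/spaces are stripped so "file.exe. " is still recognised.
    return name.lower().rstrip(". ").endswith(EXECUTABLE_EXT)


def triage(raw_bytes):
    """Return a list of findings for one raw message; nothing is executed."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = getaddresses([str(h) for h in headers])
    if len(rcpts) > MAX_RECIPIENTS:
        findings.append(f"{len(rcpts)} recipients in To/Cc")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable(name):
            findings.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    inner = [n for n in zf.namelist() if is_executable(n)]
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip: {name}")
                continue
            findings += [f"executable inside {name}: {n}" for n in inner]
    return findings


def build_sample():
    """Constructed sample: fake 'UPS' notice, 12 recipients, zip holding an .exe name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "UPS <notice@example.com>"
    msg["To"] = ", ".join(f"user{i}@example.com" for i in range(12))
    msg.set_content("Your package could not be delivered. See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` reports both the recipient count and the executable name found in the archive listing; the same function accepts the raw source of a saved message.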
 
FromTheRafters

RayLopez99 said:
I got one the other day supposedly from UPS--the tracking number was
too short and clearly fake. The Trojan was in a Zip file and
Microsoft Security Essentials caught it.

Don't know why there seems to be a push out to infect people.

RL
It's probably yet another Fake-AV (scareware/rogue security) trojan.
It looks to me like they are expanding on their delivery methods.
 
RayLopez99

It's probably yet another Fake-AV (scareware/rogue security) trojan.
It looks to me like they are expanding on their delivery methods.

So are you saying that people put out fake trojans, that trigger AV
programs but really don't harm your PC? Not that I'm going to find
out (I simply delete them), but that's a new idea. What would be the
purpose of these fake trojans (if they exist) other than perhaps
scaring people? Or is that the purpose?

RL
 
FromTheRafters

RayLopez99 said:
So are you saying that people put out fake trojans, that trigger AV
programs but really don't harm your PC?

No, there is a type of scareware that pretends to be a security program
(like a firewall, antimalware, antispyware, or antivirus) and most of
the ones I have seen pretend to be AV software that has found all sorts
of viruses and malware on your machine.

So, I'm just guessing that it is one of those.

It's not a virus or a worm, so it needs some way to get distributed. One
such way is to get a url spammed out that will lead the adventurous to
malware infestation. Other ways are by SEO poisoning or by redirects or
malvertizements.
Not that I'm going to find
out (I simply delete them), but that's a new idea. What would be the
purpose of these fake trojans (if they exist) other than perhaps
scaring people? Or is that the purpose?

Usually I encounter them by way of a script that makes a small browser
window that looks like a messagebox. Clicking on the red X is the same
as clicking the OK button and the script then runs a show for the user
to convince them that a scanner is finding all kinds of malware. Once
the user is offered a "Remove All" button (if you build it, they will
push) the script initiates a download (the trojan). When it is run, it
gives another show and expects the user to part with money in order to
fix the "problem".

The scripts themselves are sometimes heavily obfuscated, but can be
obtained from the browser's temp files (along with other related files).
 
David H. Lipman

From: "FromTheRafters" said:
Are these in competition with each other for marketshare, or are they cooperating?

It looks like competition. The malicious actors keep rolling them out and so they have
moved in some ways away from anti malware and security to now optimization of the OS and
hard disk problems.
 
Dustin

It's probably yet another Fake-AV (scareware/rogue security) trojan.
It looks to me like they are expanding on their delivery methods.

Nope. It's a downloader. [g]
 
RayLopez99

No, there is a type of scareware that pretends to be a security program
(like a firewall, antimalware, antispyware, or antivirus) and most of
the ones I have seen pretend to be AV software that has found all sorts
of viruses and malware on your machine.

So, I'm just guessing that it is one of those.

It's not a virus or a worm, so it needs some way to get distributed. One
such way is to get a url spammed out that will lead the adventurous to
malware infestation. Other ways are by SEO poisoning or by redirects or
malvertizements.


Usually I encounter them by way of a script that makes a small browser
window that looks like a messagebox. Clicking on the red X is the same
as clicking the OK button and the script then runs a show for the user
to convince them that a scanner is finding all kinds of malware. Once
the user is offered a "Remove All" button (if you build it, they will
push) the script initiates a download (the trojan). When it is run, it
gives another show and expects the user to part with money in order to
fix the "problem".

The scripts themselves are sometimes heavily obfuscated, but can be
obtained from the browser's temp files (along with other related files).

OK thanks for that detailed response. I've seen this and know what
you are talking about.

BTW I like the feature in Chrome and Firefox of deleting your temp
files when you flush your browser cache--IE (latest version) still has
a problem doing this 100% it seems (always has) since for example if
you sign up in Live.com or Hotmail after flushing the cache in IE your
name still appears as logged on (persistent).

I don't like 'temp' files as you say, and in the past have deleted
stuff that looks temp, though I've stopped doing that since some
installation programs store the CDs or DVDs virtually in a sort of
temp folder for future use (though I use Daemon Lite now to install
all programs that are on DVD)

RL
 
FromTheRafters

Dustin said:
It's probably yet another Fake-AV (scareware/rogue security) trojan.
It looks to me like they are expanding on their delivery methods.

Nope. It's a downloader. [g]
Found one of those (I think) the other day, a packed exe with Java
.class files in a Bingo folder.
 
