A few hours ago (22 July 2008, 03:41 a.m. PST), our EMEA threat analysts were able to catch the following UPS spam samples from our honeypots. Apparently, the spam run we saw last week (discussed in the blog entry Trojans Deliver) is just beginning to pick up.
Here are the fresh UPS spam samples:


Banking perhaps on a previous observation from the earlier UPS post:
The B2C (business-to-consumer) parcel industry is set to be the next big thing in Europe, says market research company Datamonitor, according to M2 Presswire in this report. European users, especially those who routinely have purchases delivered to them, should be extra careful when receiving communications from their parcel delivery company of choice. At the very least, it is recommended to treat such messages with suspicion when their format (content, sender address, attachment type) differs from the genuine ones. It might be best to track deliveries online or by phone instead.
Fortunately, the Trend Micro Smart Protection Network already detects these files as TSPY_ZBOT.PF. As we write this, more samples are being seen.
Updates as of 22 July 2008
TSPY_ZBOT.PF downloads an encrypted configuration file from a remote site. The said file contains banking-related URLs which the spyware monitors in Internet browser address bars. When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes. The gathered data is saved in a file and then sent to a remote site through an HTTP POST. The URLs listed in the downloaded configuration file may change at any time.
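The advice above boils down to two checks a mail gateway or user-side filter can apply to a parcel notice: does the sender domain match the carrier the display name claims, and does the message carry an executable or archive attachment where a delivery notice would not? The following is an added example, not code from the original post or from Trend Micro; the carrier domain set, the risky-extension list and the sample message are all constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains the carrier is expected to send from (assumption for this example).
EXPECTED_SENDER_DOMAINS = {"ups.com"}
# Attachment types a delivery notice should never carry (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".zip"}

# Constructed sample resembling the lure described in the post; not a real sample.
SAMPLE_EMAIL = """From: "UPS Customer Service" <service@example.invalid>
To: recipient@example.org
Subject: UPS Tracking Number 1234567890
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Unfortunately we were not able to deliver your postal package.
Please print out the invoice copy attached and collect the package at our office.
--XX
Content-Type: application/octet-stream; name="UPS_invoice_1234567890.exe"
Content-Disposition: attachment; filename="UPS_invoice_1234567890.exe"

placeholder-bytes
--XX--
"""


def check_parcel_notice(raw: str) -> list[str]:
    """Return the reasons a message looks like a parcel-spam lure (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims the carrier, but the address domain is not the carrier's.
    if re.search(r"\bups\b", display_name, re.IGNORECASE) and domain not in EXPECTED_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain!r} does not match claimed carrier")
    # Delivery notices are text; flag any executable or archive attachment.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"executable/archive attachment {name!r}")
    return reasons


if __name__ == "__main__":
    print(check_parcel_notice(SAMPLE_EMAIL))
```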



July 23rd, 2008 at 7:11 am
[...] through HTTP post. The URLs listed in the downloaded configuration file may change at any time.” UPS Spam: Trojan Courier of Choice | TrendLabs | Malware Blog – by Trend Micro If you get an e-mail that appears to come from UPS regarding a package that wasn’t delivered, just [...]
July 24th, 2008 at 2:26 pm
[...] more information about the detail of the actual email can be found on the Trend Malware Blog. The worrying thing about this e-mail is that both of the machines that it infected have [...]
August 19th, 2008 at 11:08 am
[...] Originally Posted by maccecht No not one of those silly ones this one is actually real. You get an email allegedly from UPS telling you the package you posted needs to be collected as the address you sent it to is not known. There is a receipt attached as an attachment. If you open it it does really nasty things to your computer. Trust me this is true don’t ask how I know needless to say I am £150 lighter to get it sorted. So folks watchout for it. The IT bod who sorted things out for us says it is a particularly nasty one and is still doing the rounds. UPS Spam: Trojan Courier of Choice [...]
September 7th, 2008 at 6:10 am
[...] seen invoice spam runs related to UPS, FedEx, and of course, German-language Rechnung spam receipts. Now, this new invoice spam claims to [...]