Posts Tagged ‘Your_UPS_f857.exe’

Just found this one this morning. A phishing email arrived on a user’s machine claiming to be from UPS. The email didn’t even look official; it was all in plain text too. The message in the email is copied below, and the supposed date on which the parcel was undeliverable always differs.

Subject: UPS Delivery Problem NR.9618

Unfortunately we failed to deliver the package which was sent on the 24th of June in time because the recipient’s address is wrong.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service.

The interesting thing was this: I saved the attachment to the C: drive, still inside the zip folder, then scanned the .zip folder with AVG, and AVG reported no viruses found.

On the other hand, it could have been a program with non-malicious code as far as the system is concerned, which still sent off details and is only malicious in principle rather than in code. Only an idea, because I didn’t open it…! 😛

This was an official warning released on the UPS website:

Attention Virus Warning
Service Update

We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This email attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

The attachment contains malware, detected as Trj/Agent.JEN by the internet security company PandaLabs, that can replace an important file on Windows computers and then download other malware to the infected computer. PandaLabs notes:

This malware copies itself to the system, replacing the Windows Userinit.exe (the file that runs explorer.exe, the interface of the system, and other important processes), and copies the legitimate file as userini.exe so that the computer can continue to work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occasions by banker Trojans. From this domain it redirects the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.
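The Userinit.exe replacement PandaLabs describes is easy to check for on a suspect machine. The script below is an added triage example, not code from this post or from PandaLabs; it assumes a standard Windows install under $env:SystemRoot and needs an elevated PowerShell prompt for the registry and signature checks.

```powershell
# Added example: triage checks for the Userinit.exe swap described above.
# Assumes a standard Windows layout (System32 under $env:SystemRoot).
function Test-UserinitIntegrity {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $userinit = Join-Path $system32 'userinit.exe'
    $parked   = Join-Path $system32 'userini.exe'   # name the legitimate file is renamed to

    # 1. The binary Winlogon launches at logon should still carry a valid
    #    Microsoft Authenticode signature. A replaced file will not.
    $sig = Get-AuthenticodeSignature -FilePath $userinit
    $signedOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # 2. The report says the real userinit.exe is parked as userini.exe so the
    #    machine keeps booting. That file does not exist on a clean system.
    $parkedCopyPresent = Test-Path $parked

    # 3. The Winlogon Userinit value should point only at the expected path.
    #    Extra entries here are a common way to persist a logon-time loader.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value    = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $entries  = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $expected = "$userinit"
    $regOk    = ($entries.Count -eq 1) -and ($entries[0] -ieq $expected)

    [pscustomobject]@{
        UserinitPath        = $userinit
        SignatureStatus     = $sig.Status
        Signer              = $sig.SignerCertificate.Subject
        SignatureOk         = $signedOk
        ParkedCopyPresent   = $parkedCopyPresent
        WinlogonUserinit    = $value
        WinlogonValueOk     = $regOk
        Suspicious          = (-not $signedOk) -or $parkedCopyPresent -or (-not $regOk)
    }
}

Test-UserinitIntegrity | Format-List
```

If Suspicious comes back True, confirm with sfc /verifyfile=C:\Windows\System32\userinit.exe before restoring the file from installation media, and treat the host as compromised rather than simply repairing the one binary, since the report says further payloads are downloaded afterwards.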

Apparently, the reported sender is now coming from DHL.