UPS-Themed E-mails Deliver... Malware

By Matthew Hines  |  Posted 2008-07-16 Print this article Print

Malware distributors have moved to a new vehicle (think big brown vans) for delivering their wares, tapping into the popularity of overnight giant UPS' e-mail delivery notifications in an attempt to lure users into taking their bait.

Security researchers including those working for AV provider Panda Security highlighted the UPS-themed spam/malware attacks on Tuesday, reporting the appearance of fake notification e-mails that actually contain the Agent.JEN Trojan attack.

With knock-off subject lines such as "UPS packet N3621583925" that mimic Big Brown's ubiquitous delivery status reports (or at least they are for anyone like myself who is addicted to eBay and e-commerce in general) the messages contain a fake invoice attachment in the form of a zip file that contains the threat, which is disguised as a Microsoft Word document.

"The malicious code copies itself to the system, replacing the Userinit.exe file in the Windows operating system," Panda reported in an advisory. "This file runs the Internet Explorer browser, the system interface and other essential processes. For the computer to continue working properly and in order to avoid raising suspicion of the infection, the Trojan copies the system file to another location under the name userini.exe."

The invoice-themed attacks are merely the latest attempt by malware gangs to find a new angle that might suck-in unsuspecting users, who might conceivably be lulled into trusting the messages since they have not been used in such a manner in the past, and since UPS is a well-established commodity, said Panda experts.

"All of this effort not to be noticed is in consonance with the current malware dynamic," Luis Corrons, technical director of PandaLabs, said in a statement. "Cyber-crooks are no longer interested in fame or notoriety; they are out to get financial returns as silently as possible."

Panda also highlighted the fact that the Agent.JEN Trojan connects to a Russian domain that has been used previously by other bank credential-stealing malware, and that it subsequently sends a request to a German domain where it downloads a root kit and an adware program identified by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008, respectively.

"We had seen cyber-crooks use erotic pictures, Christmas or romantic cards, and fake movie trailers as bait to make users run infected files," observed Corrons. "However, it is not usual to see baits like this one. This clearly indicates that cyber-crooks are trying to use baits that do not raise suspicion to spread their creations."

UPS also warned its customers of the threat.

"We have become aware there is a fraudulent e-mail being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered," the company said in its own advisory. "The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up. This email attachment contains a virus. We recommend that you do not open the attachment, but delete the e-mail immediately."

UPS also went the extra step of highlighting the fact that while may send official notification messages occasionally, the notices rarely include attachments.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel