We've had a few customers fall prey to a "UPS virus" lately. The virus code has been out for a few months now, but the fake UPS e-mail wrapper is new. The victim will receive an e-mail something like this:
From: United Parcel Service [some spoofed return e-mail address]
Sent:
To:
Subject: UPS Tracking Number 4126976729
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
There's an attached zip file that will launch a virus if clicked.
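A mail-filter check for the lure described above, as an added example that is not part of the original post. It flags a UPS display name on a non-UPS sender domain, the "UPS Tracking Number" subject, and a zip attachment. The indicator names, the quarantine policy, the choice of ups.com as the only genuine domain, and the sample message (including the attachment name) are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"UPS Tracking Number\s+\d+", re.I)
BRAND_RE = re.compile(r"\b(UPS|United Parcel Service)\b", re.I)
LEGIT_DOMAINS = ("ups.com",)  # assumption: only sender domain treated as genuine
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")

def lure_indicators(raw):
    """Return which traits of the lure described above a raw message shows."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    genuine = any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)
    if BRAND_RE.search(name) and not genuine:
        hits.append("brand-name-domain-mismatch")
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("tracking-number-subject")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            hits.append("zip-attachment")
            break
    return hits

def should_quarantine(raw):
    # Policy assumption: a brand-spoofed sender plus a zip attachment is held.
    hits = lure_indicators(raw)
    return "brand-name-domain-mismatch" in hits and "zip-attachment" in hits

def build_sample(from_hdr, subject, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "user@example.org", subject
    m.set_content("Please print out the invoice copy attached.")
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample("United Parcel Service <notice@mail.example.net>",
                        "UPS Tracking Number 4126976729", "invoice.zip")
    print(lure_indicators(lure), should_quarantine(lure))
```

The subject match alone is not treated as grounds to hold a message, since genuine tracking notices can carry similar subjects.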
I have not yet figured out why or how, but both AVG and Symantec only seem to partially detect and clean the virus. It's a relatively harmless virus, as I have not seen it re-sending itself or anything like that. It does produce some phony Windows XP Security errors (red X in the Taskbar, with a message about being infected and "click here to fix"). Following the link leads to a phony virus removal application for sale.
We've seen at least two variations of the virus. Here are a couple of Symantec posts on the variations, with cleaning instructions:
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=3
http://www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=1
