#1
For the first time, one of the "UPS" virus-bearing emails got through Comcast's spam filter to my email box. It says, "Dear customer, Your package was sent your home address. And it will arrive in 7 business day." It was pretty crude; it didn't even have a fake UPS logo. The file attached was a ".rar" file. What is that, some kind of scripting? I just trashed it. If you get a whole bunch of these viruses all of a sudden (and I have no idea what this is, nor do I care to find out), know that virus-bearing emails are getting through Comcast spam filters, if your customers have Comcast. Comcast's spam filters are getting increasingly inadequate; I keep getting strange emails with links to outside websites.
__________________
ByteBuster Mobile iPhone Repair of Sacramento Specializing in 4 Series iPhones (916) 708-0609 9am-5pm 7 days a week http://www.bytebustermcr.com/
#2
Quote:
You've really never encountered a .rar file?
#3
I've played with one of these email attachments. When you unzipped the file you reach what looks like a pdf. If you turn on 'show file extensions' you will see an 'exe' file which disappears when you click on it. Shortly after that you will be the victim of the 'System Tools 2010' scareware.
When I unzipped the rar file Avast blocked the process - that was before I tried to run the 'pdf'. I like Avast. Use a VM or quarantined machine.
__________________
John
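Added example, not part of any post in this thread: a defender-side check for the disguise described in post #3, where an executable in the archive looks like a PDF while Windows hides known extensions. The function names, extension lists and sample entries are assumptions constructed for illustration.

```python
# Added illustration. Extension sets are a small assumed subset, and the
# sample names and header bytes are constructed, not taken from the thread.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg"}


def explorer_view(name):
    """Name as shown when 'hide extensions for known file types' is on
    (approximated here by the two sets above)."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in (EXEC_EXTS | DOC_EXTS):
        return stem
    return name


def inspect_member(name, head):
    """Return the reasons an extracted archive member looks like a
    disguised executable. `name` is the stored file name, `head` is
    the first bytes of its content."""
    parts = [p.strip().lower() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[1:-1]              # extensions sitting before the last one
    is_pe = head.startswith(b"MZ")   # DOS/PE header of Windows executables
    reasons = []
    if ext in EXEC_EXTS or is_pe:
        reasons.append("executable inside a mail attachment")
    if ext in EXEC_EXTS and any(p in DOC_EXTS for p in inner):
        reasons.append("document extension in front of the real extension")
    if is_pe and ext in DOC_EXTS:
        reasons.append("document extension on executable content")
    return reasons


SAMPLES = [  # constructed (stored name, first bytes) pairs
    ("UPS_invoice.pdf.exe", b"MZ\x90\x00"),
    ("UPS_invoice.exe", b"MZ\x90\x00"),
    ("tracking.pdf", b"MZ\x90\x00"),
    ("tracking.pdf", b"%PDF-1.4"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict = inspect_member(name, head) or ["no finding"]
        print(f"{name} (shown as {explorer_view(name)}): {'; '.join(verdict)}")
```

Run it against the member listing of an attachment unpacked in a VM or quarantined machine; any non-empty result is a reason to block the archive before a user sees it.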
#4
I'm having tons of these atm and it's starting to get annoying.
I might grab one of the emails and let it infect a vm just to see what it does.
__________________
Steve PC Repairs Cannock Computer Repairs Burntwood Laptop Screen Replacement in Cannock "Hello, have you tried turning it off and on again"
#5
Had a customer that is the director of advertising for a local radio station bring a printed copy of the email in today. He didn't open it at work but when he got home curiosity got the better of him.
__________________
Marshall Texas Computer repair
#6
Quote:
That is good to hear that Avast catches it eventually. I did not have time to test it like that. I received the message too through AT&T/Yahoo account. Scanned attachment with both Avast and Malwarebytes but was not detected. Submitted to VirusTotal where it was pegged by 22 of 42 security programs. Avast was NOT one of them. I went to Avast website to submit it but they have no option for that. You can submit a false positive but not a false negative.
#7
I got another from UPS yesterday and Avast identified it as soon as the e-mail came down into Outlook.
As I said I like Avast.
__________________
John
#8
I'm getting sick and tired of these UPS emails. I must be getting at least 3 a day!
Oh and the latest is one from 'facebook'. "Dear Customer. A Spam is sent from your FaceBook account. Your password has been changed for safety. Information regarding your account and a new password is attached to the letter. Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it's automatic mail notification! Thank you for attention. Your Facebook!" Just for kicks I unrar'd this one, and immediately MSSE found it, and comes up with "VirTool:win32/injector.gen!BB" Marked as severe, with a description of this program is used to create viruses, worms or other malware. With yet another rar file. I think I may have to blog about this one, and warn my clients.
__________________
Hope this helps Be Safe Nige Cadishead Computers
Last edited by Cadishead Computers; 03-29-2011 at 12:08 PM.
#9
For the last month or so, the rogue security software scene has been pretty quiet. However, I've gotten four in the last three days, so the bad guys must be ramping things up a bit.
And two of the infections came from the UPS email! (Unfortunately, both of these users were actually waiting on a UPS package delivery, so clicked on the email without hesitation ... oops!)
__________________
Gary Richtmeyer C&G Web Enterprises
#10
Looks like the UPS emails have stopped and now they've moved on to DHL. Had a load this morning and throughout the day.
__________________
Steve PC Repairs Cannock Computer Repairs Burntwood Laptop Screen Replacement in Cannock "Hello, have you tried turning it off and on again"