UPS Tracking Number # Virus warning! (UPDATED!)

Update: Upon our submission of this threat to Microsoft, they have confirmed that this threat is classified as the new variant of TrojanDownloader:Win32/Bredolab.AC. (check the rest of the article for more information)

I've received several suspicious e-mails in the last couple of days, so I've decided to check the contents of the attached .zip file and without a surprise, there was an .exe file in it.

What is not good, is the fact that neither Microsoft Security Essentials antivirus nor Eset Nod32 wasn't able to detect it once I've scanned the file.

At least Microsoft Outlook mail scanner marked this mail as spam. So I wasn't entirely unprotected :)

The bogus message subject is something like this:

Subject: UPS Tracking Number 8279775.

Sender: UPS Manager Ramona Mock (This email address is being protected from spambots. You need JavaScript enabled to view it.)

Here's the subject of the mail:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service.
The attachment actually contains a virus which may infect the user's computer.

When I googled for more information on this virus, I've found out that similar virus was released almost 2 years ago, so apparently this is a new variant of it, as AV scanners were unsuccessful in detecting the threat. So far I've tried to detect the threat using 'only' Microsoft Security Essentials and Nod32 antivirus.

Here is the warning about UPS virus which was released about 18 months ago.

The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will receive an email from UPS/Fed Ex Service along with a packet number.. It will say that they were unable to deliver a package sent to you on such-and-such a date. It then asks you to print out the invoice copy attached. DON'T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS! Pass this warning on to all your PC operators at work and home. This virus has caused Millions of dollars in damage in the past few days.

I can't be sure of what damage it can cause to your computer, but I guess it is variant of UPS trojan virus and I can only advise you upon receiving similar mail, to immediately delete it.

Update: I have submitted suspicious file to the Microsoft Malware Protection Center (MMPC). I will update this article, as soon as I get more info on this.

Update #2: I received a reply from Microsoft and they confirmed this threat this threat is classified as TrojanDownloader:Win32/Bredolab.AC. A downloader trojan accesses remote websites in an attempt to download and install malicious or potentially unwanted software.

According to Microsoft, this Trojan variant was discovered on Dec16, 2009, but this appears to be a new variant which is the reason why it wasn't discovered by Anti-Virus scanners.

Important NOTE: Upon my submission of this threat to Microsoft, they have updated virus definitions as seen below:

Detection last updated:
Definition: 1.71.2267.0
Released: Jan 15, 2010 

BUT, have in mind that if you're using Microsoft Security Essentials, virus definitions might not be updated automatically. I adivise you to open the Microsoft Security Essentials, select the 'update' tab and click on the 'Update' button. You will now be protected.

Here is the screenshot of successful detection of this new threat

Anyway, let's get on what this Trojan actually does on your PC.

System changes

The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\digeste.dll
<system folder>\digiwet.dll
<system folder>\mcenspc.dll
<system folder>\msansspc.dll
%startup%\asgupd32.exe
%startup%\dfqupd32.exe
%startup%\dmaupd32.exe
%startup%\fmnupd32.exe
%startup%\ihaupd32.exe
%startup%\imiupd32.exe
%startup%\legupd32.exe
%startup%\ppqupd32.exe
%startup%\rqjupd32.exe
%startup%\ikowin32.exe
%startup%\wbhwin32.exe
%startup%\hcgwin32.exe
%startup%\fqosys32.exe
%startup%\lecsys32.exe
%startup%\necsys32.exe
%startup%\rncsys32.exe
%startup%\ysfsys32.exe
%startup%\zqosys32.exe
<system folder>\wbem\grpconv.exe
%appdata%\wiaserva.log

The presence of the following registry modifications:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"

Technical Information (Analysis)
Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host.
Installation

Win32/Bredolab has changed its method of installation over time. When older variants of Win32/Bredolab are executed, they copy themselves to one of the following locations, converting their EXE to a DLL:
 
<system folder>\digeste.dll
<system folder>\digiwet.dll
<system folder>\mcenspc.dll
<system folder>\msansspc.dll
 
The registry is then modified to ensure that the DLL is loaded. For example:
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
Sets value: "SecurityProviders"
With data: "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"
 
More recent variants of Win32/Bredolab copy themselves to the %startup% folder using one of the following variable filenames:
 
asgupd32.exe
dfqupd32.exe
dmaupd32.exe
fmnupd32.exe
ihaupd32.exe
imiupd32.exe
legupd32.exe
ppqupd32.exe
rqjupd32.exe
ikowin32.exe
wbhwin32.exe
hcgwin32.exe
fqosys32.exe
lecsys32.exe
necsys32.exe
rncsys32.exe
ysfsys32.exe
zqosys32.exe

 
Or they may use the following location:
 
<system folder>\wbem\grpconv.exe

Payload

Downloads and executes arbitrary files
Win32/Bredolab contacts a remote host, and receives a response from the master server that contains at least one encrypted binary. Downloaded binaries are decrypted and executed.
 
Win32/Bredolab may use a randomly named file name for downloaded binaries on the local machine. Binaries may be saved to the following location:
 
%windir%\Temp\wpv[numbers].exe
 
In the wild, Win32/Bredolab has been observed to contact the following control servers:
58.65.235.41
78.109.29.116
78.109.29.112
91.207.61.12
213.155.4.82
dollarpoint.ru
imoviemax.ru
mudstrang.ru
vanni-van.cn
gssmedia.cn
www.qoeirq.com
 
The following list details just a small selection of the malware known to be downloaded by variants of Win32/Bredolab:
Win32/Ambler
Win32/Boaxxe
Win32/Busky
Win32/Cbeplay
Win32/Cutwail
Win32/Daurso
Win32/FakeRean
Win32/FakeSpypro
Win32/Haxdoor
Win32/Hiloti
Win32/Insnot
Win32/Koobface
Win32/Momibot
Win32/Oderoor
Win32/Oficla
Win32/Otlard
Win32/Rlsloup
Win32/Rustock
Win32/Sinowal
Win32/Tedroo
Win32/Ursnif
Win32/Vundo
Win32/Waledac
Win32/Wantvi
Win32/Winwebsec
Win32/Wopla
Win32/Zbot

Additional Information

Some variants of Win32/Bredolab may create the following file during execution:
%appdata%\wiaserva.log

You can also get more information on Microsoft Security Portal.

PrintEmail