Beware e-mail messages from UPS

I have a lot of e-mail addresses and thus attract my fair share of unwanted and malicious e-mail. The latest malware spreading e-mail to land in my in-boxes has purported to be from the package delivery company UPS. Thursday, I received two of these, but there have been other similar messages recently.

As you can see in the picture below, it came with an attached ZIP file.

A malicious email that was not from the UPS package delivery company

ZIP files are commonly used as a container to transmit malicious software. The number in the name of the ZIP file is probably there to evade detection by antivirus software; the numbers were different in the two messages received Thursday.

The ZIP file contained a single EXE called UPSInvoice_997612.exe. I uploaded the file to VirusTotal.com, where 4 of the 36 antivirus applications detected it as malicious.

As I've noted before: never decide to trust an e-mail message based on the sender. It is very easy to forge the "From" address when sending e-mail.

And, hopefully by now it should go without saying, Windows users should never run an executable file sent by e-mail. Mac and Linux users (including the many new Netbook Linux users) can ignore this warning.

See a summary of all my Defensive Computing postings.

[hawkeyeaz1]

"Mac and Linux users (including the many new Netbook Linux users) can ignore this warning." But, but but it is our job to ensure viruses get spread to everyone! It is our civic duty, and Wine is almost good enough to succeed now!

http://www.linux.com/articles/42031

[Kev_Orng]

You're on the ball; I had to tell everyone in my company not to open this one 4 months ago.

Then it morphed and we've been receiving the same malware with different scare messages attached ever since.

So, it would be better to publish a weekly article reminding people not to open zip files from unknown sources.

In fact, everything I know about virus avoidance can be summed up with what I learned in kindergarten: don't talk to, get in a car with, or take candy from strangers. And buy a Mac. I didn't learn that last bit in kindergarten, though, I learned it in college.

[tacit]

Unfortunately, it does little good to tell people not to open attachments from "unknown sources." People sincerely believe they know what the source is. It says From: UPS Support (or, in another varient I've seen, From: FedEx, or From: the ISP of the user), and folks think that means it actually comes from the place it says it comes from.

So if you tell an average computer user not to open attachments from unknown sources, he'll say "Oh, I can pen this attachment! I know who it's from!"

Better, I think, is to tell users not to open attachments of any sort, no matter who they seem to be from, if the attachment contains any kind of executable. Even if the executable claims to be a greeting card or an invoice or a movie of some pop star's breasts.

[techman21]

Only 4 of 36 anti-virus programs detected it?!?! Which 4?

[mhinnewyork]

I wouldn't read too much into which 4 products caught this particular malware instance. My experience has been that the detection rate, in general, at virustotal.com is fairly low. It could be that every time I test it, its with an email message I just recieved and it takes time for "patterns" to get into any antivirus program.

That said, you can see the scan results here
http://www.virustotal.com/analisis/92a642dffc42a4a674ff1efdfbf65fc9
Michael Horowitz

[Louise_V]

Great post. i hadn't seen this one. @tacit makes a great point - the average internet user believes he knows who the sender is and that is the root of the problem on the user side.
Opening no attachments of any sort is good advice but may not always work because people DO receive legit attachments.

Louise