Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that inform the recipient about the arrival of a United Parcel Service (UPS) shipment. The message instructs the recipient to follow URLs to view details, such as a tracking number and invoice. However, the URLs are obfuscated and, when followed, redirect the recipient to a malicious .scr file. If executed, the file will attempt to infect the recipient's system with malicious code.
E-mail messages that are related to this threat (RuleID3135, RuleID3164, RuleID3170, RuleID3241, RuleID3250, RuleID3304, RuleID3314, RuleID3315, RuleID3316, RuleID3316KVR, and RuleID3170KVR) may contain any of the following files:
shipping_invoice.scr
invoice.scr
invoice.JPG.scr
invoice851.JPG.exe
invoice319.JPG.exe
invoice4281.JPG.exe
invoice6285.JPG.exe
receipt.exe
invoice.exe
shipping_invoice.exe
The shipping_invoice.scr file has a file size of 154,112 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xE603EB1AC2691790E09409DB20E4EADA
The invoice.scr file has a file size of 35,328 bytes. The MD5 checksum is the following string: 0x3AD7F7B2BC019BAB75912C9FB548AA50
The invoice.JPG.scr file has a file size of 147,505 bytes. The MD5 checksum is the following string: 0xBFE818CBAECAC59B5C892E77F7C185F8
A variant of the invoice.JPG.scr file has a file size of 143,872 bytes. The MD5 checksum is the following string: 0x27451F2012FEDB6EF30041C97533B9AD
The invoice851.JPG.exe file has a file size of 158,208 bytes. The MD5 checksum is the following string: 0xE2F69CA7A04F6EFB79F3BB9C4C428A89
The invoice319.JPG.exe file has a file size of 116,255 bytes. The MD5 checksum is the following string: 0xA643C20409555D617F6B6C48430FA887
The invoice4281.JPG.exe file has a file size of 144,896 bytes. The MD5 checksum is the following string: 0xF0D40BA4FE0A42F3B87E4352ED47FDF2
The invoice6285.JPG.exe file has a file size of 124,928 bytes. The MD5 checksum is the following string: 0x163392439DA9D3F128B6875CB492EE40
The invoice.exe file has a file size of 221,696 bytes. The MD5 checksum is the following string: 0xE2A60DE8BF5ADCB6A23DBB1CBF898325
A variant of the invoice.scr file has a file size of 143,360 bytes. The MD5 checksum is the following string: 0xAD1C7B41BBA7BD22CBD157E459C6130E
The receipt.exe file has a file size of 19,456 bytes. The MD5 checksum is the following string: 0x1CFB7096B6D2FA8AAA8B723CAADC36CF
A variant of the invoice.exe file has a file size of 19,456 bytes. The MD5 checksum is the following string: 0x261FA786DA3C1644FC0930DA89F6E0DC
A third variant of the invoice.exe file has a file size of 18,944 bytes. The MD5 checksum is the following string: 0x5CF1C859C5E53CDEDB843FA59BD1E642
The shipping_invoice.exe file has a file size of 19,456 bytes. The MD5 checksum is the following string: 0xC3BC30F65E1240C1E7F263FE7A98C437
A fourth variant of the invoice.exe file has a file size of 19,456 bytes. The MD5 checksum is the following string: 0x9EDC2C86553FC899A1429663D03D9D3A
Another variant of the invoice6285.JPG.exe file has a file size of 171,008 bytes. The MD5 checksum is the following string: 0x34CB532E595570561376289EA9986DC9
A fifth variant of the invoice.exe file has a file size of 41,472 bytes. The MD5 checksum is the following string: 0x2F5A11A63D942D3F2B7A042711F9CC84
A sixth variant of the invoice.exe file has a file size of 19,456 bytes. The MD5 checksum is the following string: 0x47457AD8E754D7D6145F88037B3137B4
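The indicator sentences above can be turned into a lookup table and checked against attachment bodies; the following Python is an added defender-side example, not part of the Cisco alert. The excerpt it embeds is copied from four of the alert's sentences, and any attachment bytes it is run on are constructed inputs.

```python
import hashlib
import re

# The alert states each indicator as a sentence; this pattern follows that wording,
# including the "A variant of the ..." / "A third variant of the ..." forms and the
# optional ", which is a unique identifier of the executable," clause.
INDICATOR_RE = re.compile(
    r"(?:The|A(?: \w+)? variant of the|Another variant of the) (\S+) file has a file size "
    r"of ([\d,]+) bytes\. The MD5 checksum(?:,[^,]*,)? is the following string: "
    r"0x([0-9A-Fa-f]{32})"
)

# Constructed excerpt: four sentences copied from the alert text above.
ALERT_EXCERPT = (
    "The shipping_invoice.scr file has a file size of 154,112 bytes. The MD5 checksum, "
    "which is a unique identifier of the executable, is the following string: "
    "0xE603EB1AC2691790E09409DB20E4EADA\n"
    "The invoice.scr file has a file size of 35,328 bytes. The MD5 checksum is the "
    "following string: 0x3AD7F7B2BC019BAB75912C9FB548AA50\n"
    "A variant of the invoice.scr file has a file size of 143,360 bytes. The MD5 checksum "
    "is the following string: 0xAD1C7B41BBA7BD22CBD157E459C6130E\n"
    "A third variant of the invoice.exe file has a file size of 18,944 bytes. The MD5 "
    "checksum is the following string: 0x5CF1C859C5E53CDEDB843FA59BD1E642\n"
)

# Extensions the alert's samples carry; in names like invoice.JPG.scr the real one is last.
EXECUTABLE_EXTS = {"scr", "exe"}

def parse_indicators(text):
    """Return the set of (size_in_bytes, lowercase_md5) pairs stated in alert-style text."""
    return {(int(size.replace(",", "")), md5.lower())
            for _name, size, md5 in INDICATOR_RE.findall(text)}

def indicator_for(data):
    """Compute the same (size, md5) pair for an attachment body seen locally."""
    return (len(data), hashlib.md5(data).hexdigest())

def has_executable_extension(filename):
    """True when the final extension is one the alert associates with the malware."""
    return filename.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS

def classify_attachment(filename, data, indicators):
    """'known_sample' on a size+hash hit, 'suspicious_name' on a .scr/.exe name, else 'no_match'."""
    if indicator_for(data) in indicators:
        return "known_sample"
    if has_executable_extension(filename):
        return "suspicious_name"
    return "no_match"
```

Feeding the full alert text to parse_indicators recovers all eighteen (size, hash) pairs; the name check catches the double-extension lure even when the sample is a new variant with no published hash.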
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Your package has arrived
Message Body:
Dear client
Your package has arrived.
The tracking is : 1Z45AR990283797554 and can be used at :
hxxp://www.ups.com/tracking/tracking.html
The shipping invoice can be downloaded from :
hxxp://www.ups.com/tracking/invoices/download.aspx?tracking=1Z45AR990283797554
Thank you,
United Parcel Service
The malware associated with this threat belongs to the TibsPk-A family. This trojan could modify the system registry and install additional malware by communicating with arbitrary hosts on the Internet.
Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.
Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks. Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.