Monday, November 15, 2010

"DHL Services" Scam E-mail with Oficla Malware Attachment

Scammers are once again trying to trick innocent victims into opening an attachment containing malware. I first told you about fake DHL e-mails containing evil attachments in October 2009, a similar scam claiming to be from UPS a year ago, and within the past month I've reported on two more malware-laden scam e-mails claiming to be from UPS/USPS and FedEx.

My regular readers know the drill by now.  DHL and other shipping companies won't send you attachments containing information, tracking numbers, or shipping/mailing labels. If you get an e-mail claiming to be from such a company that invites you to download an attachment, delete the e-mail; it's a fake, and its attachment could harm your computer. So far these attachments have all been Windows malware, so if you're a Mac user, you're more likely to be immune, but don't get all cavalier and act like Macs are impenetrable fortresses of security; they're not (skim my previous articles about Mac security).

Here's a sample e-mail:
From: "DHL Services" {donotreply.s.nr6999 @} [forged From address]
Subject: DHL service. Get your parcel S.NR5944 [number may vary]
Date: November 15, 2010

The company could not deliver your package to your address.
The package was returned to DHL office.
Information about your package is attached to the letter.
Look through the information about your package thoroughly.

Thank you for using our services.
DHL Customer Services.

[Note: The rest of the e-mail contained white text on a white background, intended to fool spam filters while being hidden from the e-mail recipient. This portion of the e-mail is usually different in each sample, so I've omitted it.]
Attachment: [file name may vary]
The malicious attachment is currently only detected by 12 out of 43 major antivirus engines, with detection coming soon from at least one vendor. Most of the following information is courtesy of VirusTotal:
File name: DHL_Information.exe
MD5   : 70da9f26213bfa1b947fcc58dd854cad
SHA1  : 57cad53f527fc97ac3e88a22ce295dcd7b2a882f
SHA256: ac068ce7055505ec0e501ea816959936f5d9221651715a93d37f99b631dbaf58
File size : 74240 bytes

12/43 detection rate as of 2010-11-15 23:11:32 (UTC)

Variously identified as: Gen:Variant.Oficla.10, Generic BackDoor.u, Troj/Oficla-BA, Trojan.Agent.AQWD, Trojan.Oficla-17, Trojan.Oficla.83, Trojan.Sasfis, Trojan.Win32.Generic.pak!cobra, Trojan.Win32.Oficla.chq, W32/Trojan2.NLPW, Win32.Outbreak!IK, etc.
As I've said before, antivirus software won't keep you 100% protected—especially against new malware, as these detection rates show—so it's always important to be cautious about downloading files or clicking on links.
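The two signals in this sample that a mail gateway or a personal triage script can act on are cheap to check: a courier-themed message carrying an executable attachment, and an HTML body padded with white-on-white filler text to slip past content filters, plus a hash match against the sample reported above. The following script is an added example written for this post, not code from the blog or from VirusTotal; the message it parses is a constructed look-alike with an inert placeholder attachment (so the hash check will not fire on it), and the only real indicator it uses is the SHA256 value quoted above.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicator taken from the post above: SHA256 of DHL_Information.exe as reported by VirusTotal.
KNOWN_BAD_SHA256 = {
    "ac068ce7055505ec0e501ea816959936f5d9221651715a93d37f99b631dbaf58",
}

# Attachment types a legitimate shipping notice never carries.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Courier brands impersonated in the scams this blog has covered.
COURIER_NAMES = ("dhl", "ups", "usps", "fedex")

# White text declared via inline CSS (color:#fff / #ffffff / white) or a <font color=...> tag.
WHITE_TEXT_RE = re.compile(
    r'(?:color\s*:\s*|<font[^>]*color\s*=\s*["\']?)'
    r'(?:#?f{3}|#?f{6}|white)\b',
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """Match an attachment's SHA256 against the indicator set."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


def has_hidden_white_text(html: str) -> bool:
    """Flag HTML bodies that style text white, the filler trick described in the post."""
    return WHITE_TEXT_RE.search(html) is not None


def triage(raw: bytes) -> list[str]:
    """Parse one RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").lower()
    sender = str(msg["From"] or "").lower()
    courier_theme = any(c in subject or c in sender for c in COURIER_NAMES)

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            payload = part.get_payload(decode=True) or b""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
                if courier_theme:
                    findings.append("courier-themed message carrying an executable")
            if is_known_bad(payload):
                findings.append(f"attachment hash matches known sample: {sha256_hex(payload)}")
        elif part.get_content_type() == "text/html":
            if has_hidden_white_text(part.get_content()):
                findings.append("HTML body contains white (hidden) text")
    return findings


def build_constructed_sample() -> bytes:
    """Constructed imitation of the scam mail; the attachment is inert text, not the real file."""
    msg = EmailMessage()
    msg["From"] = "DHL Services <donotreply@example.invalid>"  # constructed, not the forged original
    msg["Subject"] = "DHL service. Get your parcel S.NR5944"
    msg.set_content("The company could not deliver your package to your address.\n")
    msg.add_alternative(
        "<p>The company could not deliver your package to your address.</p>"
        '<p style="color:#ffffff">constructed filler text meant to confuse spam filters</p>',
        subtype="html",
    )
    msg.add_attachment(
        b"constructed inert placeholder, not malware",
        maintype="application", subtype="octet-stream",
        filename="DHL_Information.exe",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_constructed_sample()):
        print("-", finding)
```

Run as-is it reports the executable attachment, the courier theme, and the hidden white text for the constructed message; pointing `triage()` at a real `.eml` file read in binary mode applies the same checks, and extending `KNOWN_BAD_SHA256` with further VirusTotal hashes turns it into a small IoC sweep over a mail spool.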

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
