Friday, October 15, 2010

UPS/USPS Scam E-mail with Oficla Trojan Attachment

One year ago (almost to the day, actually) I warned of malicious e-mails that claimed to be from DHL that used social engineering to trick users into opening an attachment. Well, bad guys are still pulling the same trick, this time with e-mails purporting to be from UPS (United Parcel Service of America) or USPS (United States Postal Service).

Here's a sample e-mail:
From: "United States Postal" {donotreply @} [forged From address]
Subject: UPS Tracking number N224002 [a random number]
Date: October 15, 2010

Good afternoon.

The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.

Thank you.
UPS Global Services.

[Note: The rest of this was white text on a white background, intended to fool e-mail spam filters while being hidden from the e-mail recipient. This portion of the e-mail is vastly different in each of the samples I've seen.]
Hes in his fit now and does not talk after the wisest.He shall taste of my bottle: if he have never drunk wine afore, it will go near to remove his fit. If I can recover him, and keep him tame, I will not take too much for him: he shall pay for him that hath him, and that soundly. STEPHANO. Come on your ways: open your mouth; here is that which will give language to you, cat. Open your mouth: this will shake your shaking, I can tell you, and that soundly [gives CALIBAN a drink]: you cannot tell whos your friend: open your chaps again. STEPHANO. Four legs and two voices; a most delicate monster! His forward voice now is to speak well of his friend; his backward voice is to utter foul speeches, and to detract. If all the wine in my bottle will recover him, I will help his ague. Come. Amen! I will pour some in thy other mouth. STEPHANO. Doth thy other mouth call me? Mercy! mercy! This is a devil, and no monster: I will leave him: I have no long spoon. TRINCULO. Stephano!

Attachment: [a random number in the file name]
Before I talk about the attachment, let's briefly examine the non-hidden portion of the e-mail.  How many suspicious things can you find?  For starters, the From name is "United States Postal," not "United States Postal Service."  Second, the subject line says "UPS," not "USPS"; the company doesn't even match!  Third, companies like the U.S. Postal Service, UPS, and DHL never send attachments containing tracking numbers.  If the real company were going to send a tracking number, it would be in plain sight in the e-mail, not buried inside some attachment, and certainly not inside a Windows executable.

Not surprisingly, the .zip archive contains a malicious .exe program.  At present, the malware is detected by 23 out of 43 major antivirus engines, with detection in the works from at least one additional vendor.  Most of the following information is courtesy of VirusTotal:
File name: UPS_Document_NR*.exe [* = random number]
MD5   : 0964957611527841a83906bd68e248c7
SHA1  : 2497d1be1a4b49808171f388dd3ae1c59956075f
SHA256: 0bb27e6dba7e60c46cf8d829ddea604f1772ccf52885a84f5f07d3bd6953b0f0
File size : 41472 bytes

23/43 detection rate as of 2010-10-16 02:22:52 (UTC)

30/43 detection rate as of 2010-10-16 18:51:09 (UTC)

Variously identified as: a variant of Win32/Kryptik.HHI, Artemis!096495761152, Generic.dx!uhx, HeurEngine.MaliciousPacker, Heuristic.Trojan.SusPacked.TMS, High Risk System Back Door, Mal/Oficla-A, Packed.Generic.308, Packed/Win32.Generic, Riskware, SHeur3.BIXD, Suspicious file, TR/Crypt.XPACK.Gen, Trj/Downloader.WBX, TROJ_BREDLAB.TX (reminiscent of the "Bredolab" name of last year's DHL malware), Trojan.Oficla.73, Trojan.Oficla.AO, Trojan.Win32.Downloader.41472.EC, Trojan.Win32.Generic!BT, Trojan.Win32.Oficla.apb, Trojan/Win32.Oficla, TrojanDownloader:Win32/Mafchek.C, UnclassifiedMalware, W32/Oficla.AIY!tr, W32/Oficla.P.gen!Eldorado, W32/Trojan3.CGE, Win32:Trojan-gen, Win32.Outbreak!IK, etc.
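As an added example (not code from the original post), here is a Python triage script that applies the red flags discussed above to a raw message: the sender name versus the brand in the subject and signature, white-on-white padding text, and a .zip that wraps an .exe, whose SHA256 is compared with the hash listed on this page. The message it builds is constructed here, and its .exe is a harmless dummy, so the hash check will not fire on it.

```python
import email
import email.utils
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 of the malicious UPS_Document_NR*.exe exactly as listed on this page.
KNOWN_BAD_SHA256 = {
    "0bb27e6dba7e60c46cf8d829ddea604f1772ccf52885a84f5f07d3bd6953b0f0",
}
# Carrier names the campaign impersonates, normalised to one label each so that
# "United States Postal" (sender) and "UPS" (subject/signature) are comparable.
BRAND_ALIASES = {
    "usps": "USPS", "united states postal": "USPS",
    "ups": "UPS", "united parcel": "UPS", "dhl": "DHL", "fedex": "FEDEX",
}
BRAND_RE = re.compile(r"\b(" + "|".join(map(re.escape, BRAND_ALIASES)) + r")\b", re.I)
# White-on-white styling, the trick used to hide the filter-poisoning padding.
HIDDEN_RE = re.compile(r"color\s*:\s*(#fff(?:fff)?|white)\b", re.I)


def brands(text):
    """Set of carrier labels mentioned in a piece of text."""
    return {BRAND_ALIASES[m.lower()] for m in BRAND_RE.findall(text or "")}


def triage(raw):
    """Return the red flags found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_name = email.utils.parseaddr(msg.get("From", ""))[0]
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    claimed = brands(from_name) | brands(subject) | brands(text)
    if len(claimed) > 1:
        flags.append("brand mismatch across sender, subject and body: %s" % sorted(claimed))
    if HIDDEN_RE.search(text):
        flags.append("hidden white-on-white text in body (spam-filter padding)")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".exe"):
            flags.append("executable attachment: " + name)
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(".exe"):
                            flags.append("executable inside zip: " + info.filename)
                            digest = hashlib.sha256(zf.read(info)).hexdigest()
                            if digest in KNOWN_BAD_SHA256:
                                flags.append("known Oficla sample, sha256=" + digest)
            except zipfile.BadZipFile:
                flags.append("attachment is not a valid zip: " + name)
    return flags


def build_sample():
    """Constructed look-alike of the mail quoted above; the .exe is a harmless dummy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document_NR1234.exe", b"MZ constructed dummy, not the real malware")
    msg = EmailMessage()
    msg["From"] = '"United States Postal" <donotreply@example.invalid>'
    msg["Subject"] = "UPS Tracking number N224002"
    msg.set_content("The parcel was sent to your home address.\nUPS Global Services.")
    msg.add_alternative(
        "<p>The parcel was sent to your home address.<br>UPS Global Services.</p>"
        '<p style="color:#ffffff">Hes in his fit now and does not talk after the wisest.</p>',
        subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_Document_NR1234.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in triage(build_sample()):
        print("RED FLAG:", flag)
```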
See the behavioral analyses of this file from ThreatExpert, Anubis, and Panda Xandora/Autovin, and the Web of Trust report for webauc .ru, a domain to which this malware phones home:
See also ThreatExpert's analysis of a related mass-mailer program which sends spam like the sample above, and an additional domain and an IP to which the malware phones home or tries to download executable content:
Be sure to remind your friends and loved ones to avoid downloading attachments from e-mails like this one.

UPDATE, 16 Oct 2010 @ 12:00 PDT: Added some additional names of the malware.  Currently detected by 30 antivirus engines with at least one more detection coming soon.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.


  1. Thanks for your info. My 71-year-old mother-in-law
    just sent me an email... "did you send me something? It said it is coming in three days"... agggghhh, the spammers... Thanks so much for your article; I forwarded it to her so she won't get snagged, and I am going to subscribe to the RSS feed of yours.
    Thanks again,
    Jill in Texas

  2. I am currently expecting a UPS shipment. UPS sent me their regular tracking details. Among the same email batch, there was an email from a USPS??? sender with a zip file attachment where UPS_Document.exe resides that, when opened, could have severe consequences in ruining the OS. It was the TrojanDownloader:Win32/Mafchek.C
    ID: 2147639142
    Severity: Severe
    Category: Trojan Downloader
    Microsoft Antimalware has detected the Trojan and warned, by red-flagging via MS Security Essentials, whether the file should be quarantined or removed.

    Is this a coincidence, or have these people gone as far as hacking UPS's delivery system? I tend to believe it's rather a coincidence because I received similar emails from these bad folks before without using the legit UPS shipping services.

    One thing is for sure, I am doubly warned never to open email attachments from people I don't know, to double-check the sender's origin and to run a separate virus scan on every executable file whether downloaded from the net or received through regular email channels.


  3. layaguara: To answer your question, yes, it's a coincidence.

  4. In an act of stupidity, I think I downloaded this thing today. I immediately ran AVG and it did not pick anything up...but I'm worried it may be there. What do I need to do to find it and get rid of it? Thx.

  5. Rstrushen: AVG currently detects the variant that was sent to me on Friday, so if your definitions are updated and you do a full scan of the system, it should catch that particular malware. It's possible that what you downloaded might be a different file that's not detected yet, so it wouldn't hurt to run an online scan or two from other reputable antivirus vendors. Here are some sites where you can run a full scan of your hard drive for free (in no particular order):

  6. I almost fell for it! I get a lot of packages and am currently expecting packages from a few people.

    I ignored the "same old warning" my security software shows and clicked to allow me to see the graphics and entire content of the message. There was a zip file at the bottom that I was so close to opening when I noticed that the message had not only been sent to me, but to a lot of other email addresses similar to mine. That is when I decided to copy and paste the tracking number that was in the subject line and also the body of the text. I went directly to UPS to do a search for the number and found nothing.

    That is when I started searching for scams. This is the closest I have ever come to loading a virus, or whatever it was going to load, and I have been using email since '94 or '95. Amazing how much things have changed since then!

    I always think if the people who spend their time finding ways to mess with every computer they can would spend that time doing something good, we would live in a world that was a much better place!

  7. I am an idiot and opened it - will it affect my MacBook - can I run the same virus scanners listed above to get rid of it?

  8. Bt: You should be fine (unless of course you're using Windows instead of Mac OS X on your Mac). If you're only using Mac OS X, the Trojan attachment from this particular e-mail won't harm your computer.

    I don't know of any full-computer online antivirus scanners that are compatible with Mac OS X. All of the ones I listed above currently just support Windows.

  9. Thanks - that is reassuring. I am running a program I found online called iAntivirus; in theory, will this still find it even if this is not causing a problem? And once again thank you for this very prompt reply.

  10. Bt: No, PC Tools iAntivirus only detects Mac viruses. However, ClamXav (also free) can detect this if you do a full scan of your hard drive with it. See my previous article, which briefly mentions both of these Mac antivirus products:

  11. I got the email from usps and got suspicious when they signed it UPS Global Mail. two different organizations, and I was not expecting a package. So what do I do with this. Should I forward it to someone who can track it down? I hate to just let them get away with it.

  12. I also (stupidly) opened the file, however I have windows. I performed a full system scan on Trend Micro and found 6 Trojans and 1 virus, and permanently deleted them all. Are there any other actions I should take? Thanks for this info.

  13. MARY: Forwarding it probably wouldn't help much. The e-mail headers (which show where the e-mail came from) are forged, and the spam is probably being sent by a botnet (a distributed network of infected computers). The other problem is that since the e-mail contains a known malware attachment, either your e-mail provider or the recipient's is likely to block the e-mail from being delivered if you try to forward it. However, if you want to, you can contact SANS to see if they would like a copy of the e-mail and/or its attachment. If so, they can provide you with instructions on how to submit the items.

    Keisha: It wouldn't hurt to scan with another one of the online scanner sites I've listed above. Antivirus software is not perfect, so there may be something left behind that another scanner might detect. Better yet, you could boot from an antivirus live CD to scan your computer, which is more likely to detect and clean rootkit infections (a particular type of malicious software that hides itself and/or other malicious files on your system, making them harder to detect). A number of antivirus vendors have live CDs that you can download, such as Kaspersky. Here's a list of other antivirus live CDs from someone else's site. It's kind of an old list, but many of the links should still work.

  14. Thanks again for all this help. Before I run the ClamXav scan, do I need to remove iAntivirus, or is that a myth that only one virus checker can be active on one computer?

  15. Bt: You're right that generally it's not a good idea to install two full antivirus suites at the same time because they can conflict with one another, causing performance and stability problems. However, ClamXav is a simple scanner, not a complete antivirus suite; by default it doesn't run in the background and it doesn't automatically scan files when they're downloaded (unless you manually enable the ClamXav Sentry feature). You can go ahead and install ClamXav and scan your hard drive without uninstalling iAntivirus first.

  16. I used ClamXav; unfortunately you cannot select the whole hard disk to scan, but I highlighted all of the sub folders within the HD and did the scan: no viruses. Could it be that the program failed to infect the computer? When I clicked on it, it opened in a text box with random symbols. Should I do anything else to make sure the computer was not infected before I start using the internet for things like online banking? This help is really appreciated as I am so paranoid.

  17. Bt: You can select the whole hard disk in ClamXav. I just verified this in version 2.0.7, which is the newest version as of today. If you can see the hard drive on your desktop, just drag it to the Source List on the left side of the ClamXav window, or alternatively click on the + symbol at the bottom of the window and select Macintosh HD (or whatever you've named your hard disk) in the left side of the dialog box, then click Open.

    I tested on my Mac to see whether ClamXav detects this malware like it's supposed to. It had an error every time it tried to scan the .zip file (the actual e-mail attachment, which contains the .exe program), which isn't a big deal because it successfully detects the malicious .exe program itself, which is what could actually cause harm if you opened it on a computer running Microsoft Windows.

    Again I reiterate that your Mac cannot be harmed by this particular malware. It's a Windows .exe program. It can't run or do anything at all to harm your Mac unless you've previously installed a Microsoft Windows operating system on the same computer (using Apple Boot Camp, Parallels Desktop, VMware Fusion, Sun/Oracle VirtualBox, etc.).

  18. I'm so glad I found this thread. Ok, I must admit I'm one of the "stupid" people who clicked on the attachment. To my defense (if any) I am expecting a very important package from ups and I was rushing to go out the door and thought about checking what it was. When I clicked to open it, it opened the text edit window and I could only see symbols (like the ones you get when you have a file that the computer doesn't recognize). I'm pretty sure my mac hasn't been infected because it can't read it, but I'm worried about passing this around to my pc-user friends. I'm off to buy intego virus barrier x6 which I believe will check for viruses targeting both mac and pc. Is this the best course of action?

    Also, how would this virus travel to a pc? Will it get attached to any email I send? Or do my emails need to contain an attachment, let's say a picture, for it to get attached to it?

    As you can see I'm pretty novice about this.

    Thanks for the help.

  19. Noviembre: Once again I reiterate that this can't harm your Mac unless you also have Microsoft Windows installed on it. The only way you could "pass this around to your PC-using friends" is if you chose to manually forward that specific e-mail to them. It will not automatically attach itself to any other e-mails that you send from your Mac. This malware infects Windows only, and there's simply no possibility that it can do anything bad to Mac OS X.

    Yes, Intego VirusBarrier X6 checks for Mac, Windows, and UNIX viruses, according to their site. I've never used VirusBarrier but based on everything I've read about it, it's probably among the most comprehensive antivirus suites available for Mac. Although Mac malware is pretty rare at the present time, it wouldn't hurt to use antivirus software on your Mac. If you want less comprehensive protection but for free, you can try iAntivirus or ClamXav (if you use the latter, you should manually configure ClamXav Sentry to run automatically when you start your computer and to automatically scan files when they're downloaded or copied to your Downloads folder and Desktop).

  20. Thanks, Josh! I realized after writing my email at 6 in the morning (worried and super tired, not a good combination) that you had clarified for Bt that it couldn't harm a Mac and also that the only way for me to pass this around, if I did have it on my mac, would be if I forwarded that email.

    Since I wrote on your website I have installed the free trial of Intego VirusBarrier X6 (it will scan and quarantine but not repair) and it came back clean, so I suppose that means that it didn't get installed on the mac. At the apple store the clerk dissuaded me from buying the Intego VirusBarrier X6 once he knew who my Internet provider was (it seems that my Internet provider offers a free download of Norton Antivirus 11 for mac). I didn't buy the Intego because I still have the trial version and I want to read reviews about Norton for Macs. The reviews I have heard so far were not that favorable.

    Thank you one more time for your help and reassurance. You're doing a great service and I'll be sure to check your blog again in the future.

  21. wanted to say thank you for your help last week - the paranoia passed and I am using the mac again. I never located the file and wonder if deleting it from download folder was enough. thanks again

  22. Thanks for this - the only accurate description I've come across. I was also expecting a package and my guard was down. At least I scanned the .zip attachment with norton antivirus but nothing detected. I double clicked the attachment and fortunately winzip came up as an expired evaluation version and didn't unzip. Do I still need to be concerned about infection? Thank you so much.

  23. vladimir: It sounds like you're probably okay. If you're still concerned, it wouldn't hurt to get a second opinion from a different antivirus vendor by trying one of the online scanners or boot CDs mentioned above.

  24. Hello,

    I also received two from:
    DHL Global Services
    UPS Logistics Services

    that is strange, in the body of the only-plain text I found these paragraphs:

    There was no doubt of it--I saw it in the smile that permeated his face and the bow that bent his back as the man passed him.This kind of petty bribery is, of course, abominable, and should never be countenanced. Some members of the troupe came next. The gentleman in chocolate with my five francs in his pocket did not mention the name of any other member of the troupe except the Director, but it was impossible for me to be mistaken about these people--I have seen too many of them. She was rather an imposing-looking woman--not young, not old--dressed in a long travelling-cloak trimmed with fur (how well we know these night-cloaks of the professional! ), and was holding by a short leash an enormous Danish hound; one of those great hulking hounds--a hound whose shoulders shake when he walks, with white, blinky eyes, smooth skin, and mottled spots--brown and gray--spattered along his back and ribs.

  25. I opened this on my iPhone. Is there anything I need to do?

  26. Alison: If the e-mail attachment's file name ended with .zip or .exe, fear not; the iPhone doesn't come with apps that can open these types of files.

  27. Josh, the attachment was a pdf file. It did try and open it.

  28. Alison: Hmm, that's a bit more troubling. Although I'm not aware of any iPhone-specific PDF malware attachments in the wild, there is a slight possibility that you could be a victim of a targeted attack (meaning an attacker may have known that your e-mail address is used with an iPhone, and used an iPhone-specific PDF exploit to try to infect your phone). It's pretty unlikely, but it's possible.

    If you still have a copy of the e-mail or the PDF and want me to take a look at it, please leave a comment with your e-mail address (I won't publish the comment, so your e-mail address will be visible only to me). I'll e-mail you with instructions on how to send it to me.

    If you don't have a copy of the e-mail or PDF anymore and you're paranoid that your iPhone might be infected, you may want to restore your iPhone to a backup prior to when you received the e-mail. Follow the instructions at under "Restoring your iPhone..."

  29. I think I'll restore my iPhone. I have sent the email to my IT Security folks for them to sort it out, since it came to my work email. Thanks for your help! You're awesome!

  30. Josh, I did the same, and opened the email through my IPhone. I plugged in the phone to my computer and now am worried that I infected it. It too was a PDF file. When I opened it, there was no text or pics, just black. I can send you the email to look at if you like. I am currently running Norton on my computer as I write this.

  31. thanks for the tips,
    i got same email from
    FedEx service


  32. Stupid me. I did open the attachment (I had just mailed a pkg. via USPS), running WindowsXP. I immediately scanned with Avast & Malwarebytes antivirus software. Found & deleted a couple of "heuristic" files. Do you think I need to do anything else?

  33. RastaPa: There's no way for me to know for sure. You could try scanning while booted from a live CD, and you could try scanning with a trusted antivirus site as described above.

    If you can't find anything after several full system scans with updated antivirus engines (including at least one scan while booted from a live CD with updated definitions), you might be okay. However, if you're paranoid that your computer might still be infected, you can restore to a previous full system backup if you have one, or reformat your hard drive and reinstall Windows.

  34. I "opened" the file online to see what it was (by right clicking and selecting open) but didn't download it. I saw the program exe file sitting within, but didn't click on it. Is it likely my computer was infected?

  35. Guess Who?: It would be a good idea to scan your computer. In the future, don't open/download any .exe attachments (period) or any other unexpected e-mail attachments.

  36. I downloaded UPS_documents.exe attachment onto my Mac. It appeared as a zip file which I opened, containing an .exe file which I did not open.

    My question is, could it harm my computer if:
    1) I only "touched" the file in MacOS
    2) At the time, Windows was open on my Mac in Fusion?

    In other words, could the virus somehow spread from the Mac host to the Windows one?

  37. Diego: If you didn't open/run the .exe file, you shouldn't have a problem.

    If you had double-clicked the .exe and it opened in VMware Fusion, then you'd have a problem. Based on your description, it doesn't sound like you did that.

  38. I clicked on an attachment for a similar e-mail and tried to open it but nothing happened. My e-mail provider renamed the file because it contained an executable file. I'm confused about how that works and whether or not it's possible that my computer was able to access the file anyway and become infected. I scanned it with Trend Micro and McAfee and neither of them found anything, but I'm still concerned.

  39. spaghettios2: You could try uploading the file to VirusTotal to see if any other antivirus programs detect it:

  40. It looks like they now have insider information. I would have fallen for the social engineering trick if I had not been reading a lot on phishing.

    A mail was sent to me a day after someone sent me a package. It claimed that the mail could not go through due to an error in my mailing address.

    It now went further to request that I should download and print the shipment label so that I could come to their office with it.

    The postal service authorities need to check the integrity of their system as lots of personal information is being stolen there.

    Thanks for sharing.


  41. hey josh! my girlfriend received a similar email but it came from ups and looks suspicious. she then forwarded the email to me to check out if it is authentic. I was using my iPhone when I received the email and I found a zip file attached to it and clicked and tried to open it, but the iPhone cannot open/launch it so I left it alone. I then searched the internet and found your post, so I immediately deleted the email. I was just wondering if my iPhone was infected by the virus in any way because I am getting a bit paranoid right now. thanks!

  42. kevel: It's extremely doubtful. Nevertheless, I would recommend against trying to open attachments to "check them out" in the future. Whenever you get an e-mail claiming to be from a company, or even an e-mail that looks like it's from someone you know but seems a little suspicious, never open the attachment. When in doubt, you can always call the sender (using a phone number from your own records, not from the e-mail) to ask about the attachment.

  43. so you think my iPhone wasn't infected by the virus, right? because the zip file never launched in the first place when I clicked it. but just to make sure I restored my iPhone's firmware back to its original settings; all my files got deleted but at least my iPhone is clean. thank you josh.

  44. Just got this email on my Mac this morning and clicked open. It was a Zip but then I noticed the .exe. Deleted & deleted from trash as well - but in running the new OSX - any chance for infection? I cleared the cache/shut down the whole computer.

  45. aohl: Please see my response to Bt above:

    If you want to scan your computer anyway and you don't have antivirus software on your Mac (assuming the Mac is your personal property that you use at home) I recommend installing Sophos Anti-Virus for Mac Home Edition. It's free and full-featured antivirus software from a reputable company. You can download it at

  46. Hi. I stupidly unzipped the attachment to a USPS email on my iPad 2 using the GoodReader app. Am I in trouble? DJ

  47. DJ: Please see my response to kevel above:

    To everyone: As far as I know, there are not currently any versions of these UPS/USPS/FedEx/DHL/Royal Mail fraud e-mails that specifically target or can infect iOS (iPhone, iPad, iPod touch). I'm quite sure that if such a variant were to exist, we would hear about it quickly since iOS malware is almost nonexistent. Likewise, Mac malware is still much more rare than Windows malware, so even a Mac-targeting variant of this e-mail scam would probably make headlines, at least on security and tech news sites.

    You can subscribe to security sites like this one (subscribe via e-mail), as well as Sophos' Naked Security blog and Intego's Mac Security Blog to stay informed about threats targeting iOS and Mac OS X as they arise.

  48. I just received and accidentally opened and executed it this afternoon.
    Now I find all documents, pictures and other files missing... Any idea what the worst-case damage this virus does is...?

    USPS Report.Exe

  49. I just got what I think was a virus email purporting to be from fedex express services entitled "deliver error (#)." It contained a zip file entitled "fedex invoice copy" with a number after it. I unfortunately opened it on my iphone with "pdf expert" app. Anyone know if this will affect iphone?

  50. I just got one that says I've exceeded my time delivery and that I will be charged 14 something every day if I don't download the zip, so another one out there; be careful. I will not download anything.

  51. Apparently all my neurons aren't firing this morning because I just received this email from USPS and opened the attached zip file. I had just sent out a package and was also expecting one so I let my guard down. I am ashamed to admit that I did try to open the .exe file but it wouldn't open. I am on a Mac so my question to you Josh is this. Does your response to Bt and aohl still hold true concerning Macs since this might be a more recent email virus? Will this affect my mac at all?

    I also want to thank you so much for this website and for educating lay people like me.

  52. sittee2b: If the .exe file wouldn't open, then your Mac did not get infected.

    You should strongly consider using antivirus software on your Mac, though, since Mac malware has been increasing over the past couple years. There are a couple of free antivirus products available from Sophos and Avast, and Intego offers a 30-day trial.

  53. I've looked everywhere for an answer to this question and would very much appreciate any advice: could I be infected if all I did was open the zip file but then got wise before clicking on the .exe file? I was reading an email in Windows XP, in Pine, said yes to opening the zip file (the e-mail claimed to be from DHL), suddenly it was showing me a .exe file to click on, at which point I suddenly woke up to what was going on.

    I didn't click on the .exe file, immediately closed the window, closed the email, deleted it. Exited, restarting, about to do a scan from an Avast! disk. The only immediately odd thing was that I couldn't disable the wireless network before shutting down, which seems worrying. Other than that - my main question is: will just opening up the zip file but not having clicked on the .exe file still have infected me?

  54. I received a similar email (after logging into the real website and : Attempted delivery of package on June 27 was sent to erroneous address, please reprint shipping label. Unfortunately I opened it on my iPhone. It was a .zip file. Josh, any word if by now the virus has evolved and is infecting iPhones with .zip files, or are we still safe because iPhones cannot open them?

  55. 52101766-d01c-11e1-a552-000bcdca4d7a: It's highly unlikely. I haven't heard any reports about iOS malware spreading through e-mail attachments.

    Still, it's a good idea to be more careful in the future.

    Think it through logically:

    "This e-mail claims that USPS attempted to deliver a package and it was sent to the wrong address. I don't have the package, so what good would it do for me to print a shipping label?"

    Furthermore, legitimate companies will almost never send and ask you to open an attachment. That's another big red flag.

  56. This is the last one I just received; a little modified.
    Be careful with clicking on the open page, since not only the button is an active link, but the entire image/page.

    "Unfortunately we failed to deliver........."

  57. just received it in 2013 cosmicrayuk

