UPS Tracking Number Trojan

Started by Eric the Red, July 25, 2008, 11:05:02 PM

Eric the Red

Hooray! The virus writers have finally caught up with me: today I received an email containing the UPS Tracking Number Trojan that has been the subject of much discussion of late. If you are not familiar with it, it takes the form of an email with the following characteristics:

From: "United Parcel Service"
To: <ajones@ntlworld.com> (Not me! Address will be spoofed)
Subject: [RE] UPS Tracking Number 1420968535 (Number will change)
Unfortunately we were not able to deliver postal package you sent on July the 1st in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS


Attached to the mail was the payload, a file named "UPS_INVOICE_187271.zip". This file contains the trojan dropper wrapped up in an .exe file.

It was a pretty crude attempt against me as an individual, but as a social engineering attack it has the potential to have a significant impact on the corporate world, where UPS shipments are commonplace. More details on this can be found at:

http://blog.mxlab.be/2008/07/20/ups-tracking-number-trojan/

Also, there is another Trojan doing the rounds that is masquerading as a Hallmark e-card. Remember the golden rule - don't open attachments without checking the content and senders first. Most of the AV companies should be able to deal with this but why put them to the trouble in the first place!
"The time to start running is around about the "e" in "Hey, you!" "
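
The "check the content first" rule from the post above can be automated at the mail gateway or in triage. The following is an added example, not part of the original post: it lists the members of any zip attachment without extracting them and flags executables. The extension list, the helper names and the sample message (including the member name `UPS_invoice.exe` and the `example.invalid` addresses) are constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of extensions worth flagging; tune for your environment.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def risky_zip_members(raw_message: bytes):
    """Return [(attachment_name, member_name)] for executables inside zip attachments.

    Only the archive directory is read; nothing is extracted or run.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the content as well as the name: check the zip magic bytes too.
        if not (name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # Trailing dots/spaces are ignored by Windows, so strip them first.
                    if info.filename.lower().rstrip(". ").endswith(EXECUTABLE_EXTS):
                        findings.append((name, info.filename))
        except zipfile.BadZipFile:
            findings.append((name, "<unreadable archive>"))
    return findings

def build_sample(member_name: str, body: bytes) -> bytes:
    """Constructed test message modelled on the headers quoted in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, body)
    msg = EmailMessage()
    msg["From"] = '"United Parcel Service" <sender@example.invalid>'
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "[RE] UPS Tracking Number 1420968535"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_INVOICE_187271.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(risky_zip_members(build_sample("UPS_invoice.exe", b"harmless placeholder")))
```

A hit is a reason to quarantine the message for review; an empty result only means no flagged extension was found, not that the attachment is safe.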