Comments on: Follow up post about UPS_Invoice trojan

By: Robin

Robin — Sat, 23 Oct 2010 08:34:19 +0000

If you get the trojan then use Spybot. It picks it up no problem.

By: Adam Vero

Adam Vero — Mon, 28 Jul 2008 21:44:43 +0000

Gloin
Others have reported the domain name now, but it has been taken down, so no need to block at your gateway, although that can be a useful method of protecting your users and your network, especially in cases like this where the email trojan was only the first part of the problem, it is the other malware it downloads which is even nastier and harder to get rid of (such as XPAntivirus 2008).
You would of course need to consider how to protect users with laptops if they can use these on other unprotected web connections (or rather not protected by you and your filtering rules) such as at home, internet cafes and so on.

Barb
You might be best off with some form of bootdisk such as BartPE or Knoppix which can help you to go through your hard drive and remove files without being logged in to the machine through windows. Alternatively, hit F8 at startup for a menu and see if you have any luck getting in using Safe Mode.

By: Barb

Barb — Sat, 26 Jul 2008 16:27:20 +0000

My computer got infected with this trojan and now I can’t even log into Windows! Any ideas on how to clean this up without having to re-format my whole hard drive? Thanks!

Also, how do I get into my DOS prompt with Windows XP Home Edition when I can’t even log into Windows?

By: Gloin

Gloin — Fri, 25 Jul 2008 17:27:49 +0000

Hey, if you could forward me the actual URL that this thing is trying to phone home to, I’d sure appreciate it. We’ve had a few machines compromised, and I’d like to add the address to outbound block on the firewall. Thanks!

By: UPS_Invoice email trojan variant claims to be from Customs Service « Adam Vero at Getting IT Right

Thu, 24 Jul 2008 14:42:17 +0000

In the last hour I found in my inbox a variation on the UPS_Invoice trojans of last week. This new email claimed to be from "Customs Service" with the subject "Customs - We have received a parcel for you"

By: Hamish

Hamish — Wed, 23 Jul 2008 16:19:37 +0000

INfection started with:

UPS_INVOICE_978172.exe in a zip file.
Attached to an email as described above in the thread.

Likely it has spawned:
C:\WINDOWS\system32\ntos.exe Win32/PSW.Agent.NIF trojan

Infected:
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\buritos.exe
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\braviax.exe

more spawned files: (sorry no location info)
karina.dat
cru26???.dat

It tried to contact
hxxp://xpsecuritycenter.com/install/Installer.exe

Cleaned it by starting windows xp in Safe Mode
ESET’s NOD32 commandline scanner detected ‘m, I removed ‘m manually.

Hope this helps any of you a little further.

By: Jeroen

Jeroen — Tue, 22 Jul 2008 12:09:50 +0000

Thnx The420Kid! I’m going to try and fix it, but is since I’m not a computer-expert it is going to be difficult for me… Thnx anyway!

By: Elliot

Elliot — Sun, 20 Jul 2008 20:11:19 +0000

I received this Email. Unfortunately, I missed all the usual warnings (like the bad return Email address) and eventually clicked on the .Exe. When nothing happened, it suddenly struck me that I screwed up. I am trying to research how to get rid of this virus/malware.

My only saving grace, if it this indeed sends out mass Emails, is that I use Thunderbird as my Email client and usually these viruses attack Outlook.

By: the420kid

the420kid — Wed, 16 Jul 2008 19:31:57 +0000

There are reg keys that need to be re-entered after cleaning up the worm.

check out this link:
http://www.precisesecurity.com/threats/trojanblusod/

My cleaning used a mix of SDFix, Avenger (to kill some stubborn files), and Symantec Endpoint v11.
what a pain in teh ass

By: Jeroen

Jeroen — Wed, 16 Jul 2008 12:35:12 +0000

My computer has been attacked too… Unfortunately we were waiting for some stuff to arrive via UPS so there you go…

My Avast! 4.8 helped me wonderful but I had to delete some bad files from the registry. The malware was responsible for downloading the earlier mentioned XP Antivirus program (which was pretty hard to kill) and destroyed my desktop (i.g. wallpaper). It has left me with no choice of setting to adjust the wallpaper except for standard XP blue look. Has anyone got any ideas how to reset this and have my wallpaper back? I’ve removed files that were spread by the virus from the HKEY_CURRENT_USER registry regarding the false wallpaper setting (including a file called wallpaper.exe which had similar features to the others files (rhuc9u1j0e33v.exe etc).

I would really appreciate anyones help in this matter!