Comments on: UPS_Invoice email trojan variant claims to be from Customs Service

By: David Minter

David Minter — Sun, 31 Aug 2008 04:50:41 +0000

I also received pakes_c.se trojan horse in email attachment file eTicket#1721.zip. fortunately avg email scanner intercepted the attachment and deleted it. was not going to open the email anyway but did check my credit cards just in case someone had actually been able to put entry to my account.

By: Adam Vero

Adam Vero — Fri, 01 Aug 2008 16:30:44 +0000

Dave You are right, there seems to be a bunch of variations now about flight tickets, as I commented on in the original UPS thread here. I have now had several of these, the wording does seem to vary more than the earlier types, I have them from Fletcher Ferguson of JetBlue Airways; Trevor Naquin, United Airlines; and Harris Rosas, Midwest Airlines. The subject line of the first one seemed to have been left incomplete by the spammer, it came through as "Your order from {airlines} N5909431". Others have quoted different e-ticket numbers (4310190530, 4709645411) but the attachments bear no relation to these at all (E-ticket_7399294.zip, eticket#1721.zip twice). Also the 'password' provided in each email was passABCD where ABCD were 4 seemingly random letters.

By: Dave

Dave — Fri, 01 Aug 2008 12:53:20 +0000

The Travel Industry is being hit with a similiar trojan…”trojan horse Pakes_c.SE”. And, of course, I can’t find anythinf either. Looking thry Google is where I found this site. The sender sends the trojan in a zipped file named eTicket# and a ticket #. As soon as you unzip it you find the exe sitting there, which is a dead giveaway that something is terribly wrong. I hope you all have good defenses. My avg also picked it up during this morning’s scan. Good luck to ya’all.

By: stevec

stevec — Fri, 25 Jul 2008 23:11:52 +0000

I fell for it, too. I run websites for a living, and I usually know a virus when I see one. But I also receive around 2000 emails a day, about 70 of which come from UPS. So, I scan and open quickly. Stupid, no. Hasty, maybe.

I thought I had wiped this thing clean using Avast, but now my PC has started sending the “Customs Service” email. I took it offline, of course. Now looking for a fix. Any ideas?

By: Andrew

Andrew — Fri, 25 Jul 2008 16:11:24 +0000

I have to confess I was one of the people who fell for this. Please spare a thought for us before you call us ‘idiots’. I am normally very careful not to open such attachments, but this really caught me off guard: I live in the UK and have ordered a cd box set from the marketplace at amazon.fr on 7 July, which means it is shipped from the US, and it is close to the 18GBP mark at which one must pay import duty. A lapse when you read your mail and it could so easily happen. I have had the stuff removed from my machine in the meantime, though.

By: scott

scott — Fri, 25 Jul 2008 14:52:22 +0000

Look up info on the ntos.exe virus, disable system restore, remove it, delete files and directory System32/wnspoem/*

run spybot to find registry entries and remove those. This is a start if you had the registry change enabled.

By: Ed

Ed — Fri, 25 Jul 2008 13:33:31 +0000

I happened to just have gone through US customs the same day as I received the email. Figures.

Once I finally deleted the virus, all of my computer icons as well as my start menu disappeared, and I still cannot get them back. If anyone has any information on how to recover my computer, please tell me.

By: Paul

Paul — Fri, 25 Jul 2008 12:54:40 +0000

This arrived to one of my users as the French customs package, with Bill_Tax.zip as attachment. Virustotal.com shows decent coverage, but Mcafee doesn’t detect even with current definition files.

Virustotal results:
Antivirus Version Last Update Result
AhnLab-V3 2008.7.25.1 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.24 W32/Downldr2.DBPY
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.25 Trojan.Spy.Wsnpoem.EK
CAT-QuickHeal 9.50 2008.07.24 -
ClamAV 0.93.1 2008.07.25 Trojan.Zbot-1713
DrWeb 4.44.0.09170 2008.07.25 Trojan.Proxy.3731
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.24 -
F-Secure 7.60.13501.0 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
Fortinet 3.14.0.0 2008.07.25 -
GData 2.0.7306.1023 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
Ikarus T3.1.1.34.0 2008.07.25 -
Kaspersky 7.0.0.125 2008.07.25 Trojan-Spy.Win32.Zbot.dkx
McAfee 5346 2008.07.24 -
Microsoft 1.3704 2008.07.24 -
NOD32v2 3298 2008.07.25 -
Norman 5.80.02 2008.07.24 -
Panda 9.0.0.4 2008.07.25 -
PCTools 4.4.2.0 2008.07.24 -
Prevx1 V2 2008.07.25 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 Mal/Spy-A
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.25 Backdoor.Paproxy
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 -
VBA32 3.12.8.1 2008.07.24 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.24 -
Webwasher-Gateway 6.6.2 2008.07.25 -

Additional information
File size: 68096 bytes
MD5…: 3f4fa8fa60369c31a9ce18790e0c3ccd
SHA1..: 49d395d59baf40499bcbfa91bf4db02fd64a2c5b
SHA256: abcffbb0c5cc52f3f68209c0a3afc5e092a96ea9d80f68642f23f01fbdcff7e1
SHA512: 05048600882216adffeeff009b753fe51da001b3cedb44dc477f4a3b9092a5ea
53b1ec87288551e0e57701bd8c8702599db31511878f97d7286ff296bd8b9335
PEiD..: -
PEInfo: -
packers (F-Prot): rtf

By: Harry

Harry — Fri, 25 Jul 2008 11:05:40 +0000

AVG detects it as “Trojan horse Pakes_c.RX” but I can’t find any more information.

By: Robert

Robert — Fri, 25 Jul 2008 08:22:02 +0000

I just now updated my McAfee anti-virus and scanned it, and it still doesn’t recognise Tax_Invoice____….exe as malware. Not impressive. Fortunately, our environment blocks the running of any unauthorised software using software restriction policies.
Thanks for the info.