Good afternoon,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,

Rolland Hanna

Your Customs Service

This content was so close to the UPS_Invoice one that it seems obvious it originates from the same source.

My parents were on holiday in France on July 9th (back home now) so this might just possibly have caught me out if I had not seen the previous variant and the wording was a bit less stilted (especially the signoff), and the sender had actually been spoofed as the customs service not some random .com company. I guess the people most likely to fall for this would be anyone who bought something online from France, or through eBay and maybe they are not 100% sure where their purchase is being shipped from.

This time the attachment was called Tax_Invoice.zip which expanded directly to the executable (no folders in between this time) which was called Tax_Invoice_________________________NHHDLS883298792929.exe . I guess the filename padding is a flimsy attempt to make the end part disappear from the view and show as the truncated name “Tax_Invoice_…” or similar. Like the previous ones, this has a crude MS Word icon which has rough edges and simply does not scale above “medium icons” view in Vista – any larger and it just shows the smaller one in a larger grey box.

This one has an MD5 hash of 8CEB0F61089D86C086DCC08D6A783015.

Since the first rash of these emails last week, things died down. Presumably as the world’s antivirus vendors caught up with this new malware outbreak, they were mainly being caught at the point of sending. I certainly received none for several days, then had two on Monday night / Tuesday morning with the same text as before:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office

(one bizarrely missed the apostrophe from “recipient’s” and replaced it with a space)

Both had the same attachment UPS_INVOICE_978172.zip (47.9 KB or 49,110 bytes in size), which expanded to a 56KB (57,344 bytes) exe of the same name with MD5 checksum DA4B7EF93C588AD799F1A1C5AFB6CFAD.

Thursday’s pair were just called invoice_8712.zip (48 KB or 49,192 bytes) which held a 55.5 KB (56,832 bytes) file called INVOICE_8712.exe with MD5 digest of 9E2756F0A0AD988E149845B07216B181. All of this week’s emails had the subject “UPS Tracking Number nnn” with four different numbers: 1950761581, 8587187457, 7535113385, and 6853701924.

The first one which had the half German subject line was a file called UPS_Invoice_317.zip which was 5,420 bytes in size. This one expanded into two levels of folder as UPS_Invoice_317\Ups_invoice\UPS_INVOICE.exe (this was the only one to use lower case in its folder names). The executable was exactly 8,192 bytes (almost certainly padded) and had an MD5 hash of 6B4EF50E3E21205685CEA919EBF93476 which is the same as the one posted by Kayrac on the broadbandreports.com forum. Unfortunately he did not say what the name of the containing zip file was.

My next one was called UPS_INOICE_107.zip (note the mis-spelling) and extracted as UPS_INOICE_107\UPS_INVOICE_107.exe – only one level of folders this time, and the executable inherited the numeric part in its name. The mis-spelling almost certainly came from a mis-spelled folder used to compress it in the first place, as most zip programs default to using the folder name for the zip file as well. This file was only 6,656 bytes long and had MD5 checksum of 0C0F2CB1DEB11EC0AA68DEE0933FAACF. Since this is smaller than all the others I am certain it is a significantly different variant, or perhaps is simply broken. Hopefully I can test this later to see what (if anything) it does.

My third and fourth received emails were both called UPS_INVOICE_107.zip and extracted to UPS_INVOICE_107\UPS_INVOICE_107.exe, both 8,192 bytes long and with the same MD5 digest of 58AC24B1F802990387870D3A5CC2312B. The two zip files however were different sizes (4,117 and 4,178 bytes), so they were not direct copies of one another.

All the files made reference to a Russian domain which was registered on the 11th June. I have obscured the domain name and parts of the IP address in the screenshot below, taken from DNSstuff.com

There seems to be an SMTP server running on the same IP as the name servers, presumably to enable the malware to forward copies of itself, or perhaps to send messages home, since it does not seem to be set up to permit relaying.

Anyone have any further information about what this does yet? I’m just setting up a sandbox machine to try and track its infection in a safe environment.

Also, if you have any MD hashes which are different it might be interesting to post them as comments so we see how many flavours of this are out there.

From: United Parcel Service [someone@not_ups.com]

Subject: UPS Paket N2410170593

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_Invoice_317.zip

Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.

So I saved the file and had a quick peek with notepad to avoid opening the zip file at all. I could see enough of the content to see that the content of the zip was a single executable called UPS_invoice.exe rather than any kind of document file. Next step – a quick search online to see what particular flavour of nastiness this was. Fire up search engine, search for “UPS_invoice trojan”, “UPS invoice trojan” and other variations. Absolutely nothing at all. No-one else seems to have received this. Very strange indeed. I had a look on Sophos’ website and McAfee’s virus information library but could not find anything resembling this.

I wondered if I had somehow been ‘lucky’ enough to be one of the first to be sent a new malware variant, so I submitted a sample to Sophos.

I checked again later in the day and now I got a single hit for a site discussing this new menace, a blog at the Berlin Technische Universität focussing on hoax information had this post: UPS-Mails mit Malware. So, I was not alone, but it was still odd that no-one else reported this.

Of course, zip files can be opened natively on XP with no additional software, and a zip can be compressed in such a way that it will automatically open or run a file once it has decompressed the zip. This means that simply double-clicking the file could cause the payload to run, and attempt to install and do its damage.

Five hours after submitting my sample, Sophos kindly confirmed that the file did contain malware, identified by them as Troj/Agent-HFU. Coincidentally, the last email to arrive before I received this was another version of the same thing, with an English subject of “UPS Tracking Number 8017161622″ and the attachment was called UPS_Inoice_107.zip this time (yes, that’s “inoice” with no V). So maybe the first one was actually a German variant sent to me – not too farfetched given that I receive plenty of spam in German, usually pump-and-dump stock scams, so I must be on someone’s spam lists.

Still no information about UPS_Invoice.exe

However, there was still no mention of the email subject or payload name. Web searches still found only the TU Berlin article – was this just because the search providers have an inevitable timelag, or something else? I had a read of the Sophos advisory about this and found that they simply don’t mention UPS at all. Nothing. I know back when I wrote my review of Sophos Small Business Edition they used to be pretty good at describing the symptoms of a malware variant so you had some chance of identifying threats. Now the description says only that this trojan affects Windows, and that protection has been available for Sophos customers since 13 July 2008 19:44:42 (GMT). Pretty useless, so I thought I would check if anyone else had any more helpful information by searching for the name “Troj/Agent-HFU” and “Trojan Agent HFU”. The only results were sites which either syndicated Sophos information directly or wrote about new releases and quoted the source. So the blogosphere echoed with the same information I could get from Sophos but nothing else.

What’s in a name?

So, does this mean that Sophos are the only vendor out there offering to spot this new threat with an updated signature? I very much doubt it, I suspect this is just a manifestation of the usual problem of confusion over virus names. When a biologist finds a new species of beetle (or indeed a real-life virus) they get to name it anything they like. They can stick to a conventional Linnaean classification, or name it after their maternal grandmother, a character from Star Trek, or simply a new rude-sounding word. But once they have decided upon a name, everyone else has to use the same one. OK, there are cases where a second person does not realise that their find is not actually new, and they use their own chosen name for a while, but once it is determined that two creatures are in fact just individuals from the same species, the earlier name is used.

Not so for computer viruses. For years I have found it annoying and frustrating that the antivirus vendors seem to enjoy choosing different names for the same malware and then sticking doggedly to them. At least they used to cross-reference each other’s versions to some extent, but now it seems they are deliberately keeping to their own petty conventions. Why not adopt a universal scheme of letters and numbers within which any vendor can take the next one off the list and attach it to an identified executable? If astronomers can do this for the billions of stars and other objects found in outer space, why not for something as specific and tangible as a few dozen lines of code? Even the minor variants introduced by viruses when copying themselves in order to defeat the most primitive signature-based scanners are easily stripped away, and the core program and its behaviour can be identified. Maybe I’m being over-simplistic or optimistic about the levels of cooperation possible between large corporations which answer to their shareholders. Any insiders care to share any information about the practicality or otherwise of such a name-sharing scheme?

PS: A third email with subject “UPS Tracking Number 6360851232″ and an attachment name correctly spelled as UPS_Invoice_107.zip arrived while I was writing this.

It just seems odd how no-one seems to be talking about these with reference to the subject or attachment names. Since it is totally obvious they are not really from UPS, what’s the issue? Has anyone else been receiving many of these?