<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Getting IT Right &#187; virus</title>
	<atom:link href="http://blog.meteorit.co.uk/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.meteorit.co.uk</link>
	<description>the unofficial voice of Meteor IT</description>
	<lastBuildDate>Sun, 12 Feb 2012 23:21:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.meteorit.co.uk' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/f20aaf2e5a61cd42fe07e67a0f2a1c3f?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Getting IT Right &#187; virus</title>
		<link>http://blog.meteorit.co.uk</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.meteorit.co.uk/osd.xml" title="Getting IT Right" />
	<atom:link rel='hub' href='http://blog.meteorit.co.uk/?pushpress=hub'/>
		<item>
		<title>Follow up post about UPS_Invoice trojan</title>
		<link>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/#comments</comments>
		<pubDate>Tue, 15 Jul 2008 14:51:39 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[Agent HFU]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/</guid>
		<description><![CDATA[I've now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in my previous post here. I've posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve now had a chance to take a slightly closer look at the four copies of this Trojan Agent HFU that I received in the last 24 hours, as discussed in <a title="UPS_invoice trojan sent as zip attachment by email" href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" target="_blank">my previous post here</a>. I&#8217;ve posted some details of file names and sizes along with MD5 hashes for people to be able to compare their versions against.</p>
<p><span id="more-185"></span></p>
<p>The first one, which had the half-German subject line, was a file called UPS_Invoice_317.zip which was 5,420 bytes in size. This one expanded into two levels of folders as UPS_Invoice_317\Ups_invoice\UPS_INVOICE.exe (this was the only one to use lower case in its folder names). The executable was exactly 8,192 bytes (almost certainly padded) and had an MD5 hash of 6B4EF50E3E21205685CEA919EBF93476 which is the same as the one posted by Kayrac on the <a title="BroadBand reports forum discussion of UPS_invoice worm / trojan" href="http://broadbandreports.com/forum/r20789896-UPS-packet-upsinvoicezip-WORM" target="_blank">broadbandreports.com forum</a>. Unfortunately he did not say what the name of the containing zip file was.</p>
<p>My next one was called UPS_INOICE_107.zip (note the mis-spelling) and extracted as UPS_INOICE_107\UPS_INVOICE_107.exe &#8211; only one level of folders this time, and the executable inherited the numeric part in its name. The mis-spelling almost certainly came from a mis-spelled folder used to compress it in the first place, as most zip programs default to using the folder name for the zip file as well. This file was only 6,656 bytes long and had an MD5 checksum of 0C0F2CB1DEB11EC0AA68DEE0933FAACF. Since this is smaller than all the others I am certain it is a significantly different variant, or perhaps is simply broken. Hopefully I can test this later to see what (if anything) it does.</p>
<p>My third and fourth received emails were both called UPS_INVOICE_107.zip and extracted to UPS_INVOICE_107\UPS_INVOICE_107.exe, both 8,192 bytes long and with the same MD5 digest of 58AC24B1F802990387870D3A5CC2312B. The two zip files however were different sizes (4,117 and 4,178 bytes), so they were not direct copies of one another.</p>
<p>All the files made reference to a Russian domain which was registered on the 11th June. I have obscured the domain name and parts of the IP address in the screenshot below, taken from <a title="great online DNS tools - WhoIs, IP lookups, TraceRoute and more" href="http://www.DNSstuff.com" target="_blank">DNSstuff.com</a>.</p>
<p><img src="http://veroblog.files.wordpress.com/2008/07/ups-trojan-domain.png?w=489&#038;h=371" alt="UPS_invoice trojan domain" width="489" height="371" /></p>
<p>There seems to be an SMTP server running on the same IP as the name servers, presumably to enable the malware to forward copies of itself, or perhaps to send messages home, since it does not seem to be set up to permit relaying.</p>
<p>Anyone have any further information about what this does yet? I&#8217;m just setting up a sandbox machine to try and track its infection in a safe environment.</p>
<p>Also, if you have any MD5 hashes which are different it might be interesting to post them as comments so we see how many flavours of this are out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/15/follow-up-post-about-ups_invoice-trojan/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>

		<media:content url="http://veroblog.files.wordpress.com/2008/07/ups-trojan-domain.png" medium="image">
			<media:title type="html">UPS_invoice trojan domain</media:title>
		</media:content>
	</item>
		<item>
		<title>UPS_Invoice.exe trojan received by email</title>
		<link>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/</link>
		<comments>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/#comments</comments>
		<pubDate>Mon, 14 Jul 2008 18:09:36 +0000</pubDate>
		<dc:creator>Adam Vero</dc:creator>
				<category><![CDATA[Security and Malware]]></category>
		<category><![CDATA[trojan]]></category>
		<category><![CDATA[UPS_invoice]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[zip file]]></category>

		<guid isPermaLink="false">http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/</guid>
		<description><![CDATA[This lunchtime I received an email as follows: From: United Parcel Service [someone@not_ups.com] Subject: UPS Paket N2410170593 Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office [...] ]]></description>
			<content:encoded><![CDATA[<p>This lunchtime I received an email as follows:</p>
<blockquote><p>From: United Parcel Service [someone@not_ups.com]</p>
<p>Subject: UPS Paket N2410170593</p>
<p>Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.</p>
<p>Please print out the invoice copy attached and collect the package at our office</p>
<p>Your UPS</p>
<p>Attachment: UPS_Invoice_317.zip</p>
</blockquote>
<p>Of course this was extremely suspicious. I had no recent dealings with UPS, the email clearly did not really come from them anyway (it was not even spoofed to appear to be from their domain), and why on earth would they need to send me a file, let alone a zipped one? The misspelling in the subject also smelled of an automated message (although Paket is the correct spelling for the German word for packet). I smelled malware and wanted to find out more.</p>
<p><span id="more-183"></span></p>
<p>So I saved the file and had a quick peek with notepad to avoid opening the zip file at all. I could see enough of the content to see that the content of the zip was a single executable called UPS_invoice.exe rather than any kind of document file. Next step &#8211; a quick search online to see what particular flavour of nastiness this was. Fire up search engine, search for &#8220;UPS_invoice trojan&#8221;, &#8220;UPS invoice trojan&#8221; and other variations. Absolutely nothing at all. No-one else seems to have received this. Very strange indeed. I had a look on <a href="http://www.sophos.com" target="_blank">Sophos&#8217; website</a> and <a href="http://vil.nai.com" target="_blank">McAfee&#8217;s virus information library</a> but could not find anything resembling this.</p>
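<p>Both the quick peek described here and the file-name, size and MD5 comparison in the follow-up post above can be done without extracting the sample to disk at all, and a short script does it more safely than Notepad. The following Python is an added example, not code from the original post or from any vendor tool. It reads the zip's central directory from memory, inflates each member into a byte string, hashes it, and flags anything with an executable extension or the "MZ" magic that Windows executables start with; the declared member size is checked first so a deliberately oversized entry cannot exhaust memory. The archive it examines is constructed: the member path and the 8,192-byte length copy the post's description, but the content is just an MZ header followed by zero padding, so its hashes are not those of the real trojan.</p>

```python
"""
Static triage of a suspicious zip attachment, entirely in memory.

Nothing is extracted to disk and nothing is executed: the script reads the
archive's central directory, inflates each member into a bytes object,
hashes it, and flags members that look like Windows programs (executable
extension, or the 'MZ' magic that every PE/DOS executable starts with).
"""
import hashlib
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions Windows will run on double-click; the attachment in the post was
# a plain .exe, the others are common disguises in the same kind of mail.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class Member:
    name: str
    size: int             # decompressed length actually observed
    compressed_size: int  # length recorded in the central directory
    md5: str              # upper-case, the form the post uses
    sha256: str
    has_mz_header: bool
    executable_suffix: bool

    @property
    def suspicious(self) -> bool:
        return self.has_mz_header or self.executable_suffix


def triage_zip(data: bytes, max_member_size: int = 50 * 1024 * 1024) -> List[Member]:
    """Describe every file in the archive without writing anything to disk."""
    members: List[Member] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The declared size is attacker-controlled; refuse to inflate a bomb.
            if info.file_size > max_member_size:
                raise ValueError(f"{info.filename}: declared size {info.file_size} exceeds limit")
            payload = zf.read(info)  # bytes in memory, never run
            suffix = os.path.splitext(info.filename)[1].lower()
            members.append(Member(
                name=info.filename,
                size=len(payload),
                compressed_size=info.compress_size,
                md5=hashlib.md5(payload).hexdigest().upper(),
                sha256=hashlib.sha256(payload).hexdigest(),
                has_mz_header=payload[:2] == b"MZ",
                executable_suffix=suffix in EXEC_SUFFIXES,
            ))
    return members


def report(members: List[Member]) -> str:
    """One line per member: flag, size and MD5, as the post lists them."""
    lines = []
    for m in members:
        flag = "EXECUTABLE" if m.suspicious else "ok"
        lines.append(f"{flag:<10} {m.size:>8} bytes  MD5 {m.md5}  {m.name}")
    return "\n".join(lines)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment; NOT the real sample.

    The member path and the 8,192-byte length copy the post's description,
    but the content is only an MZ magic plus zero padding, so its hashes
    will not match the ones the post lists.
    """
    fake_exe = b"MZ" + b"\x00" * (8192 - 2)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_Invoice_317/", b"")  # directory entry, skipped by triage
        zf.writestr("UPS_Invoice_317/Ups_invoice/UPS_INVOICE.exe", fake_exe)
        zf.writestr("UPS_Invoice_317/note.txt", b"decoy text, not a program\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(report(triage_zip(build_sample_zip())))
```

<p>To triage a real attachment, pass the saved file's bytes to triage_zip() in place of build_sample_zip(); the sizes and MD5s in the report are directly comparable with the ones in the follow-up post, and the SHA-256 is there because MD5 alone is no longer a reliable identifier for a sample.</p>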
<p>I wondered if I had somehow been &#8216;lucky&#8217; enough to be one of the first to be sent a new malware variant, so I submitted a sample to Sophos.</p>
<p>I checked again later in the day and now I got a single hit for a site discussing this new menace, a blog at the Berlin Technische Universität focussing on hoax information had this post: <a title="UPS emails with malware" href="http://www2.tu-berlin.de/www/software/blog.shtml?08157" target="_blank">UPS-Mails mit Malware</a>. So, I was not alone, but it was still odd that no-one else reported this.</p>
<p>Of course, zip files can be opened natively on XP with no additional software, and the built-in compressed-folder view shows the contents as if they were an ordinary folder. A plain zip cannot run anything by itself when it is opened (that would need a self-extracting .exe rather than a .zip), but the path from attachment to infection is still only two double-clicks: one to open the zip, and one on the UPS_invoice.exe inside, which Explorer extracts to a temporary folder and runs. That is all it takes for the payload to attempt to install and do its damage.</p>
<p>Five hours after submitting my sample, Sophos kindly confirmed that the file did contain malware, identified by them as <a title="Trojan Agent HFU details from Sophos" href="http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthfu.html" target="_blank">Troj/Agent-HFU</a>. Coincidentally, the last email to arrive before I received this was another version of the same thing, with an English subject of &#8220;UPS Tracking Number 8017161622&#8221; and the attachment was called UPS_Inoice_107.zip this time (yes, that&#8217;s &#8220;inoice&#8221; with no V). So maybe the first one was actually a German variant sent to me &#8211; not too farfetched given that I receive plenty of spam in German, usually pump-and-dump stock scams, so I must be on someone&#8217;s spam lists.</p>
<h2>Still no information about UPS_Invoice.exe</h2>
<p>However, there was still no mention of the email subject or payload name. Web searches still found only the TU Berlin article &#8211; was this just because the search providers have an inevitable timelag, or something else? I had a read of the Sophos advisory about this and found that they simply don&#8217;t mention UPS at all. Nothing. I know back when I wrote my <a title="review of Sophos SBE antispam and antivirus" href="http://veroblog.wordpress.com/2007/01/14/sophos-sbe-anti-virus-and-anti-spam-for-small-businesses/" target="_blank">review of Sophos Small Business Edition</a> they used to be pretty good at describing the symptoms of a malware variant so you had some chance of identifying threats. Now the description says only that this trojan affects Windows, and that protection has been available for Sophos customers since 13 July 2008 19:44:42 (GMT). Pretty useless, so I thought I would check if anyone else had any more helpful information by searching for the name &#8220;Troj/Agent-HFU&#8221; and &#8220;Trojan Agent HFU&#8221;. The only results were sites which either syndicated Sophos information directly or wrote about new releases and quoted the source. So the blogosphere echoed with the same information I could get from Sophos but nothing else.</p>
<h2>What&#8217;s in a name?</h2>
<p>So, does this mean that Sophos are the only vendor out there offering to spot this new threat with an updated signature? I very much doubt it, I suspect this is just a manifestation of the usual problem of confusion over virus names. When a biologist finds a new species of beetle (or indeed a real-life virus) they get to name it anything they like. They can stick to a conventional <a title="Wikipedia article on Linnaean taxonomy" href="http://en.wikipedia.org/wiki/Linnaean_taxonomy" target="_blank">Linnaean classification</a>, or name it after their maternal grandmother, a character from Star Trek, or simply a new rude-sounding word. But once they have decided upon a name, everyone else has to use the same one. OK, there are cases where a second person does not realise that their find is not actually new, and they use their own chosen name for a while, but once it is determined that two creatures are in fact just individuals from the same species, the earlier name is used.</p>
<p>Not so for computer viruses. For years I have found it annoying and frustrating that the antivirus vendors seem to enjoy choosing different names for the same malware and then sticking doggedly to them. At least they used to cross-reference each other&#8217;s versions to some extent, but now it seems they are deliberately keeping to their own petty conventions. Why not adopt a universal scheme of letters and numbers within which any vendor can take the next one off the list and attach it to an identified executable? If astronomers can do this for the billions of stars and other objects found in outer space, why not for something as specific and tangible as a few dozen lines of code? Even the minor variants introduced by viruses when copying themselves in order to defeat the most primitive signature-based scanners are easily stripped away, and the core program and its behaviour can be identified. Maybe I&#8217;m being over-simplistic or optimistic about the levels of cooperation possible between large corporations which answer to their shareholders. Any insiders care to share any information about the practicality or otherwise of such a name-sharing scheme?</p>
<p>PS: A third email with subject &#8220;UPS Tracking Number 6360851232&#8221; and an attachment name correctly spelled as UPS_Invoice_107.zip arrived while I was writing this.</p>
<p>It just seems odd how no-one seems to be talking about these with reference to the subject or attachment names. Since it is totally obvious they are not really from UPS, what&#8217;s the issue? Has anyone else been receiving many of these? </p>
]]></content:encoded>
			<wfw:commentRss>http://blog.meteorit.co.uk/2008/07/14/ups_invoiceexe-trojan-received-by-email/feed/</wfw:commentRss>
		<slash:comments>37</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/786403437a56d6c7ecd26e885004d2ad?s=96&#38;d=wavatar&#38;r=PG" medium="image">
			<media:title type="html">AdamV</media:title>
		</media:content>
	</item>
	</channel>
</rss>
