Author Topic: a new virus ? upsnotify  (Read 10135 times)


mrreg

  • Guest
a new virus ? upsnotify
« on: March 25, 2011, 01:33:28 AM »
I found this email in my spam folder, from upsnotify.rar. Not waiting on a parcel from the States, I avoided clicking on any links and got suspicious of it. So I checked it out on Google and, well, I think it's a brand new virus included in the email... a variant of w32:pilleuz. I just deleted it to be safe.

http://news.softpedia.com/news/Fake-UPS-Email-Campaign-Serves-Malware-Cocktail-191161.shtml

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: a new virus ? upsnotify
« Reply #1 on: March 25, 2011, 01:46:55 AM »
You could have submitted it to www.virustotal.com
You could have added it to the avast Chest and sent it to them, helping to improve detection.
The best things in life are free.

mrreg

  • Guest
Re: a new virus ? upsnotify
« Reply #2 on: March 25, 2011, 01:51:26 AM »
That's easy for you to say. :) Honestly, I'm a mechanic, not terribly clever @ computing.

mrreg

  • Guest
Re: a new virus ? upsnotify
« Reply #3 on: March 25, 2011, 01:57:10 AM »
I'm sort of wondering if I'm all that good a mechanic too, lately. :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: a new virus ? upsnotify
« Reply #4 on: March 25, 2011, 02:04:32 AM »
Don't worry mrreg.
Thanks for posting and sharing.
Hope the programmers take a look at it.
Enjoy the forum!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: a new virus ? upsnotify
« Reply #5 on: March 25, 2011, 10:06:07 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: a new virus ? upsnotify
« Reply #6 on: March 25, 2011, 10:20:30 PM »
Indeed, the report increased from 17 to 34... Thanks Polonus.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: a new virus ? upsnotify
« Reply #7 on: March 25, 2011, 10:29:48 PM »
This UPS notify thing isn't new (avast has been detecting most of these as trojan-gen for some time), just another variant on a common theme, social engineering trying to get you to open an email attachment. This also goes for the other fake emails for the express parcel carrier of your choice.

Which if you have any common sense you would know the email is fake and wouldn't open the email much less any attachment. Let's assume for a moment that you were even expecting a package, if there was a problem with delivery, etc. how the h*ll would they know your email address?

Unfortunately there must be enough people who fall for this or they wouldn't do it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: a new virus ? upsnotify
« Reply #8 on: March 25, 2011, 11:04:37 PM »
Hi davidR,

mrreg reported the issue here, and good, again users were warned against this, but with a bit of googling he could have found out that avast is already protecting against this, as I have demonstrated in my earlier posting. People, use that "search" function to a good end, it can help you to get so many right answers,

polonus

Offline apeka

  • Jr. Member
  • **
  • Posts: 32
Re: a new virus ? upsnotify
« Reply #9 on: March 28, 2011, 04:00:22 PM »
Hello,

I'm getting the same UPS message with attachment every other day. Problem is that when avast detects this as a possible Trojan and moves it to the chest, Outlook 2007 stops working and closes, so I'm not able to delete this message. It's also remarkable that when this happens, all my incoming mails are duplicated in the inbox, like it's echoing back and forth with the mail server.
The only workaround I could think of is to temporarily close the avast mail shield (Outlook stays stable) and then remove the suspicious message and attachment by hand from the inbox. After that I re-enable the shield again.
Does anybody know of a better, permanent solution to get rid of this annoying stuff? (Besides changing my e-mail address of course :-))
Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: a new virus ? upsnotify
« Reply #10 on: March 28, 2011, 06:31:35 PM »
Go to the SAS site and download their free software from: http://www.superantispyware.com Update and run an in depth scan. Being free, you must perform a manual update daily.

According to independent security consultant Dancho Danchev, the threats associated with this attack include a fake antivirus, a Gbot backdoor and a variant of W32.Pilleuz which currently has a low detection rate, source:
http://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.html

The fake-av in the cocktail changed the following registry keys which, when the malware is removed, may prevent internet access from functioning normally, so what to do additionally?


1. Temporarily Disable System Restore
2. Update the virus definitions.
3. Reboot computer in Safe Mode
4. Run a full system scan and clean/delete all infected files
5. Delete/Modify any values added to the registry. [how to edit registry]

Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:50370

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
0x00000001

6. Exit registry editor and restart the computer.
These Internet settings will likely need to be restored, through this MS fix: http://go.microsoft.com/?linkid=9664547

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
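
Added example, not part of polonus's post and not Avast code: a read-only check that parses a registry export in the `.reg` text format and reports the three values named in step 5, so they can be reviewed before anything is deleted by hand. The sample export, the SID and the function names `parse_reg` and `find_leftovers` are constructed for illustration.

```python
import re
# Constructed sample in the text format regedit exports; SID and drive letter are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\sysdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:50370"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escaping
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return keys

def find_leftovers(keys):
    """Report (key, value name, data) for the entries listed in the post."""
    hits = []
    for path, values in keys.items():
        if path.endswith(r"\windows nt\currentversion\winlogon"):
            tm = values.get("taskman")
            if isinstance(tm, str) and "\\recycler\\" in tm.lower():
                hits.append((path, "Taskman", tm))  # program launched from RECYCLER
        if path.endswith(r"\currentversion\internet settings"):
            ps = values.get("proxyserver")
            if isinstance(ps, str) and re.search(r"(^|=)(127\.\d+\.\d+\.\d+|localhost):\d+", ps, re.I):
                hits.append((path, "ProxyServer", ps))  # traffic forced through loopback
            if values.get("proxyenable") == 1:  # also set on PCs with a genuine proxy
                hits.append((path, "ProxyEnable", 1))
    return hits
```

Files written by regedit's export are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.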

Offline apeka

  • Jr. Member
  • **
  • Posts: 32
Re: a new virus ? upsnotify
« Reply #11 on: March 29, 2011, 01:06:57 PM »
Wow.. That seems serious..
I never opened the suspected message though.. Does this still mean that my pc is infected? I'm not familiar with these kinds of actions and don't know if I dare to do this... Isn't there a simple way to fix this (not reinstalling Windows)?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: a new virus ? upsnotify
« Reply #12 on: March 29, 2011, 02:49:45 PM »
So long as you didn't open the email or run the attachment you should be good. You do however need to find the offending email if it is in Outlook, it will most likely also have *** VIRUS *** or similar placed in the Subject and avast would normally have removed the attachment.

Search for virus in the subject and see if that relates to the same time frame and delete it without opening the email. Then clear the deleted items folder and compact your folders.

Offline apeka

  • Jr. Member
  • **
  • Posts: 32
Re: a new virus ? upsnotify
« Reply #13 on: March 29, 2011, 03:35:39 PM »
I never opened the message or the attachment. Just selected it in Outlook and deleted it right away.. Problem is that every so often, this message is received again and avast blocks it (as it should). This crashes Outlook (see my previous posts here). At the moment the message is moved to the avast virus chest and I let it sit there. Just wondered if I could find a permanent solution for not crashing Outlook upon receiving this..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: a new virus ? upsnotify
« Reply #14 on: March 29, 2011, 04:16:03 PM »
I don't know why it crashed Outlook, unfortunately I can't help with Outlook as I don't use it.

I don't know what your Outlook settings are especially since it also has the avast plug-in and an anti-spam plug-in I believe. So I don't know if there would be any conflicting interaction in this. So that would have to be investigated by someone with Outlook experience.

Me, I have used MailWasher Pro for many years, a paid anti-spam which saw this as spam and I noticed it as most likely malicious and could have flagged it for deletion at the email server end. That way it wouldn't have been downloaded to trigger avast.