Virus Description - Downloader
Created: 15/07/2008, ... ... 30/07/2008, 05/08/2008
Aliases: [Sophos] Troj/Agent-HFU, [Panda] Agent-JEN
Description
05/08/2008 - New UPS Variant - Subject 'UPS INVOICE NNNNNNNN', attachment: 'RESU8292.zip'.
30/07/2008 - A new virus with many variants, all mentioning 'airlines' and 'tickets' or 'e-tickets' in the subject line or body, is being received by many people on-campus. It is similar to the previous UPS and Customs viruses.
25/07/2008 - New Variant with subject: "Parcel requires declaration".
24/07/2008 - New Variant with subject: "Customs - We have received a parcel from you".
22/07/2008 17:00 - Symantec AntiVirus able to clean virus - Symantec AntiVirus (with virus definition file dated 22/07/2008 rev 3) recognises the UPS Virus (v2) as 'Backdoor.Paproxy' and is able to clean it.
22/07/2008 12:30 - ISS begins marking the UPS Downloader as SPAM - ISS started marking all messages which have 'UPS Tracking Number' in the subject line AND which have a Zip file attached as *ISS-Detected SPAM*.
22/07/2008 - Second Wave of UPS Virus Messages - a number of people received fake 'UPS Tracking NNNNNNNNNN' messages with a new virus.
15/07/2008 - a lot of messages purporting to be from UPS containing a 'downloader' were received on-campus.
Variation number five features another 'UPS Undelivered Parcel' type message:
Subject: UPS INVOICE 267961436 (number varies)
Attachment: RESU8192.zip
Body:
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office
Your UPS
Do NOT open the attachment.
Variation number four itself comes in several forms, all of which mention airlines, tickets or e-tickets. Here is an example:
Attachment: E-ticket_N7399294.zip
From: Dora Hawkins Spirit Airlines [mailto:teeq@accelatech.com]
Sent: 25 July 2008 16:20
To: Spencer, Abby
Subject: Your order from {airlines} N8535706
Greetings,
Thank you for using our new service "Buy airplane ticket Online"
on our website.
Your account has been created:
Your login: Hecu
Your password: pass5IV0
Your credit card has been charged for $498.16.
We would like to remind you that whenever you order tickets
on our website you get a discount of 10%! Attached to this
message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed,
and you are set to take off for the journey!
Kind regards,
Dora Hawkins
Spirit Airlines
Variation number three of the 'UPS Tracking' virus does not claim to come from UPS but from 'Customs'.
Attachment: Tax_Invoice.zip (21 KB)
Subject: Customs - We have received a parcel for you
Body:
Good afternoon, (greeting varies)
We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.
Kind regards,
Elvia Atkins (name varies)
Your Customs Service
Example Of 'UPS Tracker' Virus (versions 1&2) Message:
Subject: UPS Tracking Number NNNNNNNNNN (number varies)
Body:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office
Your UPS
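The ISS rule of 22/07/2008 (subject contains 'UPS Tracking Number' AND a Zip file is attached) is easy to reproduce and to extend to the later lures quoted above. The following Python script is an added example and is not part of the original notice or of ISS's filter: it parses raw messages with the standard library, applies the same subject-plus-zip test to the UPS INVOICE, Customs and airline/e-ticket variants as well, and checks the body for the airline variant because that lure is described as mentioning tickets in the subject line or body. The sample messages, sender and recipient addresses and the 'UPS_invoice.zip' filename are constructed for illustration; the other attachment names and subjects are the ones quoted on this page.

```python
"""Added example, not part of the original notice: a small mail filter that
reproduces the ISS rule of 22/07/2008 (subject contains 'UPS Tracking Number'
AND a .zip file is attached => ISS-Detected SPAM) and extends the same
subject-plus-zip test to the later lures described on this page (UPS INVOICE,
Customs parcel, airline e-ticket).  All sample messages below are constructed
for illustration; addresses, bodies and the 'UPS_invoice.zip' name are invented."""

import email
import re
from email import policy
from email.message import EmailMessage

# Subject patterns for the lure families described on this page (case-insensitive).
LURE_SUBJECTS = [
    ("UPS tracking (v1/v2)", re.compile(r"\bUPS Tracking Number\s+\d+", re.I)),
    ("UPS invoice (v5)", re.compile(r"\bUPS INVOICE\s+\d+", re.I)),
    ("Customs parcel (v3)", re.compile(r"\bCustoms\b.*\bparcel\b", re.I)),
    ("Parcel declaration (v3)", re.compile(r"\bparcel requires declaration\b", re.I)),
    ("Airline e-ticket (v4)", re.compile(r"\b(airlines?|e-?tickets?|tickets?)\b", re.I)),
]
# The airline variant mentions tickets in the subject OR the body, so the body is checked too.
AIRLINE_WORDS = LURE_SUBJECTS[-1][1]


def zip_attachments(msg):
    """Return the filenames of .zip attachments in msg, at any MIME depth."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            names.append(name)
    return names


def lure_family(msg):
    """Name the lure family the message imitates, or None if no pattern matches."""
    subject = str(msg.get("Subject", "") or "")
    for name, pattern in LURE_SUBJECTS:
        if pattern.search(subject):
            return name
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if AIRLINE_WORDS.search(text):
        return "Airline e-ticket (v4)"
    return None


def classify(raw):
    """Classify one raw RFC 5322 message.

    Returns (verdict, family, zip_names).  The verdict is 'ISS-Detected SPAM'
    only when a lure pattern AND a .zip attachment coincide, as in the campus
    rule; a lure pattern with no zip is 'suspect' (worth a human look, not
    blocked), and everything else is 'clean'.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    family = lure_family(msg)
    zips = zip_attachments(msg)
    if family and zips:
        return "ISS-Detected SPAM", family, zips
    if family:
        return "suspect", family, zips
    return "clean", None, zips


def build_sample(subject, body, attachment=None, sender="noreply@example.invalid"):
    """Construct a test message (invented data) and return it as raw text."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@campus.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        # Not a real archive: a few bytes are enough to exercise the filter.
        m.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()


# Constructed samples modelled on the lures quoted on this page.
SAMPLES = {
    "ups_v2": build_sample("UPS Tracking Number 8374919201",
                           "Unfortunately we were not able to deliver postal package you sent.",
                           attachment="UPS_invoice.zip"),
    "ups_v5": build_sample("UPS INVOICE 267961436",
                           "Please print out the invoice copy attached.",
                           attachment="RESU8192.zip"),
    "customs_v3": build_sample("Customs - We have received a parcel for you",
                               "Please fill out the customs declaration attached.",
                               attachment="Tax_Invoice.zip"),
    "airline_body": build_sample("Your order N8535706",
                                 "Thank you for using our new service Buy airplane ticket Online.",
                                 attachment="E-ticket_N7399294.zip"),
    "ups_no_zip": build_sample("UPS Tracking Number 1234567890",
                               "Your parcel is on its way."),
    "benign_zip": build_sample("Photos from the weekend",
                               "See attached.", attachment="photos.zip"),
}


def scan_all(samples=SAMPLES):
    """Run the filter over every sample and return {name: verdict}."""
    return {name: classify(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {classify(raw)}")
```

Two caveats a practitioner would keep in mind: the word 'tickets' on its own is a broad match, which is exactly why the rule only blocks when a Zip attachment is also present, and the check looks only at the attachment filename, so a lure that switches to another archive type or nests the Zip inside another container would slip past a filter written this way.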
Damage
If you open the attachment your machine will be infected with a range of unpleasant malware that can include:
- remote control software (a backdoor)
- a spam relay
- spyware and adware
Occurrence
Attacking computers on campus.
Advice
Do not open the attachment (or any unknown attachments). Keep Windows (& Outlook) up-to-date - see Updating Windows
Further Information
For further information about the UPS downloader:
- Backdoor.Trojan - Symantec's name for another variant.
- Infostealer.Banker.C - Symantec's name for another variant.
- Trojan.Wsnpoem - Symantec's name for UPS Virus (v3 - 'Customs' variant)
- Backdoor.Paproxy - Symantec's name for UPS Virus (v2 22/07/2008)
- Downloader.Diliv - I believe this is the official Symantec name for the first UPS Downloader (v1 15/07/2008).
- Agent.JEN - Panda AV on first UPS Downloader.
- Panda Blog on the first UPS downloader
- UPS message (1st wave)
- Sophos Info