
Wednesday, October 26, 2011

Fake US Postal Service emails now spread System Restore and other viruses

It has recently come to our attention that fake US Postal Service e-mails are being actively used in a new spam campaign to promote and distribute rogue security programs such as System Restore, System Recovery and similar fakes. You should realize that these spam e-mails have nothing to do with the real US Postal Service headquartered in the US. This is simply the latest trick cyber frauds use to gain your trust by whatever means. The e-mails carry a new variant of the Dofoil Trojan horse. Keep in mind that this malware also downloads further components, such as other trojans, fake AVs and rogue security programs. The e-mail format used in this spam campaign typically has the structure described below.

Subject variations:

  • USPS Shipment Status IDxxxx
  • USPS service. Get your parcel IDxxxx
  • USPS Invoice copy IDxxxx
  • USPS Tracking number IDxxxx

Attachment name:

  • Post_Label#id[Random Digits].zip

You should realize that the ZIP attachment contains the Trojan exe-file, which disguises itself with a Microsoft Word icon as shown above. The fake US Postal Service e-mail itself looks similar to the one shown above. As you can see, it contains the following fake information, which should not be trusted:

Hello, Your parcel has arrived at the post office on [date]. Our Driver was unable to deliver the parcel to your address. To receive a parcel you must go to the nearest USPS office and show your post label. Label is attached to this letter. Thank you. USPS Customer Services.
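The subject pattern, the attachment naming scheme and the "executable inside a ZIP" trick described above are all things a mail gateway or help-desk script can check for. The following Python triage function is an added example written for this post, not code from the original blog; the regular expressions are assumptions derived from the subject lines and attachment name listed above, and the sample ZIP it builds is a constructed fixture containing a harmless placeholder, not the real attachment.

```python
import io
import os
import re
import zipfile

# The subject variations listed in the post all start with "USPS" and end in "ID" + digits.
SUBJECT_RE = re.compile(r"^USPS\b.*\bID\d+\s*$", re.IGNORECASE)
# Attachment name reported in the post: Post_Label#id[Random Digits].zip
ATTACHMENT_RE = re.compile(r"^Post_Label#id\d+\.zip$", re.IGNORECASE)
# Extensions Windows will execute on double-click; a postal "label" should never carry one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executable_members(zip_bytes):
    """Return the names of executable members inside a ZIP given as raw bytes.

    A corrupt or non-ZIP attachment is reported as a single marker entry so that
    the caller still treats it as suspicious instead of silently passing it."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<not a valid zip>"]
    return [n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]


def triage_message(subject, attachments):
    """Check one message against the campaign indicators from the post.

    attachments maps filename -> raw bytes. Returns a list of human-readable
    reasons; an empty list means none of the indicators matched."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches the 'USPS ... IDxxxx' pattern")
    for name, data in attachments.items():
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches Post_Label#id<digits>.zip: {name}")
        if name.lower().endswith(".zip"):
            exes = executable_members(data)
            if exes:
                reasons.append(f"zip {name} carries executable content: {', '.join(exes)}")
    return reasons


def build_sample_zip(member_name, payload=b"placeholder bytes, not a real program"):
    """Constructed test fixture: an in-memory ZIP holding one member (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the post's description (assumed subject and id digits).
    suspicious = triage_message(
        "USPS Tracking number ID5512",
        {"Post_Label#id5512.zip": build_sample_zip("Post_Label.doc.exe")},
    )
    benign = triage_message("Lunch on Friday?", {"agenda.zip": build_sample_zip("agenda.txt")})
    print("suspicious:", suspicious)
    print("benign:", benign)
```

The double extension in the constructed sample (`Post_Label.doc.exe`) is how a file that shows a Word icon still runs as a program; checking members by their real extension, rather than by icon, is what catches it.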

Once the user downloads and runs the infected executable inside the ZIP attachment, it performs the following actions:

  • Creates an SVCHOST.EXE process and injects its code into it.
  • Creates a copy of itself as %Application Data%\csrss.exe and deletes the original exe-file.

The executable then downloads further malware, such as:

  • %windir%\system32\msrepl40A.exe
  • %windir%\system32\wbcache8.exe
  • sl20.exe
  • setup.exe
  • 574-01.exe
  • sssss.exe

Moreover, the following registry entries are added:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: "C:\WINDOWS\System32\wbcache8.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: "C:\WINDOWS\System32\msrepl40A.exe"
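The persistence entries above all live under the Policies\Explorer\Run key, and the first one launches a file named csrss.exe from the user's Application Data folder, whereas the genuine csrss.exe lives in System32. The following Python script is an added example, not the blog's own removal tool: its core logic works on a plain dictionary of Run values so it can be exercised anywhere, and the live collector uses the standard winreg module only when run on Windows. The sample entries at the bottom are constructed from the values listed on the page with an assumed user profile path; the extra "Updater" entry is a made-up benign value to show that the check does not flag every Run entry.

```python
import ntpath
import os
import sys

# Registry locations named in the post (HKEY_CURRENT_USER hive).
POLICY_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
MARKER_KEY = r"Software\gtwbetugt"

# Downloaded file names from the post that are distinctive enough to flag by name alone.
# (sl20.exe, setup.exe, 574-01.exe and sssss.exe are too generic or too easily renamed.)
DISTINCTIVE_NAMES = {"msrepl40a.exe", "wbcache8.exe"}

# Paths the post reports the sample dropping or downloading, in environment-variable form.
DROPPED_PATHS = (
    r"%APPDATA%\csrss.exe",
    r"%windir%\system32\msrepl40A.exe",
    r"%windir%\system32\wbcache8.exe",
)


def _exe_path(data):
    """Strip surrounding quotes and trailing arguments from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def analyze_run_entries(entries):
    """entries: {value_name: data} read from the Policies\\Explorer\\Run key.

    Returns [(value_name, path, reason)] for entries matching the post's indicators.
    ntpath is used so Windows paths parse correctly even when run on another OS."""
    hits = []
    for name, data in entries.items():
        path = _exe_path(data)
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if base == "csrss.exe" and not folder.endswith("\\system32"):
            hits.append((name, path, "csrss.exe launched from outside System32"))
        elif base in DISTINCTIVE_NAMES:
            hits.append((name, path, "file name reported as downloaded by this Dofoil variant"))
    return hits


def collect_windows_indicators():
    """Live check of the registry and file system; only meaningful on Windows."""
    if sys.platform != "win32":
        return {"error": "live registry/file check requires Windows"}
    import winreg  # standard library, Windows only

    findings = {"run_entries": [], "marker_key": False, "files": []}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_RUN_KEY) as key:
            entries, index = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                entries[name] = str(data)
                index += 1
        findings["run_entries"] = analyze_run_entries(entries)
    except FileNotFoundError:
        pass  # key absent: nothing to check
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY))
        findings["marker_key"] = True
    except FileNotFoundError:
        pass
    for raw in DROPPED_PATHS:
        full = os.path.expandvars(raw)
        if os.path.exists(full):
            findings["files"].append(full)
    return findings


# Constructed sample based on the values listed in the post (assumed profile path).
SAMPLE_ENTRIES = {
    "Epsilon Squared": r'"C:\Documents and Settings\user\Application Data\csrss.exe"',
    "TKYDMYTE": r'"C:\WINDOWS\System32\wbcache8.exe"',
    "Dbft": r'"C:\WINDOWS\System32\msrepl40A.exe"',
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /quiet',  # made-up benign entry
}

if __name__ == "__main__":
    for hit in analyze_run_entries(SAMPLE_ENTRIES):
        print("suspicious Run value:", hit)
    print(collect_windows_indicators())
```

Any hit from the live collector is a reason to treat the machine as infected and proceed with cleanup rather than simply deleting the Run value, since the post reports the sample injecting into SVCHOST.EXE and downloading further components.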

Network Activity detected:

HTTP GET Requests:

  • http://live{DELETED}
  • http://suteki{DELETED}
  • http://image{DELETED}

DNS Requests detected:

  • http://live{DELETED}

Hosts File Modification detected:

This malware adds the following entries to the Windows hosts file in order to block access to torrent websites.


In summary: please be careful with such fake US Postal Service e-mails. Verify that a message really comes from the US Postal Service before opening any content inside it, especially strange ZIP attachments. Finally, if your computer has been infected with the virus after opening such a bogus US Postal Service attachment, please follow the removal guidelines for this virus provided in the video section below.
