Wilders Security Forums  

  #1  
Old May 26th, 2012, 10:58 AM
Bob D
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
FedEx email scam Trojan is back

I rarely receive spam, and it's been a long long time since I received one with a malware payload. But lately, I'm seeing a spate of these things.
I do get frequent FedEx notifications, but these did not pass the "smell test" (my first line of malware defense).
Attached innocuous appearing zip file contains an exe. Suspect it contains malware as described:
http://www.snopes.com/computer/virus/ups.asp
http://www.kenkai.com/seo-blog-article-309.htm
Quote:
From: "FedEx Service" <postal@fedex.com>
To: mylegitimate email address
Subject: Your package is available for pickup
Date: Sat, 26 May 2012 13:01:37 +0200
Reply-To: "FedEx Service" <postal @ fedex.com>
Sender: <someperson@perseo.hostingplan.net>
X-Mailer: MagicalMailStandardEditionVersion1.0.1REL-1

Notification,

Our company’s courier couldn’t make the delivery of parcel.
Status:Wrong delivery address.

LOCATION OF YOUR ITEM:Boston
DELIVERY STATUS: not delivered
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL:U667559489NU
FEATURES: No

The label of your parcel is enclosed to the letter.
Print your label and show it in the nearest post office of USPS
You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for attention.
FedEx Logistics.

FedEx_Label_ID_Order_83-27-4533US.zip
__________________
noooxml.org
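Two of the tells in the quoted message, the brand mailbox in From versus an unrelated Sender domain and a zip wrapper around an executable, can be checked mechanically. The following is an added example, not from the original post; the message it builds is constructed from the quoted headers and the zip holds a dummy file named like an .exe, not a real program.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def sender_domain(addr_header: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def triage(msg: EmailMessage) -> list[str]:
    """Return a list of findings for a parsed message (empty list = nothing flagged)."""
    findings = []
    from_dom = sender_domain(msg.get("From"))
    # A brand mailbox in From delivered via an unrelated Sender / Return-Path domain
    # is the mismatch visible in the quoted headers (fedex.com vs. a hosting domain).
    for hdr in ("Sender", "Return-Path"):
        dom = sender_domain(msg.get(hdr))
        if dom and dom != from_dom and not dom.endswith("." + from_dom):
            findings.append(f"{hdr} domain {dom!r} does not match From domain {from_dom!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            # Look inside the archive for an executable, as the "label" zip carried one.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(EXECUTABLE_EXTS):
                        findings.append(f"attachment {name!r} contains executable {inner!r}")
        elif name.endswith(EXECUTABLE_EXTS):
            findings.append(f"attachment {name!r} is a bare executable")
    return findings

def build_sample() -> EmailMessage:
    """Constructed message modelled on the quoted headers; the zip holds a dummy .exe."""
    msg = EmailMessage()
    msg["From"] = '"FedEx Service" <postal@fedex.com>'
    msg["Sender"] = "<someperson@perseo.hostingplan.net>"
    msg.set_content("The label of your parcel is enclosed to the letter.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Label_ID_Order.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Label_ID_Order.zip")
    return msg

if __name__ == "__main__":
    for line in triage(build_sample()):
        print("FLAG:", line)
```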
  #2  
Old May 26th, 2012, 11:34 AM
Gullible Jones
 
Posts: n/a
Re: FedEx email scam Trojan is back

Hey, I got that one too! That's the one that "broke" VirusTotal.

I wonder what sort of trojan that is.
  #3  
Old May 26th, 2012, 12:28 PM
Bob D
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Re: FedEx email scam Trojan is back

Quote:
Originally Posted by Gullible Jones
Hey, I got that one too!...
Suspect our addresses were harvested by some manner of malware on someone else's box. Perhaps a contact that you / I have in common (looking at your location).
__________________
noooxml.org
  #4  
Old May 26th, 2012, 01:12 PM
Gullible Jones
 
Posts: n/a
Re: FedEx email scam Trojan is back

I have some info about the trojan now...

- It is a fake AV, "Smart Fortress 2012."

- It does not appear to install a rootkit, just runs from the application data folder for all users. The program running from the application data folder is apparently identical to the executable in the zip attachment.

- It blocks browsers other than IE from starting. For IE it acts as a local proxy at port 1036. The proxy prevents you from browsing at all until you register Smart Fortress by giving your credit card number to the scammers.

- It does not appear to run at all in Safe Mode.

- Interestingly, IE works fine in safe mode despite the proxy setup, and the IE proxy settings appear unchanged. I guess it's setting up the proxy some other way?

- It reports to an IP apparently located in Beijing. (PM me if you want the IP address.)

- Other blocked applications include Gmer (with any file name), Process Explorer, and Process Monitor. Process Monitor appears to load its driver anyway, but the GUI won't appear. Command prompts are also blocked (well, sort of; it obviously lets them start and then kills them).

- However, nothing is blocked unless the Smart Fortress tray icon is loaded. No icon -> everything runs.

- Also, Online Armor (trial version) can block the scareware from executing on startup. It really does not look terribly advanced.

In conclusion, it looks like a bog-standard fake AV...
  #5  
Old May 26th, 2012, 03:02 PM
Daveski17
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,322
Re: FedEx email scam Trojan is back

I've seen something similar, except there was no mention of FedEx. There was a link inviting me to check on the 'package' that had been delivered to the Post Office. I was suspicious for a variety of reasons, notwithstanding the weight of the 'package' wasn't in metric. According to VirusTotal it was a known trojan link.
__________________
Quis custodiet ipsos custodes?