Fake UPS Spam E-mails Spread Malware
10/12/2010
Security researchers at Vietnamese security vendor BKIS (Bach Khoa Internet Security) have warned of a new
wave of spam e-mails impersonating the United States Postal Service (USPS). The messages target ordinary Internet users.

The spam e-mail carries the subject line "USPS Delivery Problem NR#######" (# is a random digit), and the
sender address is spoofed, BKIS notes.

The fake e-mail tells the recipient that the postal service could not deliver a package sent on September 19, 2010
on time because of an error in the recipient's address. The recipient is then asked to print the attached shipment
label [USPSLabel.doc] and collect the parcel from the USPS office.

To make the message look genuine, the spam e-mail closes with an official-looking USPS signature.

According to BKIS, the attachment actually contains a variant of the Oficla Trojan, which some security vendors
call Sasfis. Oficla is a downloader-type Trojan, typically used as a distribution platform for other malware,
rogue anti-virus (AV) programs in particular.

Commenting on the issue, Nguyen Van Sao, Malware Researcher at BKIS, said that the Trojan dropped a file called
bfky.ojo in the system32 folder and added it to the [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]
registry key to start on every system reboot, as reported by Softpedia on September 28, 2010.
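The persistence described above relies on the Shell value under the Winlogon key, which Windows normally sets to the bare string explorer.exe and which Winlogon reads as a comma-separated list of programs to launch at logon, so an extra entry appended after explorer.exe runs alongside the real shell. The following Python script is an added example (not BKIS's or Softpedia's code) that parses such a value and flags every entry other than the expected explorer.exe; the sample values, including one that appends the bfky.ojo path reported above, are constructed for illustration, and the assumption that the only legitimate value is a bare explorer.exe is stated in the code.

```python
"""Inspect a Winlogon 'Shell' value for appended persistence entries.

Added example. Assumptions (not from the original report):
  * The legitimate value is exactly "explorer.exe" (the Windows default);
    any path, extra program, or different name is treated as suspicious.
  * Winlogon accepts a comma-separated list in this value, each entry
    optionally quoted and optionally followed by arguments.
"""
import platform

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# Constructed sample values for offline testing (not captured from a real host).
SAMPLE_VALUES = {
    "clean":        "explorer.exe",
    "clean_case":   "Explorer.EXE",
    "appended":     r"explorer.exe,C:\WINDOWS\system32\bfky.ojo",
    "quoted_first": r'"C:\Program Files\evil\x.exe" -q, explorer.exe',
    "replaced":     r"C:\Windows\explorer.exe",
}


def parse_shell_value(value):
    """Split a Shell value into the program of each comma-separated entry.

    Quoted paths keep their spaces; unquoted entries lose trailing arguments.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith('"') and '"' in item[1:]:
            # Quoted program path, possibly followed by arguments.
            item = item[1:item.index('"', 1)]
        else:
            # Unquoted: the first whitespace-delimited token is the program.
            item = item.split()[0]
        entries.append(item)
    return entries


def suspicious_shell_entries(value, expected=EXPECTED_SHELL):
    """Return the entries of a Shell value that are not the bare expected shell.

    A full path to explorer.exe is also flagged, because the default value
    has no path and a relocated or replaced explorer.exe is itself suspect.
    """
    return [e for e in parse_shell_value(value) if e.lower() != expected.lower()]


def read_shell_values():
    """Read the machine-wide and per-user Shell values (Windows only).

    The per-user value is absent on a stock system, so a missing key or
    value is simply skipped rather than reported as an error.
    """
    import winreg  # standard library, Windows only
    results = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
                results[name] = value
        except FileNotFoundError:
            pass
    return results


def scan(values):
    """Map each label to the suspicious entries found in its Shell value."""
    return {label: suspicious_shell_entries(v) for label, v in values.items()}


if __name__ == "__main__":
    # Constructed samples first, then the live registry when on Windows.
    for label, flagged in scan(SAMPLE_VALUES).items():
        print(f"{label:13s} -> {'OK' if not flagged else 'SUSPICIOUS ' + repr(flagged)}")
    if platform.system() == "Windows":
        for label, flagged in scan(read_shell_values()).items():
            print(f"{label:13s} -> {'OK' if not flagged else 'SUSPICIOUS ' + repr(flagged)}")
```

Run on a Windows host, the script also reads the real HKLM and HKCU values; elsewhere it only exercises the constructed samples, which is enough to check the parsing of quoted paths, arguments and mixed case.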

BKIS also highlighted an important feature of this campaign: to bypass spam filters, the message body is an
image rather than text. BKIS further states that, unfortunately, few AV products were able to detect the
malware spread by the e-mail at the time.

According to security experts, Oficla distribution campaigns of this kind are a major factor in the increase in
the number of e-mails carrying malicious attachments in recent months.

The security firm advises users to be cautious when opening e-mail attachments from unknown senders, and to be
wary of unsolicited e-mails whose content cannot be verified, in order to prevent malware infections.
