UPS Invoice Notification spam campagin (Nov. 23, 2011)

With the coming of holiday season, SonicWALL UTM Research team observed the surge in the online threats. Reports of email spam campaign containing malware attachment pretending to be coming from United Parcel Service (UPS) continue to flood email inboxes.

Computer users are advised to take precaution in opening unsolicited emails especially from unknown sender. UPS also hosted this presentation to raise awareness about UPS related scams.

The behavior of this malware is further discussed below:

Subject: United Parcel Service - Invoice is available

Attachment: UPS-Billing-Invoice-Notification-.zip

Message Body:

UPS Billing Center

This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

A new invoice is now available in the UPS Billing Centre.
Please refer to attached file for more details

Please visit the UPS Billing Centre to view and pay your invoice.

Coming Soon!
Effective January 2012, the UPS Billing Centre can be accessed using your My UPS ID.
Current UPS Billing Centre users will be prompted to convert to a My UPS ID. Learn more

Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

(c) 2011 United Parcel Service of America, Inc., the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

Files Created:

• Application DataSomonekpos.exe - copy of original malware - blocked as GAV:Kryptik.VUY
• Application DataAfisaawqide.myx - data file
• Application DataAfisaawqide.dat - data file

Harvests email addresses:

• Microsoft Address Book
• Internet Browser Cookies

Checks for installed client FTP:

• FlashFXP
• GhislerTotal Commander
• ipswitchws_ftp
• FarPluginsftphosts
• Far2Pluginsftphosts
• martin prikrylwinscp 2sessions
• ftpwarecoreftpsites
• smartftpclient 2.0settingsgeneralfavorites

Network Activity:

DNS Request: nos{removed}n.ru

Post Request: http://nos{removed}n.ru/become.php

Virtual Machine Detection:

Key: HKLMSystemCurrentControlSetServicesDiskEnum
Value: 0
Data:
• IDEDiskVMware_Virtual_IDE_Hard_Drive
• IDEDiskVBOX_HARDDISK

VNC Server Detection:

Tries to connect to VNC server and waits for the following response:
• RFB 003.003

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV:Kryptik.VUY (Trojan)