Is DHL Delivering Virus Attachments?

Shortly after posting about the UPS virus emails, we now see the virus attack campaign has morphed into a DHL version of the same virus attachment routine.

Just in case anyone is confused about the latest round of emails claiming to now be coming from DHL, let’s make it clear that if they contain an EXE and a ZIP attachment then they’re viruses.

Subject lines for this campaign are fairly similar, with a randomized number tacked onto the end to help avoid simplistic spam filters:

  • DHL Office. You need to get a parcel NR.0026
  • DHL International. Please get your parcel NR.7346
  • DHL International. Get your parcel NR.0883
  • DHL Express. Please get your parcel NR.1374
  • DHL Customer Services. Please get your parcel NR.7148
  • DHL Express Services. Please get your parcel NR.0062
  • DHL Express. Get your parcel NR.1289

And the “spoofed” from addresses are pretty consistent as well, claiming to come from a handful of variations on the DHL.com and DHL-Usa.com domains, with random fake names inserted as well:

  • “Support Pearl Dodson” <delivery@dhl-usa.com>
  • “Support Kelli Wesley” <package@dhl-usa.com>
  • “Support Emile Beal” <courier@dhl-usa.com>
  • “Support Barry Mansfield” <parcel@dhl-usa.com>
  • “Manager Ira Mccray” <office@dhl.com>

The body of the email is generally consistent and reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address. Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

The shipping label is attached to this e-mail. Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,

DHL Delivery Services.

Finally, the attachments, which carry the actual virus payload, are also easy to spot, claiming to be labels, with one an “exe” and the other a “zip” compressed file:

  • DHL_Label_Nr27481.zip
  • DHL_Label_Nr27481.exe

The virus campaign itself is spread by infected personal computers connected to the Internet all over the world, from sources as diverse as:

  • static.telewest.net [82.33.105.134]
  • static.netvigator.com [218.103.125.136]
  • dyndsl.versatel.nl [82.173.17.170]
  • dsl.monaco.mc [88.209.84.80]
  • [190.25.249.84] (helo=corporat190-025249084.sta.etb.net.co)
  • [87.111.90.15] (helo=cliente-72119.iberbanda.es)
  • [125.164.85.152] (helo=152.subnet125-164-85.speedy.telkom.net.id)

Opening or executing either of the attachments will result in adding your own PC to the list of infected spam zombies that are distributing this attack.
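The indicators listed above (subject pattern, spoofed From domain, executable attachment) can be checked mechanically. The following is an added example, not OnlyMyEmail's filter code: the function names are hypothetical, the sample message is constructed, and the subject pattern is widened slightly so that it also matches the "delivery problem" variants readers report in the comments.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_RE = re.compile(r"^DHL\b.*\bNR[. ]?\d{4,}\.?$", re.IGNORECASE)
SPOOFED_DOMAINS = {"dhl.com", "dhl-usa.com"}  # domains named in the post
# Only .exe appears in the post; .scr and .pif are added assumptions.
EXECUTABLE_EXT = (".exe", ".scr", ".pif")

def executable_names(part):
    """Return executable file names in an attachment, looking inside ZIPs."""
    name = part.get_filename() or ""
    if name.lower().endswith(EXECUTABLE_EXT):
        return [name]
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
        except zipfile.BadZipFile:
            return [name + " (unreadable zip)"]  # treat as suspicious
    return []

def indicators(raw):
    """Return the campaign indicators present in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg["Subject"] or ""):
        hits.append("subject")
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    if domain in SPOOFED_DOMAINS:
        hits.append("from-domain")
    for part in msg.iter_attachments():
        hits += ["attachment:" + n for n in executable_names(part)]
    return hits

def build_sample(subject, sender, zipped_name):
    """Constructed test message; the 'exe' is two placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipped_name, b"MZ")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.org"
    msg.set_content("The shipping label is attached to this e-mail.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Label_Nr27481.zip")
    return msg.as_bytes()
```

A From-domain hit alone is not proof of spoofing, since genuine DHL mail uses the same domain; it only becomes meaningful when combined with the attachment and subject hits.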

Here’s a PDF document from the DHL website referencing virus emails spoofed from the DHL.com domain:

http://www.dhl.com/publish/g0/en/new_virus.high.html


OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


5 Responses to “Is DHL Delivering Virus Attachments?”

  1. BOB MCCOWN says:

    HAVE JUST RECEIVED NEW VERSION OF THIS VIRUS – FORTUNATELY BLOCKED BY MCAFEE. TITLE WAS “DHL DELIVERY PROBLEM NR 26845312” FROM SOMEBODY NAMED LEA MCNAIR AT DATED APR 21, 2010.

  2. ron burks says:

    DHL Manager Lee Bautista [parcel.delivery@dhl.com]

    just received this today…..

  3. ericka says:

    received today:
    DHL delivery problem Nr01078. from: DHL Manager Corey Rasmussen

    Dear customer!

    Unfortunately we failed to deliver postal package which was sent on the 5th of
    February in time
    because the addressee’s address is wrong.
    Please print out the invoice copy attached and collect the package at our
    office.

    DHL International Services.

    Fortunately, McAfee did not allow the download.

  4. Donna Mueller says:

    my antivirus software blocked me from getting this virus thankfully!

    from: Director Tonia Lewis
    Thursday, May 06, 2010 8:29 AM
    subject: DHL Delivery Problem NR.79820
    DHL_invoice_6147.zip

    Hello!

    We failed to deliver the package which was sent on the 22nd of February in time
    because the recipient’s address is wrong.
    Please print out the invoice copy attached and collect the package at our office.

    DHL Customer Services.

    The information transmitted in this email and any of its attachments is intended only for the person or entity to which it is addressed and may contain Cablevision proprietary information, which is privileged, confidential, or subject to copyright belonging to Cablevision. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this in error, please contact the sender immediately and delete and destroy the communication and all of the attachments you have received and all copies thereof.

  5. HarBeK says:

    No anti-virus solution installed here, common sense is great prevention.

    Upon receiving this mail today, my mind stated a few things:

    1. If anyone was sending me something, I would already know about it.

    2. Knowing how many intentions there are on destroying the Internet
    around the world, ( especially from Nigeria… ) ‘bad’ mails can be quite
    easy to spot.

    3. I run the ‘view source’ on any ‘suspicious’ mails for better determination.
    Chances are, the supplied ‘sender’ address hardly ever matches valid company.

    4. If it appears to be ‘legit’…. good ‘ol net investigation – first. Run some
    searches, see what comes up ( how I arrived here…. ) and you generally find
    your answer.

    Thanks for others posting – hopefully none have been infected. Anti-virus solutions
    are ‘nice’… but most always fail anyhow – paying strict attention to where your
    computer ‘goes’ on the web ( as others may be using your system too… ) and
    having proper ‘block’ solutions will always help avoid ‘nasty’ behaviour infecting
    a system.

    Anyone using a computer merely blindly clicking on things, is bound to end up
    with a ‘very’ troubled computer system.

    I have a package due in tomorrow… shipped UPS not DHL so, auto-flagged this
    one.