Shortly after posting about the UPS virus emails, we now see the virus attack campaign has morphed into a DHL version of the same virus attachment routine.
Just in case anyone is confused about the latest round of emails claiming to now be coming from DHL, let’s make it clear that if they contain an EXE and a ZIP attachment then they’re viruses.
Subject lines for this campaign are fairly similar, with a randomized number tacked onto the end to help avoid simplistic spam filters:
- DHL Office. You need to get a parcel NR.0026
- DHL International. Please get your parcel NR.7346
- DHL International. Get your parcel NR.0883
- DHL Express. Please get your parcel NR.1374
- DHL Customer Services. Please get your parcel NR.7148
- DHL Express Services. Please get your parcel NR.0062
- DHL Express. Get your parcel NR.1289
The “spoofed” From addresses are pretty consistent as well, claiming to come from a handful of variations on the DHL.com and DHL-Usa.com domains, with random fake names inserted:
- “Support Pearl Dodson” <firstname.lastname@example.org>
- “Support Kelli Wesley” <email@example.com>
- “Support Emile Beal” <firstname.lastname@example.org>
- “Support Barry Mansfield” <email@example.com>
- “Manager Ira Mccray” <firstname.lastname@example.org>
The body of the email is generally consistent:
The courier company was not able to deliver your parcel by your address. Cause: Error in shipping address.
You may pickup the parcel at our post office personaly.
The shipping label is attached to this e-mail. Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
DHL Delivery Services.
Finally, the attachments, which carry the actual virus payload, are also easy to spot, claiming to be labels, with one an “exe” and the other a “zip” compressed file:
The virus campaign itself is spread by infected personal computers connected to the Internet worldwide, on networks as diverse as:
- static.telewest.net ([188.8.131.52])
- static.netvigator.com ([184.108.40.206])
- dyndsl.versatel.nl ([220.127.116.11])
- dsl.monaco.mc ([18.104.22.168])
- [22.214.171.124] (helo=corporat190-025249084.sta.etb.net.co)
- [126.96.36.199] (helo=cliente-72119.iberbanda.es)
- [188.8.131.52] (helo=152.subnet125-164-85.speedy.telkom.net.id)
Opening or executing either of the attachments will result in adding your own PC to the list of infected spam zombies that are distributing this attack.
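The traits described above (subject pattern, spoofed sender domain, EXE/ZIP attachment) can be combined into a simple mail-gateway check. This is an added example, not code from the original post or from any filtering product; the function names, sample addresses and attachment file names are constructed, and matching subdomains of the two sender domains is an assumption.

```python
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Subject shape seen in the samples: "DHL <unit>. <text> parcel NR.<4 digits>"
SUBJECT_RE = re.compile(r"^DHL [A-Za-z ]+\. .*\bparcel NR\.\d{4}$")
# Sender domains the post says are spoofed (subdomain matching is an assumption)
SPOOFED_DOMAINS = ("dhl.com", "dhl-usa.com")
# Attachment types the post names as the payload carriers
RISKY_EXT = {".exe", ".zip"}

def traits(msg):
    """Return the set of campaign traits a parsed message shows."""
    found = set()
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        found.add("subject")
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in SPOOFED_DOMAINS):
        found.add("from-domain")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if {os.path.splitext(n)[1].lower() for n in names} & RISKY_EXT:
        found.add("attachment")
    return found

def matches_campaign(msg):
    """DHL lure (subject or sender) combined with an EXE/ZIP attachment."""
    t = traits(msg)
    return "attachment" in t and bool(t & {"subject", "from-domain"})

def build(subject, sender, filenames):
    """Build a constructed test message; attachment bytes are inert filler."""
    m = EmailMessage()
    m["Subject"], m["From"] = subject, sender
    m.set_content("constructed body")
    for fn in filenames:
        m.add_attachment(b"inert", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m

if __name__ == "__main__":
    samples = [  # constructed messages, not captured mail
        build("DHL Express. Get your parcel NR.1289",
              '"Support Test Name" <test@dhl-usa.com>', ["label.exe", "label.zip"]),
        build("Your shipment is on its way", "notify@dhl.com", ["invoice.pdf"]),
        build("Project files", "colleague@example.org", ["src.zip"]),
    ]
    for m in samples:
        print(m["Subject"], sorted(traits(m)), matches_campaign(m))
```

Requiring both a lure trait and a risky attachment keeps ordinary DHL notifications and unrelated ZIP attachments out of the match.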
Here’s a PDF document from the DHL website referencing virus emails spoofed from the DHL.com domain:
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.