Is UPS Delivering Virus Attachments?

If you or anyone in your organization is confused about the latest round of emails claiming to be from UPS concerning delivery notices, let’s make it clear that if they contain an EXE and a ZIP attachment then they’re most certainly viruses.

Subject lines for this latest campaign are fairly similar, with a randomized number tacked onto the end to help avoid simplistic spam filters:

  • UPS Tracking Number 1890244.
  • UPS Delivery Problem NR.34839
  • UPS Delivery Problem Number 74426.

The spoofed “From” addresses are pretty consistent as well, claiming to come from three variations on a UPS.com address, with random fake names inserted:

  • UPS Manager Percy Peck <tracking.support@ups.com>
  • UPS Manager Norris Tyson <support@ups.com>
  • UPS Support Wanda Bates <tracking@ups.com>

The body of the email is generally consistent and reads:

Dear customer!

Unfortunately we failed to deliver postal package you have sent on the 1st of June in time because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our department.

United Parcel Service of America.

Finally, the attachments, which are the actual virus payload, are also easy to spot, claiming to be invoices, with one an “exe” and the other a “zip” compressed file:

  • UPS_invoice_NR15732.exe
  • UPS_invoice_NR15732.zip

The virus campaign itself is spread by infected personal computers connected to the Internet worldwide, on networks as diverse as:

  • dynamic.hinet.net
  • in-addr.btopenworld.com
  • adsl.cybercity.dk
  • web.vodafone.de

Opening or executing either of the attachments will no doubt result in adding your own PC to the list.
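The indicators listed above (subject pattern, a From address claiming ups.com, and `UPS_invoice_*` attachments ending in exe or zip) can be checked mechanically at the mail gateway. The following is an added example, not code from this post or from any OnlyMyEmail product; the function names, the regular expressions and the sample message are constructed for illustration, and the "exe" inside the sample zip is inert placeholder text.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns derived from the subject lines and attachment names quoted in this post.
SUBJECT_RE = re.compile(
    r"^UPS (?:Tracking Number|Delivery Problem (?:NR\.?|Number))\s*\d+\.?$", re.I)
ATTACH_RE = re.compile(r"^UPS_invoice_(?:NR)?\d+\.(?:exe|zip)$", re.I)

def score_message(raw: bytes) -> list:
    """Return the list of campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match((msg["Subject"] or "").strip()):
        hits.append("subject")
    sender = msg["From"]
    # The From header is trivially spoofed, so a ups.com claim is a signal, not proof.
    if sender and any(a.domain.lower() == "ups.com" for a in sender.addresses):
        hits.append("from-claims-ups.com")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment:" + name)
        if name.lower().endswith(".zip"):
            try:  # list the archive in memory; nothing is extracted to disk
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    if any(n.lower().endswith(".exe") for n in zf.namelist()):
                        hits.append("exe-inside-zip")
            except zipfile.BadZipFile:
                hits.append("unreadable-zip")
    return hits

def build_sample(sender, subject, attach_name=None) -> bytes:
    """Constructed test message; the 'exe' inside the zip is inert placeholder text."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("Dear customer! ...")
    if attach_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(attach_name.rsplit(".", 1)[0] + ".exe", b"placeholder, not a program")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample(
        "UPS Manager Percy Peck <tracking.support@ups.com>",
        "UPS Delivery Problem NR.34839", "UPS_invoice_NR15732.zip")))
```

A message that trips several indicators at once is a strong quarantine candidate; any single one, especially the From claim alone, would also match legitimate UPS mail.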

Here’s a PDF document from the UPS website referencing some older variations of spam, fraud and virus emails spoofed from the UPS.com domain:

http://www.ups.com/media/en/fraud_examples.pdf


OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


15 Responses to “Is UPS Delivering Virus Attachments?”

  1. Hi,

    I unintentionally downloaded the file, as I had a package sent out and wasn’t sure the address was correct, or how/which company it was shipped through. Now my outgoing e-mail account is blocked from sending out (probably because spam is being sent to my computer under my nose).

    Can anyone help? I’m running MacScan (Work on a Mac, not PC) to see if that locates the problem.

    Thanks,

    Bryan

  2. If you’ve only downloaded the file, then you’re likely still okay. However, if you’ve “clicked” and ran/opened the attachments then you’re no doubt infected. While we don’t provide tech support for these cases (we’re an anti-spam email filtering service) we can suggest:

    If you’re running MacScan (and it’s updated) then that sounds like the logical course of action.

    If you can’t get the system clean, then you may want to consider taking the additional step of running “Archive and Install” to put your system back to its original condition.

    For similarly infected Windows users, we can suggest that using “System Restore” to roll back your system to a time prior to the infection is a good first step.

    Then immediately download, install and update a good virus scanner. We like to recommend AVG from Grisoft because you can download a free version instantly, and more importantly, it doesn’t cause all the system issues and software conflicts we hear so much about from clients using Symantec and McAfee products.

    You can download AVG products from:
    http://www.avg.com/us-en/download?prd=afg

  3. casey ellis says:

    hey brian, the payload of the zip file is a windows executable which, even if clicked, should not run on mac osx.

    however, if you have parallels or vmware installed osx could be configured to run the file in a virtual machine.

    that said, it is a virus and shouldn’t be clicked on even under osx. better safe than infected.

  4. vulture says:

    another variation
    Subject: UPS Delivery Problem NR.31263129
    From: Postal Manager Mindy Reaves (support@ups.com)

  5. Jasmine Coleman says:

    Thank you so much for this! I do a lot of ebay purchases in December, and I got:

    Postal Support Audra Blake (support@ups.com)
    Dear customer!

    We were not able to deliver the postal package sent on the 13th of December in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office.

    United Parcel Service of America.


    I just googled support@ups.com and found this page. Thank you for the warning!

  6. Louise Henandez says:

    Hi,

    I received this:

    Dear customer!

    Unfortunately we were not able to deliver the package sent on the 24th of December in time because the recipient’s address is erroneous. Please print out the invoice copy attached and collect the package at our office.

    United Parcel Service of America.

    from help@ups.com

    I googled help@ups.com and landed on this page..

    thanks so much!

  7. Anthony Szostak says:

    I keep getting these messages. ups manager mervin rice ups document79337 zip. and ups delivery problem NR 12850. I have never opened any of them. my anti virus tells me not to, so I delete them. regards.

  8. Debra Comer says:

    A message was stopped by my Internet Provider due to them detecting a virus. They said the message was: Postal Manager Darius Sams
    UPS DELIVERY PROBLEM NR 30455
    I didn’t open it but I am concerned that there may be a package that won’t be delivered to my address and I am expecting a package. How can I find out if this is legitimate and if so, I need to get this delivered.
    Thank you, Debra Comer

  9. With that subject line and your ISP blocking it, there’s not much worry about it being legitimate.

    But if your ISP will deliver it to you then you can easily tell if it’s a virus based on the names of the attachments (as noted in our blog post on the topic).

  10. Jimy says:

    I’ve got this email

    Hello!

    We were not able to deliver the package which was sent on the 25th of February in time because the recipient’s address is inexact.
    Please print out the invoice copy attached and collect the package at our office.

    DHL Global Services.

    with an attachment: UPS_invoice_4228.zip.txt (145 B)
    when I opened it I got a text that said “This attachment was removed.”

    Does this mean my PC has been infected, or did our company anti-virus remove the virus from the email and replace it with a text file with the mentioned msg?

  11. Sounds like your anti-virus software removed the original attachment which protected your computer.

    It then replaced the “UPS_invoice_4228.zip” file attachment with a short text message attachment named “UPS_invoice_4228.zip.txt” to inform you that it removed the original file.

    So, your AV Software did what it’s supposed to, but it could certainly have a more useful/informative message.

  12. Jae says:

    Hi, I received the same email from DHL twice. I initially tried to open the attachment from my iPhone and it didn’t work.

    I receive emails every day, like 10 – 20 times per day since I first tried to open the attachment on my iPhone, but didn’t think it was related.

    So today, I stupidly opened the DHL email from my MacBook, and then downloaded the attachments. They were in a Zip file and so I extracted the file. When I opened it, it came up in like a note pad with all Chinese or Japanese writing. I then closed it and deleted it from “saved attachments” and the trash bin.

    The 20 emails I receive per day are from all different addresses (yahoo.com, hoss.com). I am not sure if I now have the virus? If I do then how do I know?

    I called my ISP and got a spam filter put on my account but I don’t know if this will fix the issue. How do you know if you have the virus and how do you get rid of it?


  13. Running a good virus scanning software is the only way to be absolutely sure, (we like AVG http://www.avg.com/us-en/homepage) but if you’re only running a MacBook then you’re safe from this particular infection, as it, like most, targets the Windows operating system.

    And, don’t be too concerned about the volume of these being sent to you as an indication that you’re infected.

    It might mean that users you’ve corresponded with in the past are infected. Since your address is in their address book, you are getting spammed with these. But the volume is no reflection on you or your system.

    Remember, re

  14. Sarah says:

    I got the same email and thank you for having this website! I figured it was a virus because it was posted in my spam file. lol. Fortunately I didn’t click on it an

  15. Mr. Trinborg says:

    Hi :)
    I got a mail from this ‘United Parcel Service (adsupport3@ups.com)’ , claiming something like this :

    ………..blablabla……..

    Dear customer.

    The parcel was sent your home address.
    And it will arrive within 7 business day.

    More information and the tracking number are attached in document below.

    Thank you.
    © 1994-2011 United Parcel Service of America, Inc.

    I knew that I wasn’t waiting for any deliveries, so therefore it had to be something malicious…
    So I Googled it, and ended up here :)

    Thanx:)

    I will report as spam at once!