DHL phishing

#1
Email arrived as copied below, with an attachment "DHL_invoice_6147.zip" which my AV filter recognised as having a virus in it and removed. As it is removed I can't identify the virus, but it is posted here for a warning.

Please do not open the attachment, as you will be exposed to the virus infection.

================================

X-SID-PRA: Director Jaime Floyd <parcel@dhl.com>

Received: from 189.88.1.206 by mail02.move.com; Thu, 6 May 2010 10:10:16 -0300
From: "Director Jaime Floyd" <parcel@dhl.com>
To: <**********@********.***>
Subject: DHL Delivery Problem NR.47097
Date: Thu, 6 May 2010 10:10:16 -0300
Importance: Normal
Return-Path: <turban@move.com>



Dear customer!

We were not able to deliver your postal package which was sent on the 6th of February in time
because the addressee's address is incorrect.
Please print out the invoice copy attached and collect the package at our department.

DHL Customer Services.


===============================

WHOIS - 189.88.1.206
owner: EMBRATEL-EMPRESA BRASILEIRA DE TELECOMUNICAÇÕES SA (10525)
% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/, respectivelly to cert@cert.br
% and mail-abuse@cert.br
 

Garreg Ddu

Administrator
#2
THIS ALERT HAS BEEN UPGRADED TO A DEFINITE MALWARE INFECTION ATTEMPT.

DO NOT CLICK ON THE ATTACHMENT TO THIS EMAIL, AS IT WILL RUN A PROGRAM TO DOWNLOAD A MALWARE INFECTION.




This one nearly caught me out, as I am expecting a delivery of dog food by DHL. However, being aware of the dangers I did an analysis of the email and checked everything. It does NOT come from DHL, but is part of an attempt to set up a malware botnet or similar nasty.
This is now definitely proven to be a new Malware infection attempt, related to a resurfacing of the "Bredolab" botnet.

Please read the next reply for more information.


From DHL Logistics Services Wed Nov 3 01:31:22 2010
Return-Path: <manager.id9575@dhl.com> The header has been forged, creating the impression it is from DHL, but....

X-Originating-IP: [65.202.244.251]

65.202.244.251 = FABER ORTHODONTICS Hatboro United States

Received: from 127.0.0.1 (HELO dhl.com) (65.202.244.251)
by mta1000.mail.ac4.yahoo.com with SMTP; Tue, 02 Nov 2010 18:31:32 -0700

From: "DHL Logistics Services" <manager.id9575@dhl.com>
To: <*************@********>
Bcc: <************@******.*****>
Subject: Track your parcel NR28867
Date: Tue, 02 Nov 2010 21:31:22 -0400




Wed, November 3, 2010 1:31:22 AM
Track your parcel NR28867
From: DHL Logistics Services <manager.id9575@dhl.com>
To: ********@*******.***

DHL_label_id.Nr1522.zip (30KB) The attached file - it is a "WINZIP" compressed file, with a .exe in it. It is being submitted to the correct places for detailed analysis.


--------------------------------------------------------------------------------

Dear client

Your parcel has arrived at the post office on October 05 <-- Why a post office if it is DHL - flag #1
Our Driver was unable to deliver the parcel to your address. DHL always puts a "Tried to Deliver" note through your letter box, with contact details - flag #2
To receive a parcel you must go to the nearest DHL office and show your mailing label. No, you telephone the DHL depot and arrange re-delivery- flag #3
You need to print mailing label, and show it in DHL office to receive the parcel. No native English speaking manager would write a sentence like this - flag #4

Thank you for your attention.
DHL Services.



And at the bottom of the email message, hidden by use of a white font colour, was this additional extra bit.




But the Fates had undertaken to act as mediators and make me the hero of a romance which ended so speedily, and in a manner which, though disagreeable, was so far from tragical, that if I desired to weave the story of my own life into a novel I should be ashamed to use the extensive apparatus employed by Destiny.Rather more than a week had passed since the last performance of The Robbers, when one day, late in the afternoon, the streets were filled with uproar. A fire had broken out, and as soon as Professor Braunes lesson was over I joined the human flood. The boiler in the Kubisch cloth factory had burst, a part of the huge building near it was in flames, and a large portion of the walls had fallen. When, with several school-mates, I reached the scene of the disaster, the fire had already been mastered, but many hands were striving to remove the rubbish and save the workmen buried underneath. I eagerly lent my aid. Meanwhile it had grown dark, and we were obliged to work by the light of lanterns.
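The header reading done in posts #1 and #2 above (find the IP the receiving server actually saw, ignore what the client claimed in HELO, and notice that the Return-Path does not match the From line) can be automated. The script below is an added example, not code from any poster or from DHL, and it answers the question asked later in the thread about where the "Received: from IP" comes from. The two messages it parses are constructed from the headers quoted in posts #1 and #2; recipient addresses and bodies are made up, and only the first Received: line of each message is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed samples modelled on the headers quoted in posts #1 and #2 above.
# They are not the posters' full raw messages; recipients and bodies are made up.
SAMPLE_POST2 = """Return-Path: <manager.id9575@dhl.com>
X-Originating-IP: [65.202.244.251]
Received: from 127.0.0.1 (HELO dhl.com) (65.202.244.251)
  by mta1000.mail.ac4.yahoo.com with SMTP; Tue, 02 Nov 2010 18:31:32 -0700
From: "DHL Logistics Services" <manager.id9575@dhl.com>
To: recipient@example.invalid
Subject: Track your parcel NR28867

Dear client
"""

SAMPLE_POST1 = """Received: from 189.88.1.206 by mail02.move.com; Thu, 6 May 2010 10:10:16 -0300
From: "Director Jaime Floyd" <parcel@dhl.com>
To: recipient@example.invalid
Subject: DHL Delivery Problem NR.47097
Return-Path: <turban@move.com>

Dear customer!
"""

# "from <claimed> (HELO <name>) (<ip>) by <mta>": <claimed> and <name> are whatever
# the connecting client sent; only <ip> and <mta> were written by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>[^\s;()]+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"
    r"(?:\s+\((?P<ip>[0-9A-Fa-f.:]+)\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def parse_received(value):
    """Parse one Received: header (folding whitespace removed); None if unrecognised."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None


def as_ip(text):
    """Return the text if it is an IP literal, otherwise None."""
    try:
        return str(ip_address(text))
    except (ValueError, TypeError):
        return None


def analyse(raw):
    """Return the connecting IP plus a list of header inconsistencies worth checking."""
    msg = message_from_string(raw)
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    stated_origin = msg.get("X-Originating-IP", "").strip("[] ") or None

    # Each MTA prepends its own Received: line, so the last one is the earliest hop
    # visible to us, and the only one whose recorded IP came from a server we trust.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    first = hops[-1] if hops else {"claimed": None, "helo": None, "ip": None, "by": None}
    origin_ip = first["ip"] or stated_origin or as_ip(first["claimed"])

    if as_ip(first["claimed"]) and ip_address(first["claimed"]).is_loopback:
        flags.append("client introduced itself as loopback %s; the real address is %s"
                     % (first["claimed"], origin_ip))
    if first["helo"] and from_domain and first["helo"].lower().endswith(from_domain):
        flags.append("HELO '%s' repeats the From domain but is client-supplied; "
                     "check WHOIS/rDNS of %s instead" % (first["helo"], origin_ip))
    if stated_origin and first["ip"] and stated_origin != first["ip"]:
        flags.append("X-Originating-IP %s disagrees with the Received IP %s"
                     % (stated_origin, first["ip"]))
    if return_path and from_addr and return_path.lower() != from_addr.lower():
        flags.append("Return-Path %s is not the From address %s: envelope sender differs"
                     % (return_path, from_addr))
    return {"origin_ip": origin_ip, "helo": first["helo"],
            "receiving_mta": first["by"], "flags": flags}


if __name__ == "__main__":
    for label, raw in (("post #2", SAMPLE_POST2), ("post #1", SAMPLE_POST1)):
        r = analyse(raw)
        print(label, "->", r["origin_ip"], "via", r["receiving_mta"])
        for f in r["flags"]:
            print("   !", f)
```

The address the script returns is the one to put into a WHOIS lookup, as the posters did; everything before the receiving MTA's own "by" clause is untrusted input from the spam bot.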
 

Garreg Ddu

Administrator
#3
Feedback from McAfee Virus Laboratory.

From: <Virus_Research@avertlabs.com>
Sent: Wednesday, November 03, 2010 1:50 PM
To: <**********.**********@*****.***>
Subject: 6308370 - Possible malware threat in email.

McAfee Labs - Beaverton
Current Scan Engine Version:5400.1158
Current DAT Version:6154.0000
Thank you for your submission.

Analysis ID: 6308370

File Name        Findings        Detection        Type     Extra
---------------  --------------  ---------------  -------  -----
dhl_label.exe    new detection   bredolab.gen.c   Trojan   yes
email.txt        inconclusive                              no

Attached is a file for extra detection, which will be included in a future DAT set. We
have detected a virus or trojan that can only be detected and removed with the
attached EXTRA.DAT and current scan engine. The EXTRA.DAT must be used with the
current scan engine, and we highly recommend you update to the most current DAT
release. If you are not seeing this with the product you are using, please speak with
technical support so they can help you determine the cause of this discrepancy.

inconclusive [email.txt]

Upon analysis the file submitted does not appear to contain one of the 200,000 known
threats in the AutoImmune database. The file may contain a new threat, or no code
capable of being infected. Your submission is being forwarded to an McAfee Labs
Researcher for further analysis. You will be contacted by McAfee through e-mail with
the results of that analysis.

new detection [dhl_label.exe]

The file received contains a new virus or trojan. It is recommended that you update
your DAT and engine files and scan your computer again.

To find detailed information about viruses and other malware, please review McAfee
Labs' Virus Information Library:

http://vil.mcafeesecurity.com

You may wish to submit future malware samples to:

https://www.webimmune.net/default.asp

It may be the best option if you are having a problem with gateway scanners stripping
your sample submission.

If you believe your computer is infected, but are unsure which files should be
submitted to McAfee Labs for review, please visit:

http://vil.mcafeesecurity.com/vil/submit-sample.aspx

For other virus-related information, please review McAfee Labs' homepage at:

http://www.mcafee.com/us/threat_center/default.asp

Support -

Virus Research accepts file-samples for analysis and possible inclusion into AV
signature DAT sets. We are also prepared to answer general virus questions. All
product-related questions and comments can be addressed through technical support and
customer service, including:

* Product installation and update questions
* Product usage questions
* Specific operating system/version questions
* Assistance with detection and cleaning or removal of viruses or trojans

Use the following link to update your DAT and scan engine to the most current version:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Use the following links to reach online technical support for McAfee products -

Corporate Customers:

http://www.mcafeesecurity.com/us/support/

Single User/Retail Customers:

http://www.mcafeehelp.com

Note -

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,



McAfee Labs
 

basenji

Administrator
#4
I reached the scene of the disaster, the fire had already been mastered, but many hands were striving to remove the rubbish and save the workmen buried underneath. I eagerly lent my aid. Meanwhile it had grown dark, and we were obliged to work by the light of lanterns.
An extract from 'The Story of My Life from Childhood to Manhood' by Georg Ebers, a German. In the golden days of diploma mill spams (when University Degree Program was more active than today), extracts from various 19th century novels were inserted at the end of the emails in this way - often as an image, not text - to confuse spam filters. I guess it's an attempt to make a spam bot unrecognisable.
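Posts #2 and #4 describe the trick of padding the message with novel text in a white font so that a spam filter sees a very different message from the one the reader sees. The parser below is an added example, not code from the thread or from any filter vendor; it separates what a human would see from what is hidden by colour, size or display style and reports the hidden fraction. The HTML it runs on is constructed from the body quoted in post #2 plus the two hidden extracts, since the original message source was not posted.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the visible scam text quoted in post #2 plus filler hidden
# the way the posters describe.  It is not the real message source.
SAMPLE_HTML = """<html><body>
<p>Dear client</p>
<p>Your parcel has arrived at the post office on October 05<br>
Our Driver was unable to deliver the parcel to your address.</p>
<p>Thank you for your attention.<br>DHL Services.</p>
<p><font color="#FFFFFF">But the Fates had undertaken to act as mediators and make me
the hero of a romance which ended so speedily</font></p>
<div style="color: white; font-size: 1px">Rather more than a week had passed since the
last performance of The Robbers</div>
</body></html>"""

WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}
VOID = {"br", "hr", "img", "meta", "link", "input"}   # enclose no text


def hides_text(attrs):
    """True if the tag's attributes make its text invisible on a white background."""
    a = {k.lower(): (v or "") for k, v in attrs}
    style = a.get("style", "").lower().replace(" ", "")
    color = a.get("color", "").lower().strip()
    m = re.search(r"(?:^|;)color:([^;]+)", style)
    if m:
        color = m.group(1)
    if color in WHITE:
        return True
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"font-size:(0|1|0\.\d+)px", style) is not None


class HiddenTextParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_depth = 0   # number of enclosing tags that hide their content
        self.stack = []         # per open tag: does it hide content?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        h = hides_text(attrs)
        self.stack.append(h)
        self.hidden_depth += h

    def handle_startendtag(self, tag, attrs):
        pass   # <br/> and friends never enclose text

    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        self.hidden_depth -= self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden if self.hidden_depth else self.visible).append(text)


def split_visible_hidden(html):
    """Return (visible_text, hidden_text) for an HTML mail body."""
    p = HiddenTextParser()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


def hidden_ratio(html):
    """Fraction of words a reader would never see; a high value is a filter-evasion tell."""
    visible, hidden = split_visible_hidden(html)
    v, h = len(visible.split()), len(hidden.split())
    return h / (v + h) if v + h else 0.0


if __name__ == "__main__":
    vis, hid = split_visible_hidden(SAMPLE_HTML)
    print("visible:", vis)
    print("hidden :", hid)
    print("hidden ratio: %.2f" % hidden_ratio(SAMPLE_HTML))
```

Feeding a Bayesian filter only the visible text (and scoring the hidden ratio separately) removes the benefit the spammer gets from the padding; the same split also exposes the "ominous" passages other posters found by highlighting.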
 
#5
DHL Scam with a different hidden message

11/3/10 received the DHL scam already documented here, with the usual "DHL Label" which is really an EXE. But this one has a different hidden message, kind of ominous for its religious radicalism. It's done in white font but exposed through highlighting - "hidden" message below. Anyone seen this?


"He ordered all to pray that the Lord might lift up His Church, protect it from the wiles of the enemy, extirpate heresies, grant peace and true unity among Christian princes, and mercifully avert disasters already coming near.But if the language of Paul V. was measured and decent, the swarm of Jesuit pamphleteers that forthwith began to buzz and to sting all over Christendom were sufficiently venomous. Scioppius, in his Alarm Trumpet to the Holy War, and a hundred others declared that all heresies and heretics were now to be extirpated, the one true church to be united and re-established, and that the only road to such a consummation was a path of blood."
 

Garreg Ddu

Administrator
#6
Hi Bruce Davey,

Welcome to AFI and thank you very much for your post.

If you still have the email, is it possible for you to post the headers here, so that we can get more information about where it is coming from? Please check out the threads at How to find email headers and Basic email header analysis tools - a short tutorial for how to do this.

You may wish to submit the email and attachment to the support team at your own AntiVirus software provider, as well. You should be able to find out how to do this on their support web-site.

Thank you very much,

Garreg Ddu
 

Garreg Ddu

Administrator
#7
Confirmed by Sophos - and detection/removal instructions.

From: Sophos Support
Sent: Wednesday, November 03, 2010 7:44 PM
To: ********@********
Subject: [#2536112] RE: Sample submitted for analysis (IDENTITY CREATED)


Hello,

Thank you for contacting Sophos Technical Support.

**Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.


---

To create a new Full System Scan to clean up threats

You should turn off System Restore before running a Full System Scan. Go to Start > Control Panel > Performance and Maintenance. Double-click System and then select the System Restore tab. Select the Turn off System Restore on all drives checkbox, then click Apply and then Yes.
Right click the blue Sophos shield on the taskbar and choose "Open Sophos Anti-Virus"
Click on "Scans". Give the scan a name, ensure you have checkmarked all of the local hard drives and removable drives under My Computer and click on "Configure this scan" at the bottom.
On the Options tab, ensure that Scanning level is set to "Normal (recommended)". Under Scanning options, ensure that "Scan all files", "Scan for adware/PUAs", "Scan for suspicious files" and "Scan for rootkits" are checkmarked.
Click on the Cleanup tab. Ensure that "Automatically clean up items that contain virus/spyware" is checkmarked and the two radio buttons are set to "Deny access only" (which actually means to leave the virus there, but block all access to it if cleanup fails). Checkmark "Automatically clean up adware/PUAs" and click OK.
Click on "Save and Start". Reboot the computer once the scan completes.
Once the computer is available, please repeat the scan to ensure a full cleanup.
---

Alternatively, you can create a Sophos Bootable Anti-Virus CD and scan the machine from the bootable environment. Please contact Sophos Technical Support for information on how to obtain this tool and if it's appropriate for you.


Please do not hesitate in contacting us by replying to this email if you have any questions or concerns.

Kind regards,

Sophos Technical Support
knowledgebase: http://www.sophos.com/support
Subscribe to email notifications: http://www.sophos.com/security/notifications

New! SophosTalk community (discussion forums): http://community.sophos.com

SOPHOS - simply secure
 

Garreg Ddu

Administrator
#8
Another attempt to pass on the infection.

Another email has been found with a malware infected file attached.

PLEASE DO NOT DOWNLOAD AND RUN THE ATTACHED FILE, AS IT WILL INFECT YOUR COMPUTER WITH A BOTNET TROJAN.

The infection is known to, and detected by Norton, Sophos, McAfee and Kaspersky Labs Anti-Virus systems, and probably by others now as well.


From DHL Global Tue Nov 9 00:29:15 2010
Return-Path: <usps.no.0589@dhl.com>

X-Originating-IP: [209.112.147.122]

Received: from 127.0.0.1 (HELO dhl.com) (209.112.147.122)
by mta1242.mail.mud.yahoo.com with SMTP; Mon, 08 Nov 2010 17:29:21 -0800

Origin IP Address = 209.112.147.122 = Alaska Communications Systems Group, Anchorage, Alaska, United States

From: "DHL Global" <usps.no.0589@dhl.com>
To: ************@*******.***
Bcc:

Subject: DHL Delivery Problem No654887
Date: Mon, 08 Nov 2010 16:29:15 -0800

DHL_mailing_label_No14033.zip This is the attached, malware infected file.

Good afternoon!

Your package has been returned to the DHL office.
The reason of the return is - Incorrect delivery address of the package ! Flag #1 - Grammar is bad.

Attached to the letter mailing label contains the details of the package delivery. ! Flag #2 - Grammar is bad again.
You have to print mailing label, and come in the SDF office in order to receive the packages. ! Flag #3 - Grammar is bad yet again. What has an "SDF" office to do with DHL?

Thank you for attention.
DHL Customer Services.




Note the addition of another hidden text stream, trying to confuse email system spam filters.


Entendez-moi, ma fille, cest en vous, dans la soumission, dans la purete, dans lamour, que Dieu a mis la force de votre union.A ce moment, il y eut un rire, a lautre bout de leglise. Lenfant venait de se reveiller sur la chaise ou lavait couche la Teuse. Mais il netait plus mechant; il riait tout seul, ayant enfonce son maillot, laissant passer des petits pieds roses quil agitait en lair. Et cetaient ses petits pieds qui le faisaient rire. - Mon cher frere, reprit labbe Mouret, a demi tourne vers le grand Fortune, cest Dieu qui vous accorde aujourdhui une compagne; car il na pas voulu que lhomme vecut solitaire. Mais, sil a decide quelle serait votre servante, il exige de vous que vous soyez un maitre plein de douceur et daffection. Vous laimerez, parce quelle est votre chair elle-meme, votre sang et vos os. Vous la protegerez, parce que Dieu ne vous a donne vos bras forts que pour les etendre au-dessus de sa tete, aux heures de danger.
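Every sample in this thread is a small zip whose single member is an .exe named like a shipping label (dhl_label.exe in post #3, and later EX-38463.pdf.zip). The script below is an added example, not code from the posters or from any AV vendor: it triages such an attachment without extracting it, flagging executable and double extensions, a DOS/PE "MZ" header behind a harmless-looking name, and an extreme compression ratio. The zip it inspects is constructed in memory; its "programs" are a two-byte MZ stub plus padding, not real executables, and the member names are modelled on those quoted in the thread.

```python
import io
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
            ".jar", ".msi", ".dll", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".htm", ".html"}


def name_findings(name):
    """Reasons a file name alone is suspicious for a 'mailing label' attachment."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    exts = ["." + p for p in parts[1:]]
    out = []
    if exts and exts[-1] in EXEC_EXT:
        out.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT | {".zip"}:
        out.append("double extension disguised as " + exts[-2])
    return out


def build_sample():
    """Constructed stand-in for the attachments in this thread.  The 'exe' members
    are a 2-byte MZ stub plus padding, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("dhl_label.exe", b"MZ" + b"\0" * 62)
        z.writestr("EX-38463.pdf.exe", b"MZ" + b"\0" * 62)
        z.writestr("label.txt", b"MZ at the start: a program wearing a .txt name")
        z.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()


def triage(data, attachment_name):
    """Inspect a zip attachment without extracting it; returns {name: [reasons]}."""
    findings = {}
    outer = name_findings(attachment_name)
    if outer:
        findings[attachment_name] = outer
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with z.open(info) as fh:
                magic = fh.read(2)         # read only the header, never run it
            ext = ("." + info.filename.lower().rsplit(".", 1)[-1]
                   if "." in info.filename else "")
            if magic == b"MZ":
                reasons.append("DOS/PE 'MZ' header"
                               + ("" if ext in EXEC_EXT else " behind a non-executable name"))
            if info.compress_size and info.file_size / info.compress_size > 100:
                reasons.append("compression ratio %.0f: possible decompression bomb"
                               % (info.file_size / info.compress_size))
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in triage(build_sample(), "DHL_label_id.Nr1522.zip").items():
        print(member)
        for r in reasons:
            print("   !", r)
```

Run against a real sample, do it on an isolated machine and pass the archive on to the vendors as the posters did; the point of reading only the first two bytes of each member is that nothing inside the zip is ever written to disk or executed.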
 

Garreg Ddu

Administrator
#9
Another attempt

This time the text and viral payload are slightly different. As usual, all has been passed over to McAfee, Sophos and Kaspersky Labs for investigation. McAfee are very quick and already have done the analysis, found the malware and updated their systems to detect and kill it.


From DHL Global Services Tue Nov 16 10:24:36 2010
Return-Path: <contact.s.nr1811@dhl.com>

X-Originating-IP: [14.194.61.89]

Origin IP address = 14.194.61.89= Tata Teleservices Limited -GSM Division, India

From: "DHL Global Services" <contact.s.nr1811@dhl.com>
Subject: DHL Delivery Problem S.NR706037450
Date: Tue, 16 Nov 2010 10:24:36 +06-30

There is an attached ZIP file, DHL_Information_S.Nr99643.zip which contains the Malware payload.


The company could not deliver your package to your address.
The package was returned to DHL office.
Information about your package is attached to the letter.
Look through the information about your package thoroughly.


Thank you for using our services.
DHL Global Mail.


With the usual attempt to beat filters with hidden text at the end:

If female descent went for anything, it is not clear why Herbert passed by the rights of his two elder sisters, Gersendis, wife of Azo Marquess of Liguria, and Paula, wife of John of La Fleche on the borders of Maine and Anjou.And sons both of Gersendis and of Paula did actually reign at Le Mans, while no child either of Herbert or of Margaret ever came into being. If Herbert ever actually got possession of his country, his possession of it was short. He died in 1063 before either of the contemplated marriages had been carried out. William therefore stood towards Maine as he expected to stand with regard to England. The sovereign of each country had made a formal settlement of his dominions in his favour. It was to be seen whether those who were most immediately concerned would accept that settlement. Was the rule either of Maine or of England to be handed over in this way, like a mere property, without the people who were to be ruled speaking their minds on the matter?


================================

The McAfee report is:


From: <Virus_Research@avertlabs.com>
Sent: Tuesday, November 16, 2010 3:32 PM
To: <**********@***********>
Subject: 6352417 - Suspected Malware infection attempt. Please see attached zip file.


McAfee Labs - Beaverton
Current Scan Engine Version:5400.1158
Current DAT Version:6168.0000
Thank you for your submission.

Analysis ID: 6352417

File Name              Findings        Detection            Type     Extra
---------------------  --------------  -------------------  -------  -----
dhl_information.exe    new detection   generic backdoor.u   Trojan   yes
dhl_information_s.nr   inconclusive                                  no

Attached is a file for extra detection, which will be included in a future DAT set. We
have detected a virus or trojan that can only be detected and removed with the
attached EXTRA.DAT and current scan engine. The EXTRA.DAT must be used with the
current scan engine, and we highly recommend you update to the most current DAT
release. If you are not seeing this with the product you are using, please speak with
technical support so they can help you determine the cause of this discrepancy.

inconclusive [dhl_information_s.nr99643.txt]

Upon analysis the file submitted does not appear to contain one of the 200,000 known
threats in the AutoImmune database. The file may contain a new threat, or no code
capable of being infected. Your submission is being forwarded to an McAfee Labs
Researcher for further analysis. You will be contacted by McAfee through e-mail with
the results of that analysis.

new detection [dhl_information.exe]

The file received contains a new virus or trojan. It is recommended that you update
your DAT and engine files and scan your computer again.

To find detailed information about viruses and other malware, please review McAfee
Labs' Virus Information Library:

http://vil.mcafeesecurity.com

You may wish to submit future malware samples to:

https://www.webimmune.net/default.asp

It may be the best option if you are having a problem with gateway scanners stripping
your sample submission.

If you believe your computer is infected, but are unsure which files should be
submitted to McAfee Labs for review, please visit:

http://vil.mcafeesecurity.com/vil/submit-sample.aspx

For other virus-related information, please review McAfee Labs' homepage at:

http://www.mcafee.com/us/threat_center/default.asp

Support -

Virus Research accepts file-samples for analysis and possible inclusion into AV
signature DAT sets. We are also prepared to answer general virus questions. All
product-related questions and comments can be addressed through technical support and
customer service, including:

* Product installation and update questions
* Product usage questions
* Specific operating system/version questions
* Assistance with detection and cleaning or removal of viruses or trojans

Use the following link to update your DAT and scan engine to the most current version:

http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Use the following links to reach online technical support for McAfee products -

Corporate Customers:

http://www.mcafeesecurity.com/us/support/

Single User/Retail Customers:

http://www.mcafeehelp.com

Note -

Due to the prevalence of network gateway AV products, it is important that all
submissions be zipped and the zip file password-protected (password - infected). Some
products will reject an email that contains a virus that is not sent in this way. In
addition, often we receive a file that appears not to have been infected, to find
later that the file was infected when it left the sender, and was cleaned somewhere
along the line.

Regards,



McAfee Labs
 

Dororo

Administrator
#10
It has a zip file.

From DHL Services
Return-Path: <customerservice.s.nr5404@dhl.com>
Received: from 65.40.229.0, America server, Florida, Embarq Corporation, [abuse@embarqservices.net]
From: "DHL Services" <customerservice.s.nr5404@dhl.com>
Subject: DHL Shipment Status S.NR018536
Date: Mon, 15 Nov 2010

Dear Customer!

The company could not deliver your package to your address. The package was returned to DHL office. Information about your package is attached to the letter. Look through the information about your package thoroughly.

Thank you for your attention.
DHL Customer Services.
 

Nanook

Administrator
#13
Received: from 70.69.247.15, Calgary, Canada, Shaw Communications Inc.,
From FedEx Delivery Service
Return-Path: <federal.nr.4572@managerscom>
From: "FedEx Delivery Service" <federal.nr.4572@managerscom>
Bcc: <lotp875@comcast.net>
Subject: FedEx service. Get your parcel NR.S.980890
Date: Tue, 16 Nov 2010

* FedEX_Information_IDS9906.zip FedEX_Information_IDS9906.zip

Dear client!

The company could not deliver your package to your address. The package was returned to FedEx office. Information about your package is attached to the letter. Look through the information about your package thoroughly.

Thank you for using our services.
FedEx Express Services.
 

Naruto

Administrator
#14
From FedEx service
Return-Path: <infoio@fedex.com>
Received: from 203.202.249.82, Bangladesh, Aamra Networks Limited
Reply-To: "FedEx service" <infoio@fedex.com>
From: "FedEx service" <infoio@fedex.com>
Subject: FedEx notice
Date: Sun, 20 Mar 2011

FedEx docs.zip


Dear customer.

The parcel was sent your home address.
And it will arrive within 7 business day.

More information and the tracking number are attached in document below.

Thank you.
© FedEx 1995-2011
 
#15
FedEx system notification

FedEx system notificationSunday, 3 April, 2011 6:36
From: "FedEx" <info10bykyb@fedex.com>
Message contains attachments1 File (7KB)FedEx-document.zip

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 FedEx, Inc.

>>> Yeah, as if I'm gonna click on that one >>>> These guys are persistent idiots!!!
 
#16
Received: from 203.202.249.82, Bangladesh, Aamra Networks Limited


Hi Naruto,

Can you please tell me how to find that bit so I can include it in my posts? Pretty please :)
 

Sphinx

Administrator
#18
I don't know who these bozos are but it looks like they are going to try every single delivery service. It's a good thing they aren't attaching anything with this mail.

Received: from 217.97.178.33, Poland Ppuh Net Center Stepniewski Piotr. [abuse@telekomunikacja.pl]
From: "DHL Global" <supplet@dhl.com>
To: <noijam@netscape.net>
Subject: DHL Express Services
Date: Mon, 4 Apr 2011

Dear customer

The parcel was sent your home adress And it will arrive within 10 business days

More information and the tracking number are attached in document below.

Thank You

1994-2011 DHL Express Services, Inc.
 

Central Scrutinizer

Administrator
#19
From Trcking system
Return-Path: <infoqteze@tracking-system.com>
Received: from 91.28.247.89, Germany, Deutsche Telekom AG, [abuse@telekom.de]
Date: Wed, 13 Apr 2011
From: "Trcking system" <infoqteze@tracking-system.com>

Dear customer,

The parcel was sent your home adress It will arrive within 7 business days

More information and the tracking number are attached in document below.

Thank You
Copyright © 1994-2011 DHL, Inc. All rights reserved.

Nice little file attached: EX-38463.pdf.zip Oh yeah, don't open that file.
 

Girl1

New Member
#20
And again,,,,

From : DHL Inc. <adminjftgzym@dhl.com>

Subject : DHL Delivery Services notification #3536283

with 1 (one) file as attachment

"Dear customer.

The parcel was sent your home address! And it will arrive within 7 business day.

More information and the traching number are attached in document below!

Thank you.
Best regards.


2011 DHL International GmbH. All rights reserved".
 