Beware of malware attached to fake US Postal Service (USPS) emails

andy | October 26, 2011

Lately we have been researching the ways malware gets onto computers through the Internet, and one newer route deserves a warning: fake US Postal Service e-mails are being used to spread malware in a way that does not look suspicious. Rogues such as System Restore and System Recovery are currently being distributed through this channel. To be clear, the real US Postal Service has nothing to do with this content; the people behind it are after money and are trading on the trust users place in USPS. All of these e-mails carry a new variant of the Dofoil Trojan horse, and once it has been running on a computer for a while it can download further malicious components from the web. The structure of these e-mails is shown below.

Fake USPS e-mail screenshot:

Subject variants:

  • USPS Shipment Status IDxxxx
  • USPS service. Get your parcel IDxxxx
  • USPS Invoice copy IDxxxx
  • USPS Tracking number IDxxxx

Attachment:

Post_Label#id[Random Digits].zip

Note that the Trojan executable inside the ZIP file can present itself with a Microsoft Word document icon (visible in the screenshot above), so a file that looks like a document may in fact be a program. The fake US Postal Service e-mail itself looks like the one shown above; everything it says is fabricated and nothing in it should be trusted. The body text reads:

Hello,
Your parcel has arrived at the post office on [date]. Our Driver was unable to deliver the parcel to your address. To receive a parcel you must go to the nearest USPS office and show your post label. Label is attached to this letter. Thank you. USPS Customer Services.
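The lure above combines a USPS subject line, a ZIP attachment named Post_Label#id&lt;digits&gt;.zip, and an executable inside it dressed up with a document icon. The following is an added example of how a mail gateway or analyst script could triage a message against exactly those three indicators; it is not code from the original post or from the Trojan Killer product, and the subject/attachment patterns, the sample zip and the "Post_Label.doc.exe" member name are constructed here for illustration.

```python
import io
import re
import zipfile

# Subject and attachment patterns taken from the variants listed in the post.
SUBJECT_RE = re.compile(r"^USPS\b.*\bID\d+\s*$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Post_Label#id\d+\.zip$", re.IGNORECASE)
# Extensions Windows will execute on double-click regardless of the icon shown.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def executable_members(zip_bytes):
    """Return names of zip members that are Windows executables, judged by
    extension or by the 'MZ' PE header (a document-looking name with an MZ
    body is the icon-spoofing trick the post describes)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            if ext in EXEC_EXTS or head == b"MZ":
                hits.append(info.filename)
    return hits


def triage_mail(subject, attachment_name, attachment_bytes):
    """Check one message against the campaign's indicators.
    Returns a list of reasons; an empty list means nothing matched."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches USPS lure pattern")
    if ATTACHMENT_RE.match(attachment_name):
        reasons.append("attachment name matches Post_Label#id<digits>.zip")
    if attachment_name.lower().endswith(".zip"):
        try:
            execs = executable_members(attachment_bytes)
        except zipfile.BadZipFile:
            reasons.append("attachment claims to be zip but is not a valid archive")
            execs = []
        for member in execs:
            reasons.append(f"zip contains executable: {member}")
    return reasons


def build_sample_zip(member_name, payload):
    """Constructed sample: build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message resembling the lure: a Word-like name hiding a PE file.
    sample = build_sample_zip("Post_Label.doc.exe", b"MZ" + b"\x90" * 64)
    for reason in triage_mail("USPS Tracking number ID73912", "Post_Label#id73912.zip", sample):
        print("flag:", reason)
```

The MZ check matters more than the extension check: an attacker who renames the dropper does not change its header, and a gateway that only looks at names will miss it.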

Once the user extracts and runs the executable inside the ZIP attachment, the following activity is observed:

  • It creates an SVCHOST.EXE process and injects its code into it.
  • It copies itself to %Application Data%\csrss.exe and deletes the original executable. (The legitimate csrss.exe lives in %windir%\System32; a copy in the user's profile is a sign of compromise.)

The executable then downloads further malware, such as:

  • %windir%\system32\msrepl40A.exe
  • %windir%\system32\wbcache8.exe
  • sl20.exe
  • setup.exe
  • 574-01.exe
  • sssss.exe

It also adds the following registry entries. Note that the Policies\Explorer\Run key is an autostart location that is inspected far less often than the usual Run key, which is why the dropped components are registered there:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
    Data: "C:\WINDOWS\System32\wbcache8.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft
    Data: "C:\WINDOWS\System32\msrepl40A.exe"

Network activity detected:

HTTP GET requests:

  • http://live{DELETED}128.ru/m07/index.php
  • http://suteki{DELETED}disc.jp/walking-diet/
  • http://image{DELETED}ing.be/

DNS requests detected (hostname only; the earlier HTTP GET goes to this host):

  • live{DELETED}128.ru

Hosts file modification detected:

The malware adds the following entries to the hosts file (on Windows, %windir%\System32\drivers\etc\hosts) so that these torrent websites resolve to the local machine and cannot be reached:

  • 127.0.0.1 thepiratebay.org
  • 127.0.0.1 www.thepiratebay.org
  • 127.0.0.1 mininova.org
  • 127.0.0.1 www.mininova.org
  • 127.0.0.1 forum.mininova.org
  • 127.0.0.1 blog.mininova.org
  • 127.0.0.1 suprbay.org
  • 127.0.0.1 www.suprbay.org
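The file, registry and hosts-file indicators above are what an analyst would sweep a suspect machine for. The following is an added example of such a sweep in Python; it is not code from the original post or from the Trojan Killer product. It parses hosts-file text and flags loopback-sinkholed names, and checks the values of a Run key for the dropped filenames or for autostarts from the user profile. The sample hosts text and Run-key values in the block are constructed; on Windows the script reads the real hosts file and the HKCU Policies\Explorer\Run key via winreg, and on other systems it falls back to the constructed samples. The LOOPBACK_OK whitelist and the choice to treat setup.exe as a hit (noisy, needs a manual look) are assumptions made here.

```python
import os
import re

# Indicators from the post: domains sinkholed in the hosts file and the names of
# dropped or downloaded components. Generic names such as setup.exe will be
# noisy and need a manual look at the full path.
KNOWN_SINKHOLED = {
    "thepiratebay.org", "www.thepiratebay.org",
    "mininova.org", "www.mininova.org", "forum.mininova.org", "blog.mininova.org",
    "suprbay.org", "www.suprbay.org",
}
DROPPED_NAMES = {n.lower() for n in (
    "csrss.exe", "msrepl40A.exe", "wbcache8.exe",
    "sl20.exe", "setup.exe", "574-01.exe", "sssss.exe",
)}
# Loopback names a stock hosts file may legitimately carry (assumed whitelist).
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
# Default Windows locations (assumption: standard %SystemRoot%).
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()


def suspicious_hosts_entries(text):
    """Return (hostname, reason) for every name mapped to loopback that is not a
    normal localhost entry; hits on the campaign's list are tagged as such."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK_IPS and host not in LOOPBACK_OK:
            reason = "known Dofoil sinkhole" if host in KNOWN_SINKHOLED else "unexpected loopback mapping"
            findings.append((host, reason))
    return findings


def suspicious_run_values(values):
    """values: {value_name: data} as read from a Run key. Flags data whose executable
    name is a dropped component, or that autostarts from the user profile (the
    real csrss.exe lives in System32 and is never a Run-key entry)."""
    findings = []
    for name, data in values.items():
        path = data.strip().strip('"')
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in DROPPED_NAMES:
            findings.append((name, data, "autostart points at a known dropped filename"))
        elif re.search(r"%application data%|\\application data\\|\\appdata\\", path, re.IGNORECASE):
            findings.append((name, data, "autostart from the user profile directory"))
    return findings


def read_hkcu_run_values(subkey=RUN_SUBKEY):
    """On Windows, enumerate the values under HKCU\\<subkey>; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = str(data)
                index += 1
    except OSError:
        pass  # key absent: nothing registered there, which is the clean state
    return values


if __name__ == "__main__":
    # Constructed samples so the script also runs on a clean or non-Windows machine.
    sample_hosts = "127.0.0.1 localhost\n127.0.0.1 thepiratebay.org www.thepiratebay.org\n"
    sample_run = {"Epsilon Squared": r'"%Application Data%\csrss.exe"'}
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        hosts_text = sample_hosts
    run_values = read_hkcu_run_values() or sample_run
    for host, why in suspicious_hosts_entries(hosts_text):
        print(f"hosts: {host}: {why}")
    for name, data, why in suspicious_run_values(run_values):
        print(f"run key: {name} = {data}: {why}")
```

Flagging any non-localhost loopback mapping, not just the eight domains listed here, is deliberate: later variants change the list, but the technique of sinkholing sites through the hosts file stays the same.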

So what should users do to avoid falling into this trap? Be careful with every e-mail that claims to come from the US Postal Service and check whether it is genuine; a real delivery notice does not ask you to open a ZIP file. Pay particular attention to messages with ZIP attachments, and never run an executable found inside one, whatever icon it shows. If you have already opened such a fake US Postal Service e-mail attachment, we can help: the removal guide for the virus follows below.

4 Comments

  1. sonny says:

    hello,

    I purchased your Trojan Killer software and was able to fix my laptop (Windows XP) after it was infected with the USPS System Fix virus. It worked for a couple of days but was infected by the same virus again. It seems that not all of the virus was eliminated from my system. It's back to its infected state again, what should I do? Help!!!

  2. admin says:

    Hello sonny,
    If you have some problems with the removal or just some questions, please, write us here:
    http://trojan-killer.net/support/

    We will help you to cope with your problem.

  3. boatman says:

    Hi, I got the USPS virus. I feel really stupid for unzipping the file and running it. It has completely taken over my computer. The desktop is black without icons, the "Start" button has nothing in it. It's blocked me from everything. Microsoft Security Essentials detects it but doesn't remove it or stop it from acting. Will Trojan Killer run if I introduce it to my infected computer (Windows XP) via thumb drive?

  4. boatman says:

    Also, given that the free trial only removes 5 viruses or whatever, will it remove this Trojan horse in its entirety?
