Malware/Virus delivered through fake e-mail from UPS
I have had several incidents this week of customer systems being infected by executables attached to e-mails appearing to be from UPS.
Looking around the blogs, these e-mails seem to have a higher than normal infection rate. The infection is time-consuming to get rid of, makes the infected machines unusable and creates a huge number of network connections.
The exact subject line of the e-mails that have been received is:
UPS Tracking Number 5440074870
Attached to the e-mail is a zip file containing an executable which, when executed, installs "XP Security Center".
Much more information about the detail of the actual e-mail can be found on the Trend Malware Blog. The worrying thing about this e-mail is that both of the machines that it infected have their e-mail filtered by very well known external third-party mail systems, then have virus scanning on their own Exchange servers and finally on their desktop machines. At the moment this e-mail is still slipping through the net.
This virus does a LOT of clever things to prevent you from getting rid of it. I noticed that when trying to run Autoruns from Sysinternals, it just would not work. Renaming the Autoruns executable allows it to run. It also stops you from being able to install/download Windows Defender, disables System Restore and removes the System Tools program group, amongst other things.
Not a very sophisticated solution, but for now I have edited the Exchange IMF custom weighting file on customer systems to ensure that messages with "UPS Tracking" in the subject line are never delivered to the recipients and are definitely classed as spam.
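A subject-line rule only holds until the next run of the campaign changes its wording. A more durable check looks at what the message actually carries: a zip archive whose member is a Windows executable. The Python below is an added example, not code from the original post, from Trend or from Microsoft; it builds a constructed message in the shape described above (the sender address, body text and the fake "executable", which is just an MZ header and padding, are made up), then classifies it on two signals: whether the subject matches the lure, and whether any zip attachment contains a member with an executable extension or an `MZ` header. The second check is deliberately name-independent so a renamed `.exe` inside the archive is still caught. Where to wire this in (an MTA milter, an Exchange transport agent) is left to the reader.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly; all commonly seen inside zip lures.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Subject pattern of the campaign described in the post.
SUBJECT_RE = re.compile(r"\bUPS Tracking\b", re.IGNORECASE)


def make_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory zip with a single member (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def zip_contains_executable(data: bytes) -> list:
    """Return the names of zip members that look like Windows executables.

    A member is flagged if its name ends in an executable extension OR its
    first two bytes are the DOS/PE 'MZ' magic, so renaming the file does
    not hide it. A malformed archive yields no hits rather than an exception.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                by_name = info.filename.lower().endswith(EXEC_EXTS)
                with zf.open(info) as fh:
                    by_magic = fh.read(2) == b"MZ"
                if by_name or by_magic:
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return hits


def classify_message(raw: bytes) -> dict:
    """Classify a raw RFC 822 message: 'block', 'quarantine' or 'allow'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    findings = {"subject_match": bool(SUBJECT_RE.search(subject)), "executables": []}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Look inside anything named .zip OR carrying the zip local-header magic,
        # so a zip renamed to .dat is still inspected.
        if filename.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            for member in zip_contains_executable(payload):
                findings["executables"].append(f"{filename}:{member}")
    if findings["executables"]:
        findings["verdict"] = "block"          # executable inside an archive: never deliver
    elif findings["subject_match"]:
        findings["verdict"] = "quarantine"     # lure subject without a payload: hold for review
    else:
        findings["verdict"] = "allow"
    return findings


def build_sample(with_exe: bool = True) -> bytes:
    """Constructed sample message in the shape of the lure (not a real capture).

    with_exe=True attaches UPS_invoice.zip containing a fake .exe;
    with_exe=False attaches the same archive name holding only a text file.
    """
    if with_exe:
        archive = make_zip("UPS_invoice_5440074870.exe", b"MZ" + b"\x00" * 62)
    else:
        archive = make_zip("tracking.txt", b"Your parcel is on its way.")
    msg = EmailMessage()
    msg["From"] = "UPS Tracking <tracking@example.com>"   # placeholder; real lure spoofs UPS
    msg["To"] = "user@example.org"                         # placeholder recipient
    msg["Subject"] = "UPS Tracking Number 5440074870"
    msg.set_content("Please print the attached invoice to collect your parcel.")
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample(with_exe=True)))
    print(classify_message(build_sample(with_exe=False)))
```

Treating "executable inside a zip" as a hard block rather than a spam-score bump is the point: the post notes the message passed three layers of scanning, so a structural rule that does not depend on signatures or subject text gives a second, independent line of defence.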
I had written a separate post on how to remove the virus manually, but at the moment I am still monitoring the infected machines to ensure they are completely clean.
Had similar stories here this week…what a horrible piece of code!