Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a United Parcel Service (UPS) notification regarding parcel delivery. The text in the e-mail message instructs the recipient to open an attached .zip file to view a tracking number and other details for the parcel. However, the .zip attachment contains a malicious .exe file that, when executed, could infect the system with malicious code.
E-mail messages that are related to this threat (RuleID3195 and RuleID3195KVR) may contain the following files:
USPS_Document.zip
USPS_Document.exe
The USPS_Document.exe file in the USPS_Document.zip attachment has a file size of 39,936 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x5E24703B1A65A03242A2BB6D1A4CB1C1
A variant of the USPS_Document.exe file in the USPS_Document.zip attachment has a file size of 32,768 bytes. The MD5 checksum is the following string: 0x7ED0CA41C4AD2883E56A5C04690671A3
A third variant of the USPS_Document.exe file in the USPS_Document.zip attachment has a file size of 39,424 bytes. The MD5 checksum is the following string: 0xA9A440968A18E8B5A45F83A7A8786953
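The following triage check is an added example, not part of the Cisco alert: it flags executable members inside a .zip attachment and compares each one's MD5 checksum and size against the three values listed above. The suffix list, the size limit, the function names and the constructed sample attachment are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Indicators copied from the alert text: MD5 (lowercase hex) -> file size in bytes.
ALERT_MD5 = {
    "5e24703b1a65a03242a2bb6d1a4cb1c1": 39936,
    "7ed0ca41c4ad2883e56a5c04690671a3": 32768,
    "a9a440968a18e8b5a45f83a7a8786953": 39424,
}
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")  # assumption: what counts as executable
MAX_MEMBER_BYTES = 10 * 1024 * 1024               # assumption: refuse to unpack larger members


def triage_zip(data, known=ALERT_MD5):
    """Return one finding (dict) per executable member of a .zip attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "verdict": "unreadable-archive"}]
    findings = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(EXEC_SUFFIXES):
                continue
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                # Encrypted or oversized: cannot hash safely, still worth flagging.
                findings.append({"name": name, "verdict": "executable-unhashed"})
                continue
            payload = archive.read(info)
            digest = hashlib.md5(payload).hexdigest()
            # A hash hit is a known sample; any other executable still matches the
            # delivery pattern, and the alert already lists three differing variants.
            hit = known.get(digest) == len(payload)
            findings.append({"name": name, "md5": digest, "size": len(payload),
                             "verdict": "known-sample" if hit else "executable-in-zip"})
    return findings


def constructed_sample():
    """Constructed, harmless stand-in attachment: same member name, benign bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("USPS_Document.exe", b"benign placeholder bytes")
        z.writestr("readme.txt", b"not an executable")
    return buf.getvalue()
```

Because the three listed variants already differ in size and checksum, the "executable-in-zip" verdict matters as much as an exact hash match when deciding whether to quarantine a message.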
The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: United Parcel Service notification #17020
Message Body:
Dear customer.
The parcel was sent to your home address.
And it will arrive within 3 business days.More information and the tracking number are attached in document below.
Thank you.
United Parcel Service.
http://tools.cisco.com/security/center/viewAlert.x?alertId=22361