Amusing UPS/Fedex Malicious Email

Yesterday I received this UPS email with a malicious zipped attachment.

A couple of hours later, I get another one. This one had Fedex content but the “from” and “subject” lines were still showing “UPS”.

Another two or so hours pass and a third one arrives. They got the content and “from” line correct but the “subject” line is still wrong.

Then several hours later, all of the fixes are made and the final “fake” Fedex email arrives.

The attachment, “parcel information.exe”, when uploaded to VirusTotal shows over 52% coverage.

If it’s executed, a new binary, “pusk.exe”, is dropped and contacts two additional servers:

hxxp://variantov[.]com/pusk.exe
hxxp://searchand[.]org/404.php?type=stats&affid=531&subid=01&awok
hxxp://searchboth[.]org/pica1/531-direct

The binary makes changes to the system so certain functions don’t work (like accessing Task Manager). It also scans browser history files and pretends to find errors on the PC.
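The tells described in this post (a courier-branded message whose From, Subject and body do not agree, a ZIP attachment that holds an executable, and the three hosts listed above) can be turned into a simple mail-side triage check. The script below is an added example, not code from the post; the indicator hosts are taken from the URLs above, while the sample message, sender address and the placeholder bytes standing in for “parcel information.exe” are constructed for the demonstration.

```python
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hosts taken from the defanged indicators listed in the post.
IOC_HOSTS = {"variantov.com", "searchand.org", "searchboth.org"}

# Extensions a courier notification should never deliver as an attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

COURIERS = ("ups", "fedex")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://a[.]b) into its real form for matching."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def executable_names(names):
    """Return the file names whose final extension is an executable type."""
    return [n for n in names if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]


def courier_mentions(text: str) -> set:
    """Return the set of courier brands named in a piece of text."""
    lowered = (text or "").lower()
    return {c for c in COURIERS if c in lowered}


def analyze_message(raw: bytes) -> dict:
    """Inspect a raw RFC 5322 message and return triage findings:
    executable attachments (directly or inside a ZIP) and mixed courier branding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject, sender = str(msg["Subject"] or ""), str(msg["From"] or "")
    findings = {"subject": subject, "from": sender, "flags": []}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if executable_names([name]):
            findings["flags"].append(f"executable attachment: {name}")
        # ZIP local-file header magic, so a renamed archive is still inspected
        if name.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in executable_names(zf.namelist()):
                        findings["flags"].append(f"executable inside {name}: {member}")
            except zipfile.BadZipFile:
                findings["flags"].append(f"unreadable zip attachment: {name}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    brands = courier_mentions(sender) | courier_mentions(subject) | courier_mentions(body)
    if len(brands) > 1:
        findings["flags"].append("mixed courier branding: " + ", ".join(sorted(brands)))
    return findings


def match_iocs(text: str) -> list:
    """Return the post's IOC hosts that appear in text such as proxy or DNS logs."""
    hosts = set(re.findall(r"https?://([^/\s:]+)", refang(text)))
    return sorted(hosts & IOC_HOSTS)


def build_sample() -> bytes:
    """Constructed sample: UPS in From/Subject, Fedex in the body, and a ZIP that
    holds 'parcel information.exe' made of harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("parcel information.exe", b"MZ placeholder, not the real binary")
    msg = EmailMessage()
    msg["From"] = "UPS <noreply@example.invalid>"  # constructed sender
    msg["Subject"] = "UPS parcel notification"
    msg.set_content("Your Fedex parcel could not be delivered. See the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="parcel information.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in analyze_message(build_sample())["flags"]:
        print(flag)
    print(match_iocs("hxxp://variantov[.]com/pusk.exe"))
```

Run on the constructed sample it reports the executable inside the ZIP and the UPS/Fedex mismatch; `match_iocs` accepts the defanged form used in the post, so the list can be pasted straight from the write-up into a log search.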

This particular binary has very low coverage on VirusTotal.

Posted on: 05/11/2011