

UPS Virus Warning (UPS/Fed Ex Delivery Failure)

By David Emery, July 15, 2008


Update: Newer alerts about the same security threat described below are circulating under the header "UPS/FedEx/DHL Virus." These warnings are mostly accurate and should be taken seriously. If you receive messages from any of these parcel delivery companies directing you to open an attached "invoice," simply delete it. Do not open it. The file could contain a virus.

Example of an alert circulating in June 2009:
Subject: To ALL : UPS / FedEx / DHL Virus...No joke!

The newest virus circulating is the UPS/Fed Ex Delivery Failure. You will receive an email from UPS/Fed Ex Service along with a packet number. It will say that they were unable to deliver a package sent to you on such-and-such a date. It then asks you to print out the invoice copy attached. DON'T TRY TO PRINT THIS. IT LAUNCHES THE VIRUS! Pass this warning on to all your PC operators at work and home. This virus has caused Millions of dollars in damage in the past few days.

Original posting: UPS has issued a warning about a new computer virus circulating as an attachment to emails purporting to originate from the "UPS Packet Service." The warning is authentic. The virus is real.

The bogus messages, titled "UPS Delivery Failure" or "Your Tracking #," etc., claim a parcel sent by the user was undeliverable due to an incorrect mailing address. The user is instructed to open an attachment containing a copy of the invoice. The attachment actually contains a virus which may infect the user's computer.

As a general rule, Internet users should always be wary of opening unknown file attachments, and maintain up-to-date antivirus protection on their computers at all times.
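One way a mail filter can check for the pattern described above, a zip attachment that holds a program instead of a document, shown as an added example that is not part of the original article. The sample messages are constructed, and the helper names, size limits and the extension list beyond .exe and .scr are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs directly. .exe and .scr are the ones reported on
# this page; the rest of the set is an assumption for the example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MAX_DEPTH = 2                        # levels of zip-inside-zip to open
MAX_NESTED_BYTES = 10 * 1024 * 1024  # do not unpack nested archives above this


def is_executable_name(name):
    # Only the last suffix decides how Windows opens a file, so
    # "invoice.pdf.exe" counts. Trailing dots and spaces are ignored.
    cleaned = name.replace("\\", "/").rstrip(" .")
    return PurePosixPath(cleaned).suffix.lower() in EXECUTABLE_EXTS


def _scan_zip(data, label, depth, findings):
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((label, "unreadable zip archive"))
        return
    with archive:
        for info in archive.infolist():
            path = f"{label}!{info.filename}"
            if is_executable_name(info.filename):
                findings.append((path, "executable inside zip"))
            elif info.filename.lower().endswith(".zip"):
                encrypted = info.flag_bits & 0x1
                too_big = info.file_size > MAX_NESTED_BYTES
                if encrypted or too_big or depth >= MAX_DEPTH:
                    findings.append((path, "nested archive not inspected"))
                else:
                    _scan_zip(archive.read(info), path, depth + 1, findings)


def scan_message(raw):
    """Return (path, reason) pairs for attachments that should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append((name, "executable attachment"))
        elif name.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            _scan_zip(payload, name, 1, findings)
    return findings


def make_zip(members):
    # Build a zip in memory from {member name: bytes}; constructed test data.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


def make_message(attachment_name, attachment_bytes):
    # Constructed sample modelled on the bogus notices quoted on this page.
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <sender@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "UPS Delivery Failure"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    placeholder = b"placeholder bytes, not a program"
    samples = {
        "zip with exe": make_message(
            "UPS_invoice.zip", make_zip({"UPS_invoice.exe": placeholder})),
        "zip with pdf": make_message(
            "invoice.zip", make_zip({"invoice.pdf": placeholder})),
    }
    for label, raw in samples.items():
        print(label, "->", scan_message(raw) or "nothing flagged")
```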

Text of the UPS alert:
Attention Virus Warning

We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This email attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

Read more about it:
UPS: Protect Yourself Against Fraud - UPS website
FedEx: Virus Alert - FedEx Website
DHL Fraud Alert - DHL Website
Warning About the UPS/FedEx Virus - WTOC-TV News
UPS Spam Is Trojan-Spy.Zbot.YETH - About.com: Antivirus Software
Email Allegedly from UPS Delivers a Computer Virus - Minneapolis Star Tribune


Comments

July 15, 2008 at 5:19 pm
(1) Flair says:

We are currently cleaning 2 workstations at client sites with this virus. It contained “XP Antivirus 2008”.

July 16, 2008 at 6:46 am
(2) John says:

I received a bogus UPS email a few days ago. It said that a package I sent was undeliverable. Luckily, the email was poorly constructed, and it was rather obvious it was fake (kind of like the Paypal & eBay hoax emails), so I did not click on anything. Remember: BE CAREFUL!!

July 16, 2008 at 6:21 pm
(3) Paul says:

ummm… so let’s talk specifics here. what is the payload? why is this not listed on SANS or any major security vendor websites? Try googling this and see what you come up with other than my friend’s niece got this and her computer totally locked up. my BS detector is going hog wild with this one.

July 16, 2008 at 7:29 pm
(4) urbanlegends says:

The payload is the Agent.JEN Trojan delivered via a .zip file which, if run, introduces a copy of the Trojan into the computer.

Phony UPS Emails Used as Bait to Spread the Agent.JEN Trojan (Panda Security)

July 20, 2008 at 7:13 pm
(5) JohnWW says:

I received such a UPS email this morning (21 July 2008), with a ZIP file attached which was supposed to be an “invoice”. (If it was an invoice, it would be as a formatted text file like PDF or DJVU or DOC file, or a graphics image like JPG or GIF or PNG or TIF or PCX). I immediately suspected that it was a $cam or a virus, and did not run the EXE file inside the ZIP. However, the antivirus program AVG, which is updated daily, did NOT detect the Agent.JEN Trojan or any other virus in it, in either the ZIP file or the enclosed EXE file.

July 21, 2008 at 7:44 pm
(6) Lou says:

Be afraid! Be very, VERY AFRAID! I’m talking about rough package handling by UPS….not viruses. Ask a UPS employee about their outdated sorting equipment and the volume of damaged packages in their repair department. I’m never shipping with them again.

July 22, 2008 at 6:17 am
(7) pete says:

it got me cause I’m a fool, what can I do to get rid?

October 12, 2010 at 4:45 pm
(8) Shamika says:

hahahahahahahahaahhahahhahahahahhahahha

July 22, 2008 at 9:14 am
(9) Landie says:

My Nortons didn’t flag it. But I’d already twigged that it was a payload carrying email. Needless to say, I’ve quarantined and submitted the sample.

October 27, 2010 at 4:21 pm
(10) patcharoony says:

opened the ups package, norton stopped it dead in its tracks. well pleased.

July 22, 2008 at 12:12 pm
(11) Jennie says:

I was not very smart, and opened this attachment, and now have the virus. How do I get rid of it? I can’t connect to the internet, I have tried using netscape and explorer. I do have McAfee. I’m not super computer savvy, but am good at following directions. Thanks for any help you can give.

July 22, 2008 at 1:05 pm
(12) AHH! says:

This virus is very real. And when you are in a shipping department this one can get you. It seems familiar enough for you to open. Until you do, then it is too late!

July 23, 2008 at 3:26 am
(13) Ian says:

We have 5 computers, all with bullguard anti-virus which did not detect the intrusion. The UPS virus has infected one of the computers having got by the B.T. Firewall, which deleted the incoming virus on all the other machines and was opened by an operator.
So far bullguard support has been unable to get rid of it. Has anybody else had any success getting this off their machines yet?

July 23, 2008 at 4:56 am
(14) vin says:

Does any geek know how to get rid of this? It went into windows/profic file name ups_invoice 4 files in total we deleted it but still popping up. Help please

July 23, 2008 at 9:45 am
(15) JJ says:

Very real. Not sure of how much damage, but a few employees opened and our server crashed. Working on it this morning. I use Kaspersky antivirus on my laptop and had no issues.

July 23, 2008 at 10:27 am
(16) Andre says:

A good antivirus program will prevent the infection. Kaspersky stops it right away, and even AVG deleted it upon downloading the attachment. Norton/Symantec Corporate/McAfee/CA/bullguard all allow the virus to take over the system. A knowledgeable professional is needed to remove the resulting infections.

July 23, 2008 at 7:21 pm
(17) David says:

Believe it. Just paid Dell $130 to clean up the havoc it caused.

July 23, 2008 at 8:49 pm
(18) poison apples says:

this virus is real…our reception opened it as we commonly use UPS for a courier, it required manual removal and tampered with our antivirus (nortons) which didn’t pick it up. we had to pay nortons an extra $100 to remove it. I thought that was BS what’s the point of buying their software then.

July 24, 2008 at 12:07 am
(19) Rachele says:

I did receive the email but because it was a zip file I did not download it but it did open the zip window. Am I correct in thinking that I do not have the virus if I did not open or download the actual file? I noticed the email (United Parcel Service [otymvh@brainsworkgroup.com]) and did not open it.

July 24, 2008 at 5:09 am
(20) Laurentio says:

So far this is the only way to remove the UPS virus. Follow the given link and do as instructed to fix UPS virus.
http://support.bicester-computers.com/showthread.php?t=18

July 24, 2008 at 8:31 am
(21) Leslie says:

Even though the email had many red flags, a couple of not-so-savvy people opened it. The virus rendered all applications frozen, including our anti-virus software and required several hours of tech support to remedy.

July 24, 2008 at 9:49 am
(22) Steve says:

I was able to remove the virus from two machines where the user opened the attachment. One way was to do a System Restore in WinXP back several days and the other was to download and run Malware Bytes.

July 24, 2008 at 3:52 pm
(23) Dale says:

Yes, this is real. It is a Trojan. So far Adaware 8.0 and Symantec’s Norton have not been able to get rid of it. They both find it, but cannot delete. I forwarded it to both software companies’ web sites. XP Pro keeps flagging that the workstation is infected. We put our outside Tech support on it.

July 24, 2008 at 4:20 pm
(24) Jacqueline says:

I was dumb enough to fall for it too! I am computer savvy to an extent and it caught me early in the morning when I was still a bit groggy! However, It isn’t a very dangerous virus, but it does have a very irritating Red X message (telling you your computer is infected after you’ve run a system scan – but that IS the virus!) from the System Tray and it tries to sell you some phony software to “fix” the problem. Symantec and the rest have known about the issue since May, but because of the way it infects Windows they seem to be struggling with preventing it and cleaning it when it does get in. The fix actually requires a Windows Registry edit and some other steps that my IT guy at work was able to do. If you are having trouble, I would follow the steps that your virus protection gives you and if all else fails call a computer support company and have them help you. You don’t want this thing in your computer for long! Good luck!

FYI: I just received an email today – the same virus only this time it is from US Customs. It basically says the same thing as the UPS email. Needless to say, I didn’t open it this time!

July 25, 2008 at 11:57 am
(25) Ruth says:

We had the UPS Virus a few days back. We are now receiving this payload again with email purporting to come from Customs (that was yesterday). Today’s variant has a subject relating to “Your airline ticket”. In our case they said they come from Delta (haha, right). At this point, Symantec Corporate is not able to remove the virus. It is detected, but can not be removed.

July 25, 2008 at 1:17 pm
(26) Dummy 1 says:

I have a MAC.

I accidentally clicked on this as I was going to erase it.

It put TWO files in my MAIL DOWNLOAD folder.

Am I infected? One file was an .exe file and the other the ZIPPED file. I deleted both.

Anyone know if this has infected my MAC?

August 19, 2011 at 9:22 pm
(27) gjhghjf says:

no you’re not. exe is windows executable file. osx can’t open it. zip is just a compression of that file.
you’re ok!

July 25, 2008 at 3:56 pm
(28) Jodi says:

Norton and McAfee never catch anything…I took McAfee off my computer and installed another antivirus that has caught everything. Haven’t had to test the UPS trojan, though. After reading this, I WON’T be testing my antivirus against it!!!

July 25, 2008 at 4:20 pm
(29) Jay says:

I got the same email from Canada Customs. Says I had a package waiting and needed to clear it, please fill out attached form yada yada yada. Since I am smart enough to know I am not expecting anything, and smart enough to know that any file with a .exe or .ZIP sent through email is likely to be bad news, I just ignore them. If it was paperwork attached it would be in the form of a DOC or PDF likely.

July 26, 2008 at 11:02 am
(30) Noel says:

2 of our PCs got caught with this virus, it took the Norton’s guys 2 attempts and 6 hours to clear it off. Nasty.

As well as the one from customs, there is another one going around, saying your credit card has been debited with $400+ for airline tickets with an attached copy of the receipt.

July 26, 2008 at 7:44 pm
(31) law says:

We had this infection on Thursday, 24 July 2008 around 4pm EST. The approach was similar- a delivery failure notification with all the relevant information correct: Store Number, Time, Date, Tracking Number.

Huge problem. It was followed by an offer to download a fix for XXX$. The download was charged to my wife’s credit card in rubles within 15 minutes.

The ‘fix’ did nothing, and my wife, who is fairly savvy, wasn’t able to remove the viruses on her own. With one phone call, Norton took over, and after several hours of work, she got her system back, for which we are most appreciative.

Still, we had to close all our bank accounts, cancel all ATM/ credit cards, automatic payments, etc., and go through the re-start process. Nothing was stolen from our savings or checking accounts, but what a nuisance!

I blame UPS for not making the problem known. All the specific information supporting this scam was known only to UPS.

Best advice I can give is to ask Norton to help. They did a great job of disinfecting.

July 27, 2008 at 9:22 am
(32) John Smith says:

It is not UPS’s fault. Period.
Norton Antivirus or any Antivirus won’t help at all. Period.
I have followed a link posted above and thank God it did clean my computers. Thanks for the forum and here is the link:

http://support.bicester-computers.com/forumdisplay.php?f=31

Good luck!

July 29, 2008 at 11:33 pm
(33) ASlater says:

I got an e-mail with a FEDEX attachment after I got the UPS e-mail. I copied the # it gave, went to FEDEX site and sure enough, no packages. I hope someone can spread the word, it’s not just UPS. They say both companies are working harder because of gas prices – more people shopping online.

July 30, 2008 at 5:13 am
(34) pAUL says:

the UPS delivery virus rumour is true, my computer was affected by it I had to do a `clean` install of xp beware!

July 30, 2008 at 10:14 am
(35) Cath says:

We just received a copy of this email in French. Just a little twist on the original message. One of our work computers was infected, but it is now clean and working well.

August 1, 2008 at 7:13 pm
(36) Alicia Rhoades says:

I have the virus and now I can’t even turn on my computer. It loops from the start and when you log in your computer it restarts itself and the process starts over and over and over and over. How do I fix a problem when I can’t even get in to the computer to fix it in the first place? Can someone help?

August 10, 2008 at 1:44 pm
(37) Julian says:

To manually remove, rename the trojan, look in the c:\Windows and c:\Windows\System32 folders for the most recent files, normally Buritos.exe and braviax.exe, but others may be possible. You can’t delete them because the programs are running, but you can rename them. You should then copy some other .exe, such as winhlp.exe and rename it to match the trojan files. (This prevents the files being recreated.)

Now open the device manager and view->show hidden devices. Now uninstall Beep and delete the beep.sys driver. You can then scan for hardware changes and the proper beep.sys will be reinstalled.

Reboot and all should be well. You don’t even need to drop into safe mode to do this.

August 13, 2008 at 7:04 pm
(38) matt says:

i am genuinely waiting for a UPS package which is late that i sent from Australia, so i’ve been away and not too savvy on recent viruses….so opened it and my computer is suffering!!

August 14, 2008 at 5:41 pm
(39) neil says:

This is how I got rid of the virus

First you need to stop the program from loading on startup. This is what you do to stop it:

Start, run

Type msconfig

Go to Startup tab

Uncheck lphc35dj0e1an
Uncheck rhc75dj0e1an

Click apply, then ok
Restart computer

Then you need to delete the main files this program uses. Delete the following files:

C:\windows\system32\lphc35dj0e1an.exe
C:\program files\rhc75dj0e1an\rhc75dj0e1an.exe

This should remove the program from your system but you probably still have a warning message displayed as your wallpaper in Windows and the virus removed the ability to change the wallpaper or your desktop settings.

To restore ability to change your desktop settings and select a different wallpaper and screen saver do the following:

Start, run

type Gpedit.msc

Navigate to User configuration, Administrative Templates, Control Panel, Display

Right click on Remove Display in Control Panel
Click on Properties and select Disabled

Do the same steps to change the following attributes to disabled:

Hide Desktop Tab
Prevent changing wallpaper
Hide Appearance and Themes tab
Hide Settings tab
Hide Screen Saver tab

You should now be able to use your computer normally and change the wallpaper to something other than the warning message Antivirus XP 2008 set it to.

August 15, 2008 at 1:23 am
(40) Maggie says:

I got this email at work…was very early in the morning and our server had crashed and burned the day before..the “infection” notification came a few hours later…our tech ended up spending a whole lot of time cleaning the computer and actually ended up having to basically remove everything from my computer and reinstall all of the programs again…fortunately, because the server had been down (some emails were not working), we figured out what the cause was and when all other email addresses worked again in the office, we knew exactly what we were looking for. Sometimes it is very easy to become dependent on your antivirus and believe that it will stop ANY THREAT that comes your way. At least now we know better.

August 19, 2008 at 7:05 pm
(41) corey says:

Somehow this virus got in our computer and that email wasn’t opened it was deleted we are running avg it catches the virus and quarantines it but by that time my desktop has changed it and have run multiple scans with no luck and run my avg spyware one run after the other and still flooded with crap so am now running malwarebytes antimalware hope it works a lot of forums have said to try it fingers are crossed gl to all trying to get rid of this horror if i cant get rid i will get rid of it by backing over my lappy plz dont come to that hehehe

August 20, 2008 at 10:37 pm
(42) jeffpeterson says:

The reason it’s called a virus is because it evolves. Yesterday I got several calls for cleaning up after this, and it’s not just Braviax and Buritos, there is a host of other viruses and spywares this time.

August 20, 2008 at 10:55 pm
(43) jeffpeterson says:

Alicia, if you or someone you know is fairly tech-savvy, there is a way to boot from a Linux CD, download a free antivirus software and update it, then clean your machine by booting from the CD. That way anything the virus controls while Windows is booted, is nullified.

First you, or someone who likes you, need to go to
http://www.knopper.net/knoppix-mirrors/index-en.html
and download the image file from a site that is geographically near you, and then burn the image onto a cd.

Then you need to download and install a software called Antivir, so you can scan your hard drive from a Linux kernel. Here is a link to how to do this:
http://www.knoppix.net/forum/viewtopic.php?t=28908

Once the virus is gone and you can boot XP again, you will still have troubles to deal with, but at least you can get to that point with this method.

Good luck

August 20, 2008 at 11:47 pm
(44) Dennis Barrett says:

I just received a “FedEx” version of the same.

August 21, 2008 at 5:25 pm
(45) Dee Anna says:

Ok – the FedEx email got my home pc. I know when I got home last night, I would login and it would immediately log me out. I will try to boot in safe mode and hope it allows me. If not, am I just outta luck?

August 21, 2008 at 9:03 pm
(46) Maggie says:

i just got the fed-ex email today at work….luckily i did not fall for it this time….thanks to this site….

August 27, 2008 at 10:35 pm
(47) Tom says:

new version is Western Union

From: “Lakisha Dunn”
Subject: Western Union MTCN #3005166639
Date: Thu, 28 Aug 2008 11:47:03 +1000

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 99281 since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

August 28, 2008 at 6:15 am
(48) Morag Hamilton says:

I am getting 2 of these a day. The one this morning was supposedly from American Airlines about an airline ticket! I had to print off my ticket and of course my credit card had been charged! Another was something to do with a payment to Western Union being stopped as the holder of the card was being investigated by Interpol!
I delete them all immediately and empty my Deleted Items folder too. I also run an Internet Files Destruction Programme but I still keep on getting these emails! BE AWARE

September 9, 2008 at 10:35 am
(50) Betsy says:

I am in Argentina and today I received the email from a co-worker who thought it was mine (I run the Foreign Trade dept.), I suspected something was wrong, first because we have no account at UPS and second, because the attachment was a zip file.
I went straight to UPS’s site and saw the press release they made on it. I immediately erased it.
After the first email from UPS we have received 3 more emails, same style, same attachment, different “subject”. We have released an email for the whole company and also to all people in our mail list to inform them about it; I think you should do the same. This virus is quite a problem, so it would be good to inform as many people as possible.
Be extra careful at opening files, no zip or .exe file should be opened, not even from known people. Ask first!

September 15, 2008 at 1:58 pm
(51) collette pearl says:

i just received this email today–and it’s also bogus:

Warning: This message has had one or more attachments removed (invoice.scr, invoice.zip). Please read the “MBG-Attachment-Warning.txt” attachment(s) for more information.

Mr./Mrs. XXX

I am sorry for this late reply, but we have good news.
We managed to track your package, and we have attached the invoice you asked for to this reply.

The invoice contains the correct tracking# , since the one you gave us was invalid.
You can use it on the ups website to track your shipment.

Thank you

John Henry
UPS Customer Care Department

grr.

September 17, 2008 at 5:04 am
(52) p***ed off says:

I got the same one from “John Henry” supposedly at UPS.com, it looked like a reply to my email which of course I never sent because I never had any packages gone missing etc, but it was very disturbing to think that they’re sending emails out with my name and email address as the sender. I bounced it and deleted it from the trash, god I hate these people. Why don’t they get a real job, or at least a life?

September 19, 2008 at 10:46 pm
(53) virus fix for you says:

The best way to remove this virus from your PC is to drop the computer in the trash and buy a mac

October 9, 2008 at 11:27 am
(54) Jenn says:

This virus is REAL. Beware. I just dealt with it for two days at work. If you ever get a virus, go to http://www.majorgeeks.com and read their malware removal forums. They saved my bacon! Highly Recommended, though you must do EVERYthing they say and pay close attention.

October 13, 2008 at 10:33 pm
(55) JML says:

I also accidentally opened it and my pc crashed immediately. It is booting but there is no mouse or keyboard present so it has done something. Could anyone recommend how do I get inside my computer and clear it?

October 28, 2008 at 12:45 pm
(56) Scott says:

I am experiencing the same problem. my computer just keeps rebooting after i log on. will safe mode allow me to stay logged in so i can remove the virus? or would i have to try something else. help would be appreciated.

November 13, 2008 at 7:00 pm
(57) MacRobin says:

Absolutely ignore anything unless your full name is in the salutation not your email address. Most of these things say “Dear valued customer,” or some such. Watch for the egreeting one, it’s out there again.

November 13, 2008 at 9:50 pm
(58) wayne says:

This is another example of the Dumbing Down of America. If the idiots who open this kind of email would stop for just an instant to think about how in the hell UPS got their email address, they wouldn’t get infected so easily. Those who have their computers infected with this virus deserve it for being stupid.

November 16, 2008 at 11:54 pm
(59) computerpro says:

Anyone with brains should know not to open attachments. First, the misspellings. 2nd, the majority of companies don’t send attachments. 3rd the zip file. Most that do send attachments send in a plain text or doc file, not zip. I hope the government finds the crooks who wrote this virus and throws them in a pool of sharks during lunch time. To me they are a waste of life.

November 18, 2008 at 11:35 am
(60) Stef says:

November 20, 2008 at 5:18 pm
(61) Anthony Ray says:

My girlfriend rolls a honda, playin workout tapes by Fonda

November 28, 2008 at 12:39 am
(62) LC says:

I’m an idiot and opened the zip, it was a UPS mail and I was expecting a package from them, now I can’t get into windows, just logs me off so I reinstalled a second XP so my pooter works but how do I direct the Anti Malware progs to clean the first (infected) Windows xp?

Cheers for all the info, great site :)

December 9, 2008 at 1:04 pm
(63) Ben says:

I did a system restore and it worked

March 29, 2009 at 6:59 pm
(64) Andrew Kent says:

How is it that we can anticipate these viruses and find ways to combat or remove them, but we never hear about who sent them or the countries that may be harboring them. I, for one, would eagerly support efforts to find and prosecute, or, failing that, to hunt down and kill, these reprobates, and to pressure any foreign nations in which they live to do the same. People who send viruses are no better than rapists and should be treated accordingly. At the very least, their hands should be cut off and their eyes poked out, thus making it more difficult for them to pursue this form of entertainment.

May 27, 2009 at 4:18 pm
(65) reffie says:

i own a mac. at pc users

June 3, 2009 at 2:07 pm
(66) jclvng says:

Mac haters, please get past your inferiority complex and get a life. Macs don’t get as many viruses because nobody cares to write them for Macs. There’s a reason you have no market share…it’s called consumer choice.

December 21, 2009 at 3:03 pm
(67) Tech Support Guy says:

We have dealt with quite a few trojan infections spawned by UPS/Fed Ex Delivery Failure emails in the recent months. Always delete them.
tech support guy

January 14, 2010 at 5:56 pm
(68) Kevin says:

I was dumb enough not only to click on the message, but also download the content. Please tell me, is the virus ONLY uploaded when I try to print, or have I already severely endangered my computer?

January 14, 2010 at 6:18 pm
(69) David Emery says:

Kevin,

If you haven’t actually run the file attachment, you’re probably safe. I’d suggest making sure your antivirus software is up to date, then running a complete scan.

January 14, 2010 at 6:20 pm
(70) Kevin says:

In that case I’m screwed, because I DID try running the attachment! I attempted a System Restore, but unfortunately, the System Restore did not complete. I am about to engage the Windows Malicious Software Removal Tool to see if that works.

January 14, 2010 at 7:27 pm
(71) Kevin says:

Okay, I’ve seen lots of comments that MalwareBytes works at removing this virus. Can anyone else confirm this?

January 19, 2010 at 5:01 pm
(72) Katie says:

To all of the self-righteous commenting who actually knocked the intelligence of those whose machines became infected: What do you mean “How did UPS get our e-mail address?” There are many couriers that use e-mail to relay package and shipment information. If you had done your research on this particular virus you’d realize that many of the e-mails had perfect grammar/ sentence construction. Also, “Anyone who has brains?” Maybe we should take a look at our own grammatical errors, hmmm? If you are technologically apt but still socially inept, get over yourself.

January 19, 2010 at 8:52 pm
(74) senang senang says:

Thank you very much. This morning I got the same email from UPS, but I realized it too late because I had already run the file that came with it. Luckily, my antivirus worked well.

you can translate with google.com/translate (indonesian)

May 13, 2011 at 11:38 am
(75) dee says:

Hey, can I ask which antivirus you use? I got hit too, thx

March 3, 2010 at 5:30 am
(76) Terry Mach says:

It’s back! The “UPS Failure to Deliver” Virus!!!

Header:
From: Postal Manager Erin Pereira
To: My email address
Subject: UPS Delivery Problem NR 15875

ATTACHMENT NAME IS – UPS_invoice_715.zip (25 bytes)

Hello!

We were not able to deliver the postal package sent on the 5th of December in time
because the addressee’s address is incorrect.
Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

*********************************************

Note: Viewing the zip file appears to be empty and when scanned with NIS reveals files to construct a web page and a link to launch the virus.

Be suspicious when you get an email from a sender that does not have the official seal from UPS or FedEx in the body of the message. My first clue…….

Happy hunting!!

March 3, 2010 at 9:48 am
(77) F Hertz says:

UPS Delivery Problem NR 12676
invoice_365
Manager Mercedes Wang

Hello!

We were not able to deliver postal package you have sent on the 12th of December in time
because the recipient’s address is inexact.
Please print out the invoice copy attached and collect the package at our department.

United Parcel Service of America.

I’ve got it today, delete it from your deleted emails as well!!!

March 4, 2010 at 8:56 am
(78) Andy says:

I also got the message today. I had no prior knowledge of this scam, and thus downloaded, extracted, and tried to open the file.

It immediately made my screen flicker, and the icon for the file disappeared from my desktop. I knew this was not good.

My Norton did, however, tell me that SONAR detected the file and that it was behaving suspiciously. Norton then proceeded to automatically remove the file and its contents from my computer.

Am I now safe?

Since Norton detected and removed the malicious file, is that all there is to it or are there further risks that I should be aware of?

Thanks in advance for any replies. I am sure they will be helpful to many!

March 4, 2010 at 8:07 pm
(79) Sapna says:

Windows Live OneCare takes care of it. Use the 60 day free trial. I was a fool and opened the attachment because I ship with UPS all the time. It was a MESS! It took over my computer once I unzipped the attachment. I googled the virus name and read on a forum to use the Windows Live OneCare. Thank god it worked. Hope this helps!

March 4, 2010 at 9:35 pm
(80) casey ellis says:

As a rule of thumb, NEVER EVER open .exe files that come in through email. There is no good reason to send them other than it being a virus.

March 5, 2010 at 5:53 am
(81) Q says:

I just got the email as well — I ship with UPS all the time so I downloaded the zip, but thankfully never extracted the .exe — .exe files in an attachment are immediate red flags.

March 8, 2010 at 12:30 pm
(82) Gog says:

I made the same mistake as well and opened the attachment. Since nothing happened I tried to do it again. Then my computer rebooted and the file was not in my downloads folder. Everything seems to be OK. I’m worried that I might have become infected. There don’t seem to be any indicators that I did, but I’d like to know that I’m not gonna have issues with personal information such as passwords and other information being stolen. I always use Firefox in private browsing mode and have AVG installed. I wasn’t alerted at all about any potential threats, but of course my suspicions were aroused, hence I stumbled onto this page.

April 21, 2010 at 9:25 pm
(83) Avi Tennenbaum says:

It is back and very real. We already had one computer infected, had to reformat, lost everything, and this one almost got me. It took our IT guys almost a week to figure out where it came from.
----- Original Message -----
From: Manager Jackie Carter
To: My Address
Sent: Thu Apr 01 06:57:33 2010
Subject: UPS Delivery Problem NR.6418762

Dear customer!

Unfortunately we failed to deliver the postal package you have sent on the 6th of December in time because the addressee’s address is inexact.
Please print out the invoice copy attached and collect the package at our department.

United Parcel Service of America.

May 6, 2010 at 9:02 am
(84) Mark says:

Silly me had to open Pandora’s box. Did nothing until I turned on the computer the following day. The file is called vbnhmtot.exe. I am currently running AVG and Spybot, but at the present time it will not let me open up the email and the main screen is now white. Any suggestions on fixing this? Cheers

August 25, 2010 at 11:33 pm
(85) Sudhakar says:

I got the same mail from fedex.com. Is it true or not? I got mail from tortbal@fedex.com, this ID. Please reply.

August 31, 2010 at 8:09 am
(86) Mitch McMillan says:

Hi, I received this email
and stupidly opened it. I have a file running on my computer called rsmac3744. I cannot delete it through the trash. Can anybody help? I have heard that it is a keylogger.
Should I just go to my local computer tech?

October 16, 2010 at 12:52 am
(87) yo says:

Hi guys… today I got a spam email from United States Postal.
That email contained an attached file….

UPS_Document_NR1379.zip (25KB)

And I downloaded that attached file…
then extracted it…
then I found
an application (with name: UPS_Document)

Unfortunately I opened that file…. then that file was gone….

Is that a virus…?? What will that virus do…??
How to remove it….??
Thanks….!!!

October 16, 2010 at 1:54 am
(88) waz up says:

Hey guys,

I also received an email today, Oct. 16, 2010, in my yahoo account, spam folder….UPS Logistics Service, UPS Delivery Refuse,
UPS_Document_NR0264.zip, and inside the file
UPS_Document_NR0264.exe

I scanned it with Kaspersky Internet Security 2010…it did not detect a virus…I ran it in *safe sandbox mode*….nothing happened. Then I looked it up on an online file scanner….http://www.virustotal.com/……and it said that 23/42 virus programs found it to be a backdoor…..

So, what are your thoughts?? Did everyone randomly get the email? PLUS it’s from customer@ups.com, which sounds like a really official email address from the website http://www.ups.com

Any ideas??? Thanks, Peace out, stay safe
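
What comments (80), (81) and (88) describe, a .zip attachment whose only member is an .exe, can be checked for at the mail gateway without extracting anything to disk. The following is an added example, not part of the original thread; the function names, the extension lists and the constructed sample message (built from the file names and sender quoted in comment 88) are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (assumed blocklist, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking extensions used to disguise a payload, e.g. "invoice.pdf.exe".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def classify_name(name):
    """Return the reasons a file name is risky (empty list if none)."""
    # Trailing spaces/dots are ignored by Windows, so strip them before checking.
    cleaned = name.replace("\\", "/").strip().rstrip(". ")
    suffixes = [s.lower() for s in PurePosixPath(cleaned).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double-extension")
    return reasons


def scan_message(raw):
    """Inspect a raw message's attachments in memory; nothing is written or run.

    Returns (attachment name, member name, reason) tuples.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # An executable attached directly, without an archive around it.
        for reason in classify_name(fname):
            findings.append((fname, fname, reason))
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():  # reads the directory only
                for reason in classify_name(info.filename):
                    findings.append((fname, info.filename, reason))
                if info.flag_bits & 0x1:  # password-protected member
                    findings.append((fname, info.filename, "encrypted"))
    return findings


def build_sample():
    """Constructed sample message; the 'exe' is placeholder text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_Document_NR0264.exe", b"placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "customer@ups.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "UPS Delivery Refuse"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_Document_NR0264.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member, reason in scan_message(build_sample()):
        print(f"{attachment}: {member} -> {reason}")
```

A hit here is grounds to quarantine the message regardless of what a single antivirus engine says about the payload, which matters given the scan results reported in comment 88.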

October 18, 2010 at 11:28 am
(89) Sairam says:

Just got the mail :

Attachment: Tracking_information_NR2447.zip

Subject: Error in the delivery address NR6902332

Body:
Hello!

The parcel was sent to your home address. And it will arrive within 3 business days.
More information and the tracking number are attached in document below.

Thank you for your attention.
UPS Customer Services.

October 29, 2010 at 6:33 pm
(90) Carissa says:

There is one for the USPS also. When I opened my antivirus program the explanation I got was that the initial virus then opens a second and so on, and it said to print out the pick up slip for a package at the post office - the kicker was the email addy - it was .com and not .gov - pays to look at these things

November 5, 2010 at 7:05 pm
(91) Rushroman says:

I got this virus from a .jpg file I downloaded from a site I got from Google Images. I was able to get rid of it by restoring to a day earlier and then re-running all of my anti-virus programs again. MS Essentials missed before and after. Malwarebytes wouldn’t even start before restoring but got it after restoring and being able to run it. Spy-bot didn’t get it. That was my “fix” for it. Best of luck.

November 12, 2010 at 2:43 pm
(92) Nader says:

I got the FedEx email the other night and I was expecting a package, I scanned it with McAfee and then I opened it by accident and nothing happened. I realized what I did and immediately deleted it. I then used spysweeper, McAfee virus scan and malware and nothing came up. I even had a tech from McAfee on my computer checking and he came up with no problems. Should I be worried or did the Trojan not get on my computer?

November 25, 2010 at 4:15 pm
(93) rakesh says:

I too got this message, saying that FedEx Delivery Problem No681595981, to my Yahoo mail. Actually I was expecting some mails so I tried to open that, but the antivirus in the Yahoo mail (Norton AntiVirus) gave me a warning and it did not allow me to open that mail and is giving me a demon notice whenever I try to forward it to my other mail address. Now I am shocked to learn about this virus from this blog. Thank you for the info, and guys, let’s inform everyone about this through social networking sites etc. so that no one will suffer further.

December 21, 2010 at 12:28 am
(94) Marina says:

Got the UPS email today with a large zipped attachment – if it wasn’t for all the packages I already get during this holiday season from UPS I would have been tempted to open it….but that’s when I Googled the subject line and found all this info here! So glad that you all have continued to post over the last two years! Even more glad I didn’t open it!
Merry Christmas!
Marina

February 23, 2011 at 9:55 am
(95) michelle says:

I just received an email from “UPS”. It did have an attachment on it. The only difference is that it did not say a package was undeliverable. It stated that…

“A package was sent to your home address. And it will arrive in 3 days.

More information and the tracking number are attatched in the document below.”

Just wanted to warn of this. They have changed their approach a little.

March 4, 2011 at 4:53 am
(96) Bee says:

To all those who were infected, try this: Turn off your computer by pressing on the power button for 5 seconds. (It should just shut down). Then turn it on again. There would be a prompt saying that the computer was improperly shut down, so it would suggest to you to Open up SAFE MODE. Do that. Open up your safe mode.

Then after opening that up, make a back-up of your important files. Try to burn them into a CD. Because sometimes, USB’s can get the virus even in safe mode.

After which, you have to run the Task Manager by pressing Ctrl-Alt-Del at the same time. Look for svchost.exe and terminate that application. (Usually, svchost.exe is for trojans, but your computer usually comes with at least one of a svchost.exe application because of having an internet connection)

If this doesn’t work, I suggest you reboot your system. (Hopefully after you have created a back-up for your files)

:) Hope it helps!

March 22, 2011 at 3:39 pm
(97) sonny says:

Yes bro, you really helped me. I was infected for almost 4 hrs. I’m reading what has to be done: turn off my laptop by removing the battery, then restart and select safe mode, then system restore! And that’s it! Thank you bro!
You saved the day!!!!

March 22, 2011 at 2:16 am
(98) Gene says:

Just got FedEx and UPS tracking. Stupid me opened file. Even though Avast said that it blocked it, everything pretty much stopped working. Tried scanning with Avast, then Malwarebytes…, said no virus detected, anyway fast forward…. started computer in safe mode by pressing F8 during boot, then ran system restore to an earlier date.
Everything back to normal now.

March 24, 2011 at 6:28 pm
(99) Kevin says:

I received an email with an attachment ostensibly from UPS today. The email said I would be receiving a package in 3 days and that the attachment contained the shipping information. I’ve dealt with UPS and USPS enough to know it’s not their practice to send emails with attachments simply to provide a customer with shipping information. Besides, the originator of the shipment, not the carrier, usually supplies that information. I also questioned why a notification of a package sent to me would also be addressed to about 30 other recipients, as this was. It was all too apparent this was a malicious email, so of course I didn’t open the attachment and immediately deleted the email.

To some extent, I can’t imagine why anyone would open an attachment to such an email. Warnings about this type of email are frequent from many reliable sources. Combine that with a little common sense, as I applied in this case, and there’s not much reason to fall victim to this kind of crap.

March 30, 2011 at 8:55 am
(100) Roy says:

The current one I have received had a pdf attachment with parcel tracking details. I opened it as I was expecting a delivery (foolish, because the English was very bad), and the result was that all short cuts when double-clicked would cause Acrobat to open with a message to say that this was an incorrect file type.

Cure was to right click on programmes and click ‘open’ rather than ‘read’. Right clicked system restore and all OK.

April 4, 2011 at 6:43 am
(101) Nasrullah Khan says:

AHH! At one moment I thought that what and whom I was sent this to . . .

May 8, 2011 at 12:45 am
(102) Steve says:

I got an email from info432833@ups.com saying that an express package was sent to my home. The tracking number was very short, without the Z, and it was obvious that this was not a valid UPS tracking number. What I don’t understand is how they were able to make it appear as if the email actually came from the UPS server. (UPS.com)

I did not open the attachment.

June 13, 2011 at 6:24 pm
(103) Gale says:

I just got an email from UPS today. Without even opening the email I knew something was wrong. I’ve never given anyone from UPS my email address, and plus the email looked really fake. It told me my package would be delivered in three business days, but then it told me to check the attachment. I can’t remember why it told me to check the attachment cause I deleted the email without second thought after reading the entire thing. But, after reading the other comments here, I’m really glad I didn’t open it!

I hope less and less people fall victim to this…

July 5, 2011 at 5:18 pm
(104) TB says:

I got spammed with this mail! I never opened it, but I’ve received this for 67 times! What can I do!

July 12, 2011 at 7:31 am
(105) Logan says:

I’ve got several of these which claim they are from UPS, FedEx as well as DHL…. Almost got me

August 17, 2011 at 12:08 am
(106) kevn says:

ahhh….I accidentally opened up a UPS email and my com is badly infected with virus…the antivirus software did block some but after I restarted my com…all the icons in the C drive went missing. It had actually changed all my icons to hidden status and blocked start task manager.
I had read the comments stated above but still I couldn’t find Buritos.exe and braviax.exe in window file, some more my restore point was deleted. Please help! What can I do?
Thanks

October 17, 2011 at 1:07 pm
(107) UPS virus got me crazy says:

Please, if someone can help me: I got the false FedEx email and I opened it…my computer is infected and I’m not being able to fix it in any way.
Can someone tell me how I can clean it..
Thanks in advance

December 6, 2011 at 3:03 pm
(108) Tash says:

Hey guys, I got that email and I opened it, but I did it on a Mac so for some reason it hasn’t harmed my computer.
I couldn’t open it and I am really stupid so I forwarded it to my mum, who opened it on her PC. She then re-started her computer because it was slowing down severely, to find that EVERYTHING on her hard drive was unreadable and lost!

I didn’t know what to do but I deleted everything containing similar or the same content the virus email sent me but I’m not sure I’ve done the right thing for the Mac OR PC.

For anyone who does get one of these emails, please take my advice and delete it straight away!!!!

January 15, 2012 at 1:31 am
(109) removal jobs says:

Pretty nice post. I just stumbled upon your blog and wanted to mention that I have really enjoyed browsing your blog posts. After all I will be subscribing to your rss feed and I am hoping you write once more soon!

February 14, 2012 at 6:03 am
(110) Tom THeo says:

The number of people who came here solely to call/make people feel stupid/inferior/handicapped for catching a virus makes me want to kill somebody.

Remember, while you regale your cats with the story of “the time you totally pwned this housewife on a comment thread for falling for a scam!”, that we were all newbs, once.

Show a little class. People are trying to solve real-life problems by coming here. Not everyone can be a 1_173, Jedi Master.

February 27, 2012 at 6:31 pm
(111) ReetCart says:

check this link, , for special offer

March 5, 2012 at 12:10 pm
(112) knuclear200x says:

ARRGGHHH! It’s 2012 and I’ve been tricked!!! I did recently send a FedEx myself, now I just received the email and opened it and everything. That’s when Avast starts popping up warnings. Dammit, what a nearly unfortunate coincidence.

March 13, 2012 at 5:05 am
(113) Still getting Fed-Ex Virus! says:

would also like to agree with one of the earlier comments about security;
Who is creating these viruses? How can I wrap my hands around their throats? Why aren’t we seeing them drug out of their homes and publicly flogged? Or… is there any money in these scams that we can get back, or is all that ill-gotten gain just gone?

Have still been safe (since I got my Mac) but sorry to say, the Fed-Ex Virus is still getting around! This is why I switched to Mac, I was spending countless hours waiting for scan after scan, updating content for virus guard, anti-spy/malware programs that made start-up excruciatingly slow. And then, even after all that…. all the bad stuff would still get through! That’s why I got a Mac, and my start-up time from off to online surfing is less than 90 seconds! After 2 years!

March 13, 2012 at 7:20 pm
(114) Steve says:

It is common practice for Fed Ex to re invoice customers for import duties and handling brokerage fees, even when already paid. What most people do not realize is that they have a system to double and triple bill customers who do not prove payment via Fed Ex Trade Networks and Federal Express Limited. When customers call in, agents are trained to take “extra” payments. A license to steal! No wonder profits are so high!

April 19, 2012 at 12:14 am
(115) Laura says:

So, I downloaded and opened this virus by accident since I was supposed to receive a package and it had not been delivered. Are there any updated fixes to the changes that have taken place with this virus? I’ve looked through any fixes I could find, and they seem to be outdated. Any help would honestly be appreciated. I know I should have been watching myself more carefully, but I was in a hurry since this package was time sensitive. Thanks for any help!

June 23, 2012 at 2:12 pm
(116) McRobert says:

I received this email/ zip file and because I was expecting a package from UPS I opened it. Immediately Microsoft Security Essentials quarantined it for deletion and my PC remained in a normal working state.

August 8, 2012 at 7:52 pm
(117) Patricia says:

Just received it! August 2012 and still alive!

Did not open, wanted to verify before! Good thing!

Be careful!

August 24, 2012 at 10:47 am
(118) nes says:

I also received this in my e-mail. I was fooled into clicking on it from my handheld device. It told me it was unable to open file, so am I safe from the virus? I have Antivirus on our main computer, will that also keep my handheld device secure or do I need separate antivirus?

August 28, 2012 at 2:05 am
(119) Scott says:

Just got a similar email. The subject said UPS Tracking Number #****** and because I’m expecting a UPS package I opened the email. I then clicked “show content” and read the email. I didn’t click on the link though and promptly deleted it. Any chance I could get infected from just opening the email?

August 28, 2012 at 6:04 pm
(120) JDintheOC says:

The first time I received one of these emails, I actually had a UPS package waiting to be delivered. I had to wonder how they got my email address…and a disposable one at that. I readily deleted it and all those that followed.

August 30, 2012 at 7:59 am
(121) Babette says:

In the past few days I’ve received several messages with the subject line “Error in the delivery address” supposedly from USPS.com. It states that they failed to deliver the postal package I sent on various dates because the recipient’s address is erroneous.

Then it tells me to go to the nearest UPS office and show my shipping label, with a link to print a shipping label.

I have several email addresses for varied reasons, and I’ve received this message on two of them.

It’s obviously a fake because why would the USPS send me to a UPS office?

September 11, 2012 at 12:51 pm
(122) Kelsy says:

I had recently sent something from Fed Ex and was waiting for a package as well = (. I clicked on the link/ opened the zip file, the whole shabangy bang.

It was an e-mail from Fed Ex. When I didn’t see anything I called Fed Ex to see what was up and they said they think it’s a phishing e-mail.

What can I do at this point? I have a McAfee installed but it doesn’t seem to detect anything.

Helppss meee =’(

September 19, 2012 at 9:59 pm
(123) John Doe says:

Got an email claiming to be from UPS. The email just contained a picture saying:

“UPS We <3 LOGISTICS
Unfortunately we ailed to deliver the postal package you sent on the 27th of August in time, because the recipient's address is erroneous.

Please print out the label copy
attached and collect the package at out office"

I click on the image and thank God Google has a malware protection tool. It detected the site was full of it and I knew it was bogus.

Funny thing though. When I right click to "view source" this message appears. I found a hidden message. Someone needs to decode it.

"
I own millions and millions of feet of affluent leads in Nevada, in fact the entire under crust of that country nearly, and if Congress would move that State off my property so that I could get at it, I would be wealthy yet.But no, there she squats–and here am I. Failing health persuades me to sell. If you know of anyone desiring a permanent investment I can furnish one that will have the virtue of being eternal. If you knew Senator Huskey as I do, you would agree with me that the Senator is indeed Huskey by name and husky by nature. A more complete parcel of huskiness you never did see, nor a jollier, more cordial and better hearted could you ever wish to meet, for he has never allowed the musty parchment to dry up the finer faculties of his sentiments, and he can appreciate a beautiful sunset, a fine verse, and in fact all Natures beauties, and yet be the big man and the great lawyer he is. Then too, the Senator is an enthusiastic sportsman and plays a splendid game of hand-ball. "

Also, the UPS picture is being hosted on their site and when I click on the picture the link URL is: http://www.adoptionhorizons.com

Adoption Horizons: Anyone know who they are?

September 25, 2012 at 7:50 pm
(124) Geek4Life says:

Still going, nothing outlasts this BS. Customer today waiting for UPS delivery got the “UPS Delivery Failure” e-mail from upsdelivery.com domain which is owned by UPS. Payload was “File Recovery” virus/trojan/ransomware/hijackware/rogue spyware.

The removal guides did not work for me. This version appears to hide itself in Safe Mode, Malwarebytes’ found 0 threats in SM, but found the virus in Normal mode and removed. Booted once, virus did not appear. 2nd reboot virus came back.

Only option was to manually find and remove all files and registry entries (do not attempt this unless you are MCSE or equivalent, these files are difficult to identify and deleting a wrong entry in the registry can really leave you in a bad place.) When it finally appeared the virus was gone (rebooted few times, no further replication) was able to run RogueKiller and UnHide per removal guide.

File names were random letters and numbers otherwise I would tell you what to look for. I hope you don’t ever have to deal with this particular version. GOOD LUCK!

October 23, 2012 at 2:51 pm
(125) Melanie says:

I just got this one. There was no attachment, but there was a button indicating that you should click on it to print a delivery label. I smelled a scam, found this online info., and deleted the message.

December 6, 2012 at 5:22 pm
(126) Mike says:

This is the one I received. It was from UPS Logistics supposedly.
First mistake: UPS header – FedEx in body of letter

Second: Dec 2 was Sunday, not Monday.

Third: delivered AT Dec 4

Fourth: our “postrider”

Fifth: they can’t spell and grammar is atrocious.

Gotta love stupid criminals ….

FedEx

Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the par)+++cel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

GET POSTAL RECEIPT

Best Regards, The FedEx Team.

© FedEx 1995-2012

December 10, 2012 at 10:18 pm
(127) Nancy says:

Dec. 10. 2012 – just got the same mail as Mike (126). Whenever I get suspicious mail I R-click on it and go to “View Message Source” to look what’s inside…

December 26, 2012 at 3:49 am
(128) Karen Taylor says:

I have just received an email that looks suspicious and if the original comments are from 2008 so these emails are still around – be careful.

February 3, 2013 at 3:08 am
(129) meichia says:

Just got 3 emails, 2 from FedEx and 1 from Booking.com that are fake and are viruses. I did not open them. Heads up as they are still being circulated around.

May 19, 2013 at 4:36 pm
(130) Mary Ann Mealey says:

I just received my third notice from “DHL” in the last two weeks. Almost opened first one because I do a lot of online shopping. Just hit that handy red X.


©2014 About.com. All rights reserved.