
David Emery's Urban Legends Blog

By David Emery, About.com Guide to Urban Legends since 1997

UPS Virus Warning

Tuesday July 15, 2008
UPS has issued a warning about a new computer virus circulating as an attachment to emails purporting to originate from the "UPS Packet Service." The warning is authentic. The virus is real.

The bogus Packet Service messages claim a parcel sent by the user was undeliverable due to an incorrect address. The user is instructed to open an attachment containing a copy of the invoice. The attachment actually contains a virus which may infect the user's computer.

As a general rule, Internet users should always be wary of opening unknown file attachments, and maintain up-to-date antivirus protection on their computers at all times.

Text of the UPS alert:
Attention Virus Warning

We have become aware there is a fraudulent email being sent that says it is coming from UPS and leads the reader to believe that a UPS shipment could not be delivered. The reader is advised to open an attachment reportedly containing a waybill for the shipment to be picked up.

This e-mail attachment contains a virus. We recommend that you do not open the attachment, but delete the email immediately.

UPS may send official notification messages on occasion, but they rarely include attachments. If you receive a notification message that includes an attachment and are in doubt about its authenticity, please contact customerservice@ups.com.

Please note that UPS takes its customer relationships very seriously, but cannot take responsibility for the unauthorized actions of third parties.

Thank you for your attention.

Read more about it:
UPS Virus Warning - UPS website
UPS Warns of Email Virus - WCCO-TV News
Email Allegedly from UPS Delivers a Computer Virus - Minneapolis Star Tribune
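
The lure described in this post arrives, according to readers in the comments below, as a ZIP archive holding an .exe (one reader's mail gateway also stripped an invoice.scr). The following Python is an added example, not part of the original post or of any vendor's product, showing how a mail filter can flag such attachments by inspecting content rather than trusting the file name; the sample messages, addresses and the member name UPS_invoice.exe are constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; .exe and .scr are the ones reported on this page.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def _ext(name):
    """Lower-cased final extension, ignoring trailing dots or spaces used to disguise it."""
    name = name.strip().rstrip(". ").lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def risky_attachments(raw_message):
    """Return (attachment name, reason) pairs for attachments that should be blocked."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if _ext(name) in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        # Trust the content, not the name: ZIP archives start with "PK\x03\x04".
        if data[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            findings.append((name, "archive contains " + member))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings


def zip_of(member_name, content):
    """Build an in-memory ZIP with one member (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


def build_sample(attachment_name, attachment_bytes, subtype):
    """Constructed sample message; sender, recipient, subject and body are made up."""
    msg = EmailMessage()
    msg["From"] = "UPS Packet Service <notice@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype=subtype, filename=attachment_name)
    return msg.as_bytes()


# Constructed inputs: a harmless placeholder stands in for the real payload.
LURE = build_sample("invoice.zip",
                    zip_of("UPS_invoice.exe", b"MZ constructed placeholder"), "zip")
BENIGN = build_sample("invoice.pdf", b"%PDF-1.4 constructed placeholder", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, risky_attachments(raw))
```

Because the archive is recognised by its leading bytes, renaming invoice.zip to something like invoice.doc does not get it past the check.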


Comments

July 15, 2008 at 5:19 pm
(1) Flair says:

We are currently cleaning 2 workstations at client sites with this virus. It contained “XP Antivirus 2008”

July 16, 2008 at 6:46 am
(2) John says:

I received a bogus UPS email a few days ago. It said that a package I sent was undeliverable. Luckily, the email was poorly constructed, and it was rather obvious it was fake (kind of like the Paypal & eBay hoax emails), so I did not click on anything. Remember: BE CAREFUL!!

July 16, 2008 at 6:21 pm
(3) Paul says:

Ummm… so let’s talk specifics here. What is the payload? Why is this not listed on SANS or any major security vendor websites? Try googling this and see what you come up with other than my friend’s niece got this and her computer totally locked up. My BS detector is going hog wild with this one.

July 16, 2008 at 7:29 pm
(4) urbanlegends says:

The payload is the Agent.JEN Trojan delivered via a .zip file which, if run, introduces a copy of the Trojan into the computer.

Phony UPS Emails Used as Bait to Spread the Agent.JEN Trojan (Panda Security)

July 20, 2008 at 7:13 pm
(5) JohnWW says:

I received such a UPS email this morning (21 July 2008), with a ZIP file attached which was supposed to be an “invoice”. (If it was an invoice, it would be as a formatted text file like PDF or DJVU or DOC file, or a graphics image like JPG or GIF or PNG or TIF or PCX). I immediately suspected that it was a $cam or a virus, and did not run the EXE file inside the ZIP. However, the antivirus program AVG, which is updated daily, did NOT detect the Agent.JEN Trojan or any other virus in it, in either the ZIP file or the enclosed EXE file.

July 21, 2008 at 7:44 pm
(6) Lou says:

Be afraid! Be very, VERY AFRAID! I’m talking about rough package handling by UPS….not viruses. Ask a UPS employee about their outdated sorting equipment and the volume of damaged packages in their repair department. I’m never shipping with them again.

July 22, 2008 at 6:17 am
(7) pete says:

it got me cause I’m a fool, what can I do to get rid?

July 22, 2008 at 9:14 am
(8) Landie says:

My Nortons didn’t flag it. But I’d already twigged that it was a payload carrying email. Needless to say, I’ve quarantined and submitted the sample.

July 22, 2008 at 12:12 pm
(9) Jennie says:

I was not very smart, and opened this attachment, and now have the virus. How do I get rid of it? I can’t connect to the internet, I have tried using netscape and explorer. I do have McAfee. I’m not super computer savvy, but am good at following directions. Thanks for any help you can give.

July 22, 2008 at 1:05 pm
(10) AHH! says:

This virus is very real. And when you are in a shipping department this one can get you. It seems familiar enough for you to open. Until you do, then it is too late!

July 23, 2008 at 3:26 am
(11) Ian says:

We have 5 computers, all with bullguard anti-virus which did not detect the intrusion. The UPS virus has infected one of the computers having got by the B.T. Firewall, which deleted the incoming virus on all the other machines and was opened by an operator.
So far bullguard support has been unable to get rid of it. Has anybody else had any success getting this off their machines yet?

July 23, 2008 at 4:56 am
(12) vin says:

Does any geek know how to get rid of this? It went into windows/profic file name ups_invoice, 4 files in total. We deleted it but it is still popping up. Help please

July 23, 2008 at 9:45 am
(13) JJ says:

Very real. Not sure of how much damage, but a few employees opened and our server crashed. Working on it this morning. I use Kaspersky antivirus on my laptop and had no issues.

July 23, 2008 at 10:27 am
(14) Andre says:

A good antivirus program will prevent the infection. Kaspersky stops it right away, and even AVG deleted it upon downloading the attachment. Norton/Symantec Corporate/McAfee/CA/bullguard all allow the virus to take over the system. A knowledgeable professional is needed to remove the resulting infections.

July 23, 2008 at 7:21 pm
(15) David says:

Believe it. Just paid Dell $130 to clean up the havoc it caused.

July 23, 2008 at 8:49 pm
(16) poison apples says:

This virus is real… our reception opened it as we commonly use UPS for a courier. It required manual removal and tampered with our antivirus (Nortons), which didn’t pick it up. We had to pay Nortons an extra $100 to remove it. I thought that was BS; what’s the point of buying their software then?

July 24, 2008 at 12:07 am
(17) Rachele says:

I did receive the email but because it was a zip file I did not download it but it did open the zip window. Am I correct in thinking that I do not have the virus if I did not open or download the actual file? I noticed the email (United Parcel Service [otymvh@brainsworkgroup.com]) and did not open it.

July 24, 2008 at 5:09 am
(18) Laurentio says:

So far this is the only way to remove the UPS virus. Follow the given link and do as instructed to fix UPS virus.
http://support.bicester-computers.com/showthread.php?t=18

July 24, 2008 at 8:31 am
(19) Leslie says:

Even though the email had many red flags, a couple of not-so-savvy people opened it. The virus rendered all applications frozen, including our anti-virus software, and required several hours of tech support to remedy.

July 24, 2008 at 9:49 am
(20) Steve says:

I was able to remove the virus from two machines where the user opened the attachment. One way was to do a System Restore in WinXP back several days and the other was to download and run Malware Bytes.

July 24, 2008 at 3:52 pm
(21) Dale says:

Yes, this is real. It is a Trojan. So far Adaware 8.0 and Symantec’s Norton have not been able to get rid of it. They both find it, but cannot delete it. I forwarded it to both software companies’ web sites. XP Pro keeps flagging that the workstation is infected. We put our outside Tech support on it.

July 24, 2008 at 4:20 pm
(22) Jacqueline says:

I was dumb enough to fall for it too! I am computer savvy to an extent and it caught me early in the morning when I was still a bit groggy! However, It isn’t a very dangerous virus, but it does have a very irritating Red X message (telling you your computer is infected after you’ve run a system scan - but that IS the virus!) from the System Tray and it tries to sell you some phony software to “fix” the problem. Symantec and the rest have known about the issue since May, but because of the way it infects Windows they seem to be struggling with preventing it and cleaning it when it does get in. The fix actually requires a Windows Registry edit and some other steps that my IT guy at work was able to do. If you are having trouble, I would follow the steps that your virus protection gives you and if all else fails call a computer support company and have them help you. You don’t want this thing in your computer for long! Good luck!

FYI: I just received an email today - the same virus only this time it is from US Customs. It basically says the same thing as the UPS email. Needless to say, I didn’t open it this time!

July 25, 2008 at 11:57 am
(23) Ruth says:

We had the UPS Virus a few days back. We are now receiving this payload again with email purporting to come from Customs (that was yesterday). Today’s variant has a subject relating to “Your airline ticket”. In our case they said they come from Delta (haha, right). At this point, Symantec Corporate is not able to remove the virus. It is detected, but can not be removed.

July 25, 2008 at 1:17 pm
(24) Dummy 1 says:

I have a MAC.

I accidentally clicked on this as I was going to erase it.

It put TWO files in my MAIL DOWNLOAD folder.

Am I infected? One file was an .exe file and the other the ZIPPED file. I deleted both.

Anyone know if this has infected my MAC?

July 25, 2008 at 3:56 pm
(25) Jodi says:

Norton and McAfee never catch anything… I took McAfee off my computer and installed another antivirus that has caught everything. Haven’t had to test the UPS trojan, though. After reading this, I WON’T be testing my antivirus against it!!!

July 25, 2008 at 4:20 pm
(26) Jay says:

I got the same email from Canada Customs. Says I had a package waiting and needed to clear it, please fill out attached form yada yada yada. Since I am smart enough to know I am not expecting anything, and smart enough to know that any file with a .exe or .ZIP sent through email is likely to be bad news, I just ignore them. If it was paperwork attached it would be in the form of a DOC or PDF likely.

July 26, 2008 at 11:02 am
(27) Noel says:

2 of our PCs got caught with this virus; it took the Norton’s guys 2 attempts and 6 hours to clear it off. Nasty.

As well as the one from customs, there is another one going around, saying your credit card has been debited with $400+ for airline tickets with an attached copy of the receipt.

July 26, 2008 at 7:44 pm
(28) law says:

We had this infection on Thursday, 24 July 2008 around 4pm EST. The approach was similar- a delivery failure notification with all the relevant information correct: Store Number, Time, Date, Tracking Number.

Huge problem. It was followed by an offer to download a fix for XXX$. The download was charged to my wife’s credit card in rubles within 15 minutes.

The ‘fix’ did nothing, and my wife, who is fairly savvy, wasn’t able to remove the viruses on her own. With one phone call, Norton took over, and after several hours of work, she got her system back, for which we are most appreciative.

Still, we had to close all our bank accounts, cancel all ATM/ credit cards, automatic payments, etc., and go through the re-start process. Nothing was stolen from our savings or checking accounts, but what a nuisance!

I blame UPS for not making the problem known. All the specific information supporting this scam was known only to UPS.

Best advice I can give is to ask Norton to help. They did a great job of disinfecting.

July 27, 2008 at 9:22 am
(29) John Smith says:

It is not UPS’s fault. Period.
Norton Antivirus or any Antivirus won’t help at all. Period.
I have followed a link posted above and thank God it did clean my computers. Thanks for the forum and here is the link:

http://support.bicester-computers.com/forumdisplay.php?f=31

Good luck!

July 29, 2008 at 11:33 pm
(30) ASlater says:

I got an e-mail with a FEDEX attachment after I got the UPS e-mail. I copied the # it gave, went to FEDEX site and sure enough, no packages. I hope someone can spread the word, it’s not just UPS. They say both companies are working harder because of gas prices - more people shopping online.

July 30, 2008 at 5:13 am
(31) pAUL says:

The UPS delivery virus rumour is true; my computer was affected by it. I had to do a `clean` install of XP. Beware!

July 30, 2008 at 10:14 am
(32) Cath says:

We just received a copy of this email in French. Just a little twist on the original message. One of our work computers was infected, but it is now clean and working well.

August 1, 2008 at 7:13 pm
(33) Alicia Rhoades says:

I have the virus and now I can’t even turn on my computer. It loops from the start and when you log in to your computer it restarts itself and the process starts over and over and over and over. How do I fix a problem when I can’t even get in to the computer to fix it in the first place? Can someone help?

August 10, 2008 at 1:44 pm
(34) Julian says:

To manually remove, rename the trojan, look in the c:\Windows and c:\Windows\System32 folders for the most recent files, normally Buritos.exe and braviax.exe, but others may be possible. You can’t delete them because the programs are running, but you can rename them. You should then copy some other .exe, such as winhlp.exe and rename it to match the trojan files. (This prevents the files being recreated.)

Now open the device manager and view->show hidden devices. Now uninstall Beep and delete the beep.sys driver. You can then scan for hardware changes and the proper beep.sys will be reinstalled.

Reboot and all should be well. You don’t even need to drop into safe mode to do this.

August 13, 2008 at 7:04 pm
(35) matt says:

I am genuinely waiting for a UPS package which is late that I sent from Australia, so I’ve been away and not too savvy on recent viruses… so opened it and my computer is suffering!!

August 14, 2008 at 5:41 pm
(36) neil says:

This is how I got rid of the virus

First you need to stop the program from loading on startup. This is what you do to stop it:

Start, run

Type msconfig

Go to Startup tab

Uncheck lphc35dj0e1an
Uncheck rhc75dj0e1an

Click apply, then ok
Restart computer

Then you need to delete the main files this program uses. Delete the following files:

C:\windows\system32\lphc35dj0e1an.exe
C:\program files\rhc75dj0e1an\rhc75dj0e1an.exe

This should remove the program from your system but you probably still have a warning message displayed as your wallpaper in Windows and the virus removed the ability to change the wallpaper or your desktop settings.

To restore ability to change your desktop settings and select a different wallpaper and screen saver do the following:

Start, run

type Gpedit.msc

Navigate to User configuration, Administrative Templates, Control Panel, Display

Right click on Remove Display in Control Panel
Click on Properties and select Disabled

Do the same steps to change the following attributes to disabled:

Hide Desktop Tab
Prevent changing wallpaper
Hide Appearance and Themes tab
Hide Settings tab
Hide Screen Saver tab

You should now be able to use your computer normally and change the wallpaper to something other than the warning message Antivirus XP 2008 set it to.

August 15, 2008 at 1:23 am
(37) Maggie says:

I got this email at work… it was very early in the morning and our server had crashed and burned the day before… the “infection” notification came a few hours later… our tech ended up spending a whole lot of time cleaning the computer and actually ended up having to basically remove everything from my computer and reinstall all of the programs again… fortunately, because the server had been down (some emails were not working), we figured out what the cause was and when all other email addresses worked again in the office, we knew exactly what we were looking for. Sometimes it is very easy to become dependent on your antivirus and believe that it will stop ANY THREAT that comes your way. At least now we know better.

August 19, 2008 at 7:05 pm
(38) corey says:

Somehow this virus got in our computer, and that email wasn’t opened; it was deleted. We are running AVG; it catches the virus and quarantines it, but by that time it has changed my desktop. I have run multiple scans with no luck and run my AVG spyware one run after the other and am still flooded with crap, so I am now running Malwarebytes Anti-Malware and hope it works. A lot of forums have said to try it. Fingers are crossed. GL to all trying to get rid of this horror. If I can’t get rid of it I will get rid of it by backing over my lappy. Plz don’t come to that, hehehe.

August 20, 2008 at 10:37 pm
(39) jeffpeterson says:

The reason it’s called a virus is because it evolves. Yesterday I got several calls for cleaning up after this, and it’s not just Braviax and Buritos, there is a host of other viruses and spywares this time.

August 20, 2008 at 10:55 pm
(40) jeffpeterson says:

Alicia, if you or someone you know is fairly tech-savvy, there is a way to boot from a Linux CD, download a free antivirus software and update it, then clean your machine by booting from the CD. That way anything the virus controls while Windows is booted is nullified.

First you, or someone who likes you, need to go to
http://www.knopper.net/knoppix-mirrors/index-en.html
and download the image file from a site that is geographically near you, and then burn the image onto a cd.

Then you need to download and install a software called Antivir, so you can scan your hard drive from a Linux kernel. Here is a link to how to do this:
http://www.knoppix.net/forum/viewtopic.php?t=28908

Once the virus is gone and you can boot XP again, you will still have troubles to deal with, but at least you can get to that point with this method.

Good luck

August 20, 2008 at 11:47 pm
(41) Dennis Barrett says:

I just received a “FedEx” version of the same.

August 21, 2008 at 5:25 pm
(42) Dee Anna says:

Ok - the FedEx email got my home pc. I know when I got home last night, I would login and it would immediately log me out. I will try to boot in safe mode and hope it allows me. If not, am I just outta luck?

August 21, 2008 at 9:03 pm
(43) Maggie says:

I just got the Fed-Ex email today at work… luckily I did not fall for it this time… thanks to this site…

August 27, 2008 at 10:35 pm
(44) Tom says:

new version is Western Union

From: “Lakisha Dunn”
Subject: Western Union MTCN #3005166639
Date: Thu, 28 Aug 2008 11:47:03 +1000

Attention! The wire sent to Maksim Zverev, Moscow, Russia has been blocked by our security service.

Your credit card issuing bank has halted the transaction by the demand of the Federal Criminal Investigation Service (case No. 99281 since the recipient has been undergoing the international retrieval by the InterPol.

Please contact the closest Western Union office and make sure you have your ID card, the credit card that was used for making the payment, and the invoice file with you.

(The invoice file is attached to this message; please print it out and hand it to our agent.)

August 28, 2008 at 6:15 am
(45) Morag Hamilton says:

I am getting 2 of these a day. The one this morning was supposedly from American Airlines about an airline ticket! I had to print off my ticket and of course my credit card had been charged! Another was something to do with a payment to Western Union being stopped as the holder of the card was being investigated by Interpol!
I delete them all immediately and empty my Deleted Items folder too. I also run an Internet Files Destruction Programme but I still keep on getting these emails! BE AWARE

August 30, 2008 at 2:16 am
(46) woodhouseapp says:

america watch tree ibm university england

September 9, 2008 at 10:35 am
(47) Betsy says:

I am in Argentina and today I received the email from a co-worker who thought it was mine (I run the Foreign Trade dept.), I suspected something was wrong, first because we have no account at UPS and second, because the attachment was a zip file.
I went straight to UPS’s site and saw the press release they made on it. I immediately erased it.
After the first email from UPS we have received 3 more emails, same style, same attachment, different “subject”. We have released an email for the whole company and also to all people in our mail list to inform them about it; I think you should do the same. This virus is quite a problem, so it would be good to inform as many people as possible.
Be extra careful when opening files; no zip or .exe file should be opened, not even from known people. Ask first!

September 15, 2008 at 1:58 pm
(48) collette pearl says:

i just received this email today–and it’s also bogus:

Warning: This message has had one or more attachments removed (invoice.scr, invoice.zip). Please read the “MBG-Attachment-Warning.txt” attachment(s) for more information.

Mr./Mrs. XXX

I am sorry for this late reply, but we have good news.
We managed to track your package, and we have attached the invoice you asked for to this reply.

The invoice contains the correct tracking# , since the one you gave us was invalid.
You can use it on the ups website to track your shipment.

Thank you

John Henry
UPS Customer Care Department

grr.

September 17, 2008 at 5:04 am
(49) p***ed off says:

I got the same one from “John Henry” supposedly at UPS.com, it looked like a reply to my email which of course I never sent because I never had any packages gone missing etc, but it was very disturbing to think that they’re sending emails out with my name and email address as the sender. I bounced it and deleted it from the trash, god I hate these people. Why don’t they get a real job, or at least a life?

September 19, 2008 at 10:46 pm
(50) virus fix for you says:

The best way to remove this virus from your PC is to drop the computer in the trash and buy a mac

October 9, 2008 at 11:27 am
(51) Jenn says:

This virus is REAL. Beware. I just dealt with it for two days at work. If you ever get a virus, go to www.majorgeeks.com and read their malware removal forums. They saved my bacon! Highly Recommended, though you must do EVERYthing they say and pay close attention.

©2008 About.com, a part of The New York Times Company.

All rights reserved.