UPS delivery Trojan opened and sitting in my mail downloads help please

Discussion in 'macOS' started by iamnotamachine, Feb 1, 2010.

  1. iamnotamachine macrumors newbie

    Joined:
    Feb 1, 2010
    #1
    G'day

    Having become virus complacent over the past 12 months (ex-Windows user, now proud MacBook Pro lover), and expecting a parcel from the States, I did not pause to consider a thing before clicking on the .zip mail attachment purportedly from UPS.

    I now have two files
    1. UPS_document_Nr28451.exe
    2. UPS_document_Nr28451.zip
    showing in my mail downloads

    The .zip opened as a window of gibberish.

    I scanned them both with ClamX which cleared both (no viruses found), then removed both to trash and erased them.

    Reading elsewhere, I have come to suspect that I have been playing with either
    TROJ-DLOAD.GG
    or
    TSPY-ZBOT.NM Trojan
    or both.

    As ClamX is not recognising them, I am left very uncertain that they are no longer on my system, and are having no effect.

    Being new to this problem on mac, I have no idea how to check my system for trojans other than ClamX.
    And even my knowledge of ClamX is sketchy, does it check for malware/trojans as well as virus infections?

    Any suggestions would be gratefully appreciated.

    I searched for this topic, couldn't find it, but if I am repeating known issues please forgive my newbie state.
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    A .exe file cannot run on a Mac so it is of no harm to you. Just delete and be more careful in the future. There's no virus on Macs so no worries there. It sounds like it is not completely certain if the file is truly a Windows trojan so that could be why ClamXAV is not detecting anything. You could also have old virus definitions or that one isn't in their definition list yet.
     
  3. iamnotamachine thread starter macrumors newbie

    Joined:
    Feb 1, 2010
    #3
    Thanks angelwatt, that helps clarify.
    I had thought an .exe file inoperable on a Mac but wasn't 100% certain I hadn't missed something.

    again thanks for the help.
     
  4. KingYaba macrumors 68040

    KingYaba

    Joined:
    Aug 7, 2005
    Location:
    Up the irons
    #4
    Trojans are not viruses fyi. If you're really paranoid yet very curious might I suggest opening it in a virtual machine? I do this all the time by the way. Who cares if you muck up a vm. :cool:
     
  5. kevinkendall macrumors newbie

    Joined:
    Sep 16, 2007
    Location:
    Denver
    #5
    I got the "UPS_document_Nr28451.zip" yesterday also

    I've been getting a lot of those pesky UPS "could not deliver" virus emails lately, ever since I got onto Facebook a while back & did a lot of changes to my account. Popups came up while on there that said my email address needed updating. Looked official, so I did it. Within a day or two, the UPS trojan viruses started showing up in my Inbox every 2-3-4 days or so. I got about 7 of 'em total. Finally, I unzipped one of them & found an EXE inside, which I wasn't worried about at all but after researching the thing I discovered that it's an old Facebook-specific virus. I sent a virus warning email out to friends, et al.
    So eventually I got smart & a couple of days ago I got into my domain's email setup util area & set up a filter that would take all those viruses out (I'm not paying for junkmail/virusmail protection from my domain host). Some of the attachments' names were different so I used the reply email address as the primary criteria plus several other secondary criteria, & I enabled wildcard searching. This way, the viruses would get snagged at my domain's Inbox, which means I wouldn't see them in my Apple Mail Inbox when it downloaded messages from my domain Inbox.
    But yesterday, guess what...... ANOTHER one. Having a *different* reply email address. Different from the previous 7, & only a day after I'd set up my filter based on those 7's reply address.
    So I got back into my email setup & this time, I made the primary criteria just "ups.com" but made an AND function of that with a part of the never-changing subject line & an AND with a part of the body text. Plus an AND that it have an attachment.
    Then I decided to do some sniffing around the email & internet about this, & I wrote up an email, sending it to an address I found in the email's header & several more I found in whois info attached to a couple of IP addresses in the header.
    So I'll see how all this works out..... It ought to work ok.
    And if not, I'll just set up a tighter rule in my more-flexible Apple Mail's rule maker. They're harmless to my Mactop, as far as I know, but they're really just getting to be a pain in the arse with the sender's insistence. Some dumbguy, somewhere. A malicious dumbguy.
    If this is of any help to anyone or supplies clues about anything to anyone reading this who might be wondering about this pesky skeeter trojan, here ya be........
    Long live Macs! Love em. MUCH better than Windows......

    kevinkendall :apple:


    =======================

    Hello

    This email I am sending to you all is in regards to this email I received:

    On Feb 1, 2010, at 11:08 AM, Manager Roland Woodard wrote:
    First, attached to this email is the trojan virus "UPS_document_Nr28451.zip"
    HERE IS THE NOBRAINER DISCLAIMER: DO NOT RUN THE EXECUTABLE INSIDE THE VIRUS' ZIP TROJAN SHELL.
    The email's complete raw source text, including the virus' code, is at the very bottom of this email if you'd like to take a look at it.

    The virus email's attachment, which I received yesterday, is a variation of a type of "UPS Delivery" trojan virus that I have been receiving regularly for about 2 weeks now, since approx Jan 15, 2010 or so.
    It is not a threat whatsoever to my machine, but seeing them in my Inbox is becoming annoying.
    2 days ago I set up a filter on my domain to capture the incoming viruses using specifically, among other criteria, the replyto address of all 7 of them, which was the same address in all 7. Yesterday, however, after creating that filter, I received another one having a different email replyto address & so this latest one bypassed my brand-new filter & got into my Inbox.
    And there is maliciousness behind the sending of these virus emails despite their harmlessness to my own machine, so I am writing you to tell you that if you are the senders, that your malicious behavior, at least towards me but of course I include all of your victims, must stop.

    A) If these virusmails are deliberately originating from any of your email addresses, STOP SENDING THE VIRUSES. AS OF TODAY, *STOP*
    B) If you do not know anything about the virus emails & from whom they are being sent, then this email from me is a warning to all of you that your email addresses are being hijacked for malicious use by evil people & you ought to look into getting law enforcement/FBI/Federal govt agencies/etc. involved in investigating the source(s) of the virusmails, forwarding this email of mine to the agencies if you like.

    All of the below-listed email & IP addresses are visible in this particular virus email's header info:

    [screenshot of the header's email and IP addresses, posted as an image]
    Subject: UPS Delivery Problem NR 38946.
    Date: Tue, 2 Feb 2010 02:08:59 +0800
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CAA369.A08E62E0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0006_01CAA369.A08E62E0
    Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-1";
    reply-type=original
    Content-Transfer-Encoding: 7bit

    Dear customer!

    Unfortunately we were not able to deliver your postal package sent on the 8th of December in time
    because the recipient's address is erroneous.
    Please print out the invoice copy attached and collect the package at our department.

    United Parcel Service of America.


    ------=_NextPart_000_0006_01CAA369.A08E62E0
    Content-Type: application/zip;
    name="UPS_document_Nr28451.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="UPS_document_Nr28451.zip"
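The filter kevinkendall describes (a "ups.com" sender match AND a subject fragment AND a body fragment AND an attachment), written out as an added Python example that is not from the thread. It builds a constructed message mirroring the headers quoted above (the sender addresses are placeholders, since the real ones are not on the page) and adds the one check a mail filter can do that a bare attachment rule cannot: listing the zip's members to see whether an executable is inside, without extracting or running anything.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_IN_ZIP = re.compile(r"\.(exe|scr|pif|com|bat)$", re.I)


def build_sample_lure() -> bytes:
    """Constructed message mirroring the thread's quoted headers; addresses are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Dummy bytes standing in for the .exe the posters found inside the zip.
        zf.writestr("UPS_document_Nr28451.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "Manager Roland Woodard <manager@ups.com.invalid>"  # placeholder
    msg["Reply-To"] = "delivery@ups.com.invalid"  # placeholder lookalike domain
    msg["Subject"] = "UPS Delivery Problem NR 38946."
    msg["Date"] = "Tue, 2 Feb 2010 02:08:59 +0800"
    msg["X-Mailer"] = "Microsoft Outlook Express 6.00.2900.2180"
    msg.set_content("Dear customer!\n\nUnfortunately we were not able to deliver your "
                    "postal package sent on the 8th of December in time because the "
                    "recipient's address is erroneous.\nPlease print out the invoice "
                    "copy attached and collect the package at our department.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_document_Nr28451.zip")
    return msg.as_bytes()


def executables_in_zip_parts(msg) -> list:
    """Names of executable-looking members inside zip attachments (listed, never extracted)."""
    names = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/zip":
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names += [n for n in zf.namelist() if EXEC_IN_ZIP.search(n)]
        except zipfile.BadZipFile:
            names.append("<corrupt zip>")  # a malformed archive is itself worth flagging
    return names


def classify(raw: bytes) -> dict:
    """The thread's AND-rule plus the executable-in-zip check, over a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = " ".join(str(msg.get(h, "")) for h in ("Reply-To", "From")).lower()
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    execs = executables_in_zip_parts(msg)
    hits = {
        "sender_claims_ups": "ups.com" in sender,  # substring match also catches lookalikes
        "subject_matches": "ups delivery problem" in subject,
        "body_matches": "not able to deliver" in body,
        "executable_in_zip": bool(execs),
    }
    return {"quarantine": all(hits.values()), "hits": hits, "executables": execs}
```

Because the sender test is a substring match, the lookalike placeholder domain trips it just as the changing reply-to addresses in the thread would; a plain text message with no attachment passes through.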
     
  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    @kevinkendall, you really shouldn't post your email address like that, it's a sure fire way of getting lots of spam as spambots go through web pages and grab them up.
     
  7. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #7
    Another thing to remember is that there are tons of ways to fake the return addresses and many of the end users have no idea that their email addresses have been hijacked. This is often done because the hackers target the mail servers directly, bypassing the end user and then use those mail servers to send email using any user's email address. Thus sending letters to them is most likely totally useless; they have no idea this happened, and no idea how to fix it.
     
  8. r0k macrumors 68040

    r0k

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #8
    I have crossover installed. This means that I can open exe files in OS X. The ones I open are mostly self extracting zip files posted by companies too lazy to think about anything but Windows. There is nothing for a virus to infect because even if I run them, they run in a fake win 2000 environment that goes away when the file finishes running. If they try to make changes to the registry or open an outlook address book to email all my friends, they stop dead because there is no such thing.

    If, however, you run some flavor of Windows under VirtualBox, Parallels or Boot Camp, (the Windows portion of) your machine can get infected and you could wind up with a virus or adware living on whatever partition you run Windows from. It is best to be careful what you open whether you've got CrossOver or Parallels installed or not. It's just common sense safe computing.

    @kevinkendall: please edit your post to remove ALL full email addresses. Not only you, but everybody else listed in your post is now a possible spam bot target. Guess where those UPS trojans come from? The very spam bots you are feeding your email addresses to. :eek: If you want to post your email address for all of us to see, it should be something like this: somebodyATsomethingDOTcom, without a mailto link. First the spam bots look for mailto: links. Then they look for @ signs. If you follow my suggestion, the spam bots are less likely to figure that out and add you to a list of future email scam victims.
     
  9. kevinkendall macrumors newbie

    Joined:
    Sep 16, 2007
    Location:
    Denver
    #9
    Yup -- Screwed up

    woops.:cool:
    yup, yer right.
    I was going too fast.
    I was thinking at the time to go to my website homepage & copy my email address that I've got there encoded in HTML entity code to prevent exactly what you reminded me of:
    [screenshot of the entity-encoded address from the poster's homepage]
    The theory is that when the email sniffers go sniffin' through my homepage's sourcecode they won't parse the HTML entity code into ordinary ASCII. Should work that way. I've been thinking though that I need to do some research on that RE: current email sniffing 'bots operations 'cause parsing HTML code into ASCII's pretty basic stuff. In the past I've used Javascript encoding gizmos to hide my email address from 'bots, but I'll keep it as is for the time being.
    Anybody out there know of any online testers that'll test one's webpage sourcecode for 'bot vulnerability, specifically email address sniffing/detection?

    I should be able to get back into that post & wipe out my email address there though, I think, or replace the ascii text with the HTML entity code.
    <thWACK upside the head>
    Thank you for the heads up. My Apple Mail's pretty good at filtering, plus I've got Junkmatcher doing additional filtering in Mail. But having that's no excuse for dumbly dropping an email address into a forum post, especially on a site as popular as MacRumors. The 'bots are out there....
    duhhhh
     
  10. kevinkendall macrumors newbie

    Joined:
    Sep 16, 2007
    Location:
    Denver
    #10
    Sorry - That was sooo dumb of me. Wasn't thinkin'

    I know better, I really do. :eek: Just giant brain fart......
    I screenshot-PNG'd all the sections that have email addresses in them.
    ALL email addresses throughout my post are now PNG pictures, not text.
    Won't happen again. sorry. dumb of me. And inconsiderate of the other people's/group's email addresses who, because this is a virus-related email, may be innocent victims of the stranger-hating jerk malcontent who originated the virus email.

    kevinkendall :apple:
     
  11. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #11
    Bots act however the programmer designs them. Some will only look for mailto: links and plain text addresses, others are smart enough to figure out the "name AT domain DOT com" scheme as well as the HTML encoded method. Most use very basic methods though because most people just put up email addresses in plain text so they don't have to be any smarter. The safest way is to use a contact form so your email address isn't there in any form. I've given presentation on spam bots for work, they can be very smart if they want to be. Thankfully most are pretty bare bones.
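The self-check kevinkendall asked about in post #9, as an added Python example that is not from the thread: it runs page source through the tiers angelwatt describes (mailto links, plain text, HTML entities, the "AT/DOT" scheme) so a site owner can see which obfuscation actually survives. The page fragments and the jane@example.com address are constructed, not the poster's site.

```python
import html
import re

# Constructed page fragments (not the poster's real site), one per scheme mentioned in the thread.
SAMPLES = {
    "plain_with_mailto": '<p>Mail me: <a href="mailto:jane@example.com">jane@example.com</a></p>',
    "html_entities": ("<p>Mail me: &#106;&#97;&#110;&#101;&#64;&#101;&#120;&#97;&#109;"
                      "&#112;&#108;&#101;&#46;&#99;&#111;&#109;</p>"),
    "at_dot": "<p>Mail me: jane AT example DOT com</p>",
    "contact_form": ('<form action="https://forms.example.net/send" method="post">'
                     '<textarea name="msg"></textarea></form>'),
}

MAILTO_RE = re.compile(r"""mailto:([^"'>?\s]+)""", re.I)
PLAIN_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# "name AT domain DOT tld", with optional brackets around AT and DOT.
AT_DOT_RE = re.compile(
    r"\b([\w.+-]+)\s*[(\[]?\s*at\s*[)\]]?\s*([\w-]+)\s*[(\[]?\s*dot\s*[)\]]?\s*(\w+)\b", re.I)


def audit(source: str) -> dict:
    """Report which tier of address-finding recovers an address from a page's source."""
    tiers = {
        "tier0_mailto_links": set(MAILTO_RE.findall(source)),
        "tier1_plain_text": set(PLAIN_RE.findall(source)),
    }
    decoded = html.unescape(source)  # one stdlib call undoes &#...; entity encoding
    tiers["tier2_after_entity_decode"] = set(PLAIN_RE.findall(decoded)) - tiers["tier1_plain_text"]
    tiers["tier3_at_dot_scheme"] = {f"{u}@{d}.{t}" for u, d, t in AT_DOT_RE.findall(decoded)}
    return {k: sorted(v) for k, v in tiers.items()}


def exposed(source: str) -> bool:
    """True if any tier recovers an address; a contact form leaves nothing to find."""
    return any(audit(source).values())
```

The entity-encoded sample fails at tier 2 with a single standard-library call, which is the point angelwatt makes: only the contact form comes back clean.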
     
  12. kevinkendall macrumors newbie

    Joined:
    Sep 16, 2007
    Location:
    Denver
    #12
    hmmmmmm
    Good info, angelwatt. Thank you for passing that on to me, & to the others following this.
    And thanks also for validating the doubts I had about what I thought to be my tricky little HTML entity codes in place of ASCII text for spelling out my email address. I figured that that was probably just way tooooo easy but wasn't sure. :rolleyes: This is the first forum I've asked about that in.

    So by "contact form," I'm assuming you have in mind some HTML form-making code which within itself makes reference to a server-located PHP script within which the email address is located; if my assumption is correct then that's not an option for me. My hosting outfit charges per-month extra $$ for such stuff. My site's not a biz site, just a simple little personal site and so in simplicity, I pay just a flat yearly charge & at this point, I have no real need for PHP & all that. I'd LIKE to, but I don't want to have to pay the bucks just for that at this point in time.

    So....... That leaves Java scripts only, from what I have discovered in my researches. What do you think of specialty Java scripts that are written specifically to hide email addresses from 'bots? May I ask what your professional, etc experiences & thoughts on those are in relation to 'bot sniffers? I do not know Java well enough to write code, only "reverse-engineer" the uncopyrighted codes I find, nor do I have understanding of obscure internet wizardry means & methods, so I'd like to ask you, someone who seems pretty knowledgeable in this area, if you know of any such thing as, say, Java-busting 'bot email address sniffers, which if so may preclude even the use of a simple address-hiding chunk O' Java?
    TIA, aw
    kevinkendall :apple:
     
  13. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #13
    One quick clarification, Java and JavaScript are two completely different programming languages. JavaScript is the one you're able to use on your site. JavaScript can be used rather successfully against spam bots because it's rare to come across a bot that processes JavaScript on pages, and those that are that sophisticated generally have bigger dreams than finding some email addresses. That said, requiring JavaScript for seeing the address can reduce the accessibility of the address. People like myself have JavaScript disabled for a web site by default (using NoScript addon) so would miss out on the address. Using an image of the email address is equally inaccessible for blind users and those using screen readers and makes it a pain for sighted people because they can't just highlight and copy 'n' paste it.

    One recommendation is to use a 3rd-party site to handle the contact form processing so you don't need to be able to handle the PHP on your site. One such service comes from Kontactr (free). I have not used this service or any like it so can't vouch for it myself, but this type of service is one of your best bets. From the web site it says you can either supply a link on your web site that will take your visitor to the Kontactr site to fill out the form, or you can embed a form on your site that will redirect the message through Kontactr without the visitor having to leave your site. Here's an article that led me to it and talks some pros and cons of the service.

    I noticed that Kontactr has CAPTCHA as part of it, but if possible I recommend disabling that part, at least at the start. Nobody likes figuring out what letters are present in the image, and it can turn some people off from leaving you any feedback. If, though, you start getting a bit of spam messages through it, you can always enable it. I'm not sure what methods they use in their form to combat spam attempts.
     
  14. kevinkendall macrumors newbie

    Joined:
    Sep 16, 2007
    Location:
    Denver
    #14
    WOW
    In writing this reply to your helpful rundown on Java, etc I feel like I'm saying "Thanks, professor!" & walking out the door of a college computer science classroom....
    hehehe Thanks very much for taking the time to get all that info together & writing it all out, aw. I REALLY appreciate the detail, & the links & so forth.
    One thing I've noticed after freeing myself from the trickeries of

    The Dark (Darth??) Side

    is that Mac people are generally much more noticeably non-condescendingly helpful with actual, REAL info for other forum posters, your reply to me being a prime example of such. Contrarily, so many usually substantially clueless Windows forum posters end and/or intersperse their spiels with "I think" or "Try this" or "maybe" or the most usual one when the "helpers" have run out of genuine knowledge, "you might have to reinstall..... blabla." LOL! And then there's the everpresent seemingly inherently-incipient Windows troll posters, too that ya gotta waste time glancing at, judge as ignorable, & scroll down past to look for the good stuff.
    Anyway, I will check out the "pros & cons" link you left & the Kontactr homesite link & see what they're all about. By your descriptions, Kontactr sounds to be a workable solution to hiding email addresses from the vampire 'bots for budget noncommercial website owners like myself.

    And RE: the kaptcha stuff — I'd be inclined to disable that if I were to go with Kontactr, as you touched on. I understand its necessity these days but without my Mac's onthefly zooming capabilities (see pic below), I otherwise go through 4, 5 or 6 of those kaptcha pictures before I get it right. And I assume that the batting average isn't too awfully a whole lot better with most other people's attempts either especially for those who don't know how to zoom in & so I wouldn't want to subject others to that kind of security bottleneck for simple emailing of innocuous stuff. Probably wouldn't even be necessary, I think, really since all the pertinent personal info would be located inside one's Kontactr account on some server in Cincinnati or Hoboken or :eek: Shanghai.
    TIA, aw
    Your helpfulness is much appreciated.......
    kevinkendall :apple:

    NOTE TO FORUM MODERATOR:
    I'll try & keep my posts down to smaller sizes in the future... I ramble & get carried away a lot of times with the fun I'm having, I know.
    And sometimes even do dumb stuff like include forgettable screenshots as below (it's only a hundred-K JPG though).
    Chemical imbalance, yaknow. :p
    But hey......
    Keep up the good work. :D


     
