
Wednesday, 14 April 2010

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds, pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it, along with some other products (VT results here), but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Attachments:
Royal_Mail_Delivery_Invoice_1092817.pdf

The bad PDF file looks like some sort of calendar. I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version, which is 9.3.2, or use an alternative like Sumatra.
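A mail-gateway triage check for the message template shown above, as an added example (not code from this blog or from any anti-virus vendor). The function names, reason labels and the constructed sample message are assumptions, and the attachment bytes are a harmless placeholder; the From header is ignored because it is trivially forged.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Patterns taken from the sample in the post; the digits vary per message.
SUBJECT_RE = re.compile(r"royal\s+mail\s+delivery\s+invoice\s*#?\s*(\d+)", re.I)
ATTACH_RE = re.compile(r"royal[_ ]mail[_ ]delivery[_ ]invoice[_ ]?(\d*)\.pdf$", re.I)

def triage(raw: str) -> list[str]:
    """Return the reasons a message matches this campaign (empty list = no match)."""
    msg = message_from_string(raw)
    reasons = []
    subj = SUBJECT_RE.search(msg.get("Subject", ""))
    if subj:
        reasons.append("subject-template")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        att = ATTACH_RE.search(name)
        if att:
            reasons.append("attachment-name")
            # The sample reuses the subject's invoice number in the file name.
            if subj and att.group(1) == subj.group(1):
                reasons.append("invoice-number-reused")
        payload = part.get_payload(decode=True) or b""
        # Check the content itself, not the extension or declared MIME type.
        if payload.lstrip()[:5] == b"%PDF-" and (subj or att):
            reasons.append("pdf-payload")
    return reasons

def build_sample(subject: str, filename: str, data: bytes) -> str:
    """Constructed test message modelled on the sample in the post."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = '"Royal Mail" <delivery@royalmail.com>'
    m.set_content("We missed you, when trying to deliver.")
    m.add_attachment(data, maintype="application", subtype="pdf", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    # Placeholder bytes: not a real PDF and not the malicious file.
    raw = build_sample("IMPORTANT: Royal Mail Delivery Invoice #1092817",
                       "Royal_Mail_Delivery_Invoice_1092817.pdf",
                       b"%PDF-1.4\n% constructed\n")
    print(triage(raw))
```

Because the wording may vary, the subject and file-name patterns are deliberately loose and are reported as separate reasons so a gateway can score them rather than block on a single match.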

6 comments:

Soe said...

I did get exactly the one you mentioned.
I have disconnected from the internet and am scanning my computer with anti-virus and anti-spyware. Until it all comes out fine with anti-virus and anti-spyware, I am not going online again. Worried about backdoor trojans and keyloggers.
It is 10.10pm now. I got home from work and opened the email by mistake at around 9.30pm.
I am online with my 2nd laptop, trying to find out about "Royal Mail spam with attachment" and found your comment. Thank you for the warning.
Greater London

bazzrington said...

I too just opened this (and I'm normally pretty savvy about such things). Do you know what the actual exploit is - I'm only running Reader 8.1.1

Should I panic yet?

Soe said...

Hi bazzrington
I went to Adobe and updated my reader to 9.3.2, the latest version.
As far as I know it is aimed at version 9.1.
The virus has different names depending on your anti-virus software:
1. Exploit.PDF-Dropper.Gen
2. SPR/PDF.Dropper.Gen
3. JS:Pdfka-XN
4. Riskware.PDF.Dropper.Gen
5. Mal/Koobface-B

You can detect with your antivirus software and delete it.

Put "Exploit.PDF-Dropper.Gen" in search engine or Google it and you can find out more about it.
Take care and God bless

Soe
Greater London
4.50 am

Le said...

Pls send me the PDF virus sample!
Thanks!

Terry said...

I am a security specialist.

I am looking for "Royal Mail Delivery Invoice.pdf" sample.
Could you plz share with me.
Thanks

e-mail: secnet@paran.com

kaito said...

I'm looking for the "Royal Mail Delivery Invoice.pdf" sample, like Terry.

Could you send me the sample?
Thanks.

e-mail:kaito834@gmail.com