Tuesday 23 April 2013

DHL Spam / DHL-LABEL-ID-2456-8344-5362-5466.zip

This fake DHL spam has a malicious attachment.

Date:      Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From:      Ramon Brewer - DHL regional manager [reports@dhl.com]
Subject:      DHL DELIVERY REPORT NY73377
   
Web Version  |  Update preferences  |  Unsubscribe
       
DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe

Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45.

Checksums are as follows:
MD5:    85f908a5bd0ada2d72d138e038aecc7d
SHA1:   017e82b1074dd210c0c41c8129d81e577d3c121b
SHA256: bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b

Whatever this is, it seems to be hard to analyse with automated tools. Comodo CAMAS does report the following registry key being created, which may help to clean up any infections.

Name:  LM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
Type:  REG_SZ
Size:  96
Value: "C:\Documents and Settings\All Users\svchost.exe"
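An added cleanup check, not part of the original post: this PowerShell script looks for the Run value and the dropped file that CAMAS reported, and hashes the file against the checksums listed above. It assumes the sandbox's "LM\" prefix means HKEY_LOCAL_MACHINE and uses .NET hashing so it also runs on the PowerShell 2.0 found on hosts of that era.

```powershell
# Added check (not from the original post): look for the persistence
# artefact reported by Comodo CAMAS and compare any file found against the
# checksums listed in the post. Run as an administrator on the suspect host.
# Assumption: CAMAS's "LM\" prefix is HKEY_LOCAL_MACHINE.
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'SunJavaUpdateSched'
$DropPath  = 'C:\Documents and Settings\All Users\svchost.exe'
$Known = @{                       # values copied from the post's checksum list
    MD5    = '85f908a5bd0ada2d72d138e038aecc7d'
    SHA1   = '017e82b1074dd210c0c41c8129d81e577d3c121b'
    SHA256 = 'bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b'
}

function Get-FileHashHex([string]$Path, [string]$Algorithm) {
    # .NET hashing works on PowerShell 2.0, which has no Get-FileHash cmdlet
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

$findings = @()

# 1. Autorun entry: a "Java update" name pointing at svchost.exe is the CAMAS indicator.
$value = (Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$ValueName
if ($value) {
    $findings += "Run value '$ValueName' present, data: $value"
}

# 2. Dropped file: the real svchost.exe lives in %SystemRoot%\System32, never under All Users.
if (Test-Path -LiteralPath $DropPath) {
    $findings += "File present: $DropPath"
    foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
        $hash = Get-FileHashHex -Path $DropPath -Algorithm $algo
        if ($hash -eq $Known[$algo]) {
            $findings += "$algo matches the sample in this post ($hash)"
        } else {
            $findings += "$algo differs from this post's sample ($hash); possibly a repacked variant"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this post were found.' } else { $findings }
```

A differing hash with the Run value still present is worth treating as an infection anyway, since the same campaign is typically repacked per mailing.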
