Wednesday, 20 February 2013

USPS spam / USPS delivery failure report.zip

This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.

Date:      Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From:      USPS client manager Michael Brewer [reports@usps.com]
Subject:      USPS delivery failure report

USPS notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip, which in turn contains an executable called USPS report id 943577924988734.exe.

The VirusTotal detections for this are patchy and fairly generic. Automated analysis tools are pretty inconclusive when it comes to the payload, although if you are trying to clean it up then the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good place to start.
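Two of the observations above lend themselves to simple automated checks: the nested ZIP that hides the .exe two levels down, and the Run-key value pointing at an svchost.exe outside the Windows system directories (the genuine svchost.exe lives in System32 and is never registered in a Run key). The following Python is an added example, not code from the original post; it builds a harmless constructed stand-in for the double-zipped attachment using the file names quoted above, lists its members recursively, flags executables at any depth, and then evaluates a constructed snapshot of Run values (the SunJavaUpdateSched entry from the post plus a made-up benign one) for the svchost.exe-in-the-wrong-place pattern.

```python
"""Added example (not from the original post): triage helpers for a
double-zipped e-mail attachment and for the Run-key persistence it sets."""
import io
import ntpath
import zipfile

# Extensions that should never arrive inside an e-mail attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_DEPTH = 5                     # stop descending into ZIP-in-ZIP-in-ZIP chains
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate absurdly large members

# Directories where the real svchost.exe may legitimately live (lower-cased).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def list_archive_members(data, depth=0, prefix=""):
    """Return [(path, depth)] for every member of a ZIP, descending into
    nested ZIPs so 'outer.zip/inner.zip/payload.exe' is visible in one pass."""
    if depth > MAX_DEPTH:
        raise ValueError("archive nesting too deep")
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            found.append((path, depth))
            if info.filename.lower().endswith(".zip"):
                if info.file_size > MAX_MEMBER_BYTES:
                    raise ValueError("nested archive member too large: " + path)
                found.extend(list_archive_members(zf.read(info), depth + 1, path + "/"))
    return found


def find_executables(data):
    """Members at any nesting depth whose extension marks them as executable."""
    return [(p, d) for p, d in list_archive_members(data)
            if ntpath.splitext(p)[1].lower() in EXECUTABLE_EXTS]


def build_sample_attachment():
    """Constructed stand-in for 'USPS delivery failure report.zip': an outer
    ZIP holding an inner ZIP holding a text stub named like the real payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("USPS report id 943577924988734.exe", b"placeholder, not a real PE file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("USPS report id 943577924988734.zip", inner.getvalue())
    return outer.getvalue()


# Constructed snapshot of HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "SunJavaUpdateSched": r"C:\Documents and Settings\All Users\svchost.exe",  # from the post
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",                                    # constructed benign entry
}


def command_path(cmd):
    """Extract the program path from a Run value: a quoted path, or the whole
    unquoted string (paths with spaces are common, so do not split on spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd


def suspicious_run_entries(run_values):
    """Flag Run values that launch something named svchost.exe from any
    directory other than the Windows system directories."""
    hits = []
    for name, cmd in run_values.items():
        path = command_path(cmd)
        if (ntpath.basename(path).lower() == "svchost.exe"
                and ntpath.dirname(path).lower() not in LEGIT_SVCHOST_DIRS):
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    sample = build_sample_attachment()
    for path, depth in list_archive_members(sample):
        print("  " * depth + path)
    print("executables:", find_executables(sample))
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE_RUN_VALUES))
```

On a mail gateway the archive walk would run over the raw attachment bytes; on an infected host the Run-key check would be fed from a registry export rather than the constructed dictionary used here.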