New FedEx Virus Email

Mark Berry January 28, 2012

Back in November, I wrote about an airline ticket virus email. Now it’s FedEx: today I received this email supposedly from FedEx with a zip file attachment:

Fedex Virus 1

If you open the zip file to see the “invoice,” you’ll see what looks like a PDF file:

Fedex Virus 2

However, if you go to Windows Explorer and uncheck “Hide extensions of known file types,” you’ll see that it is actually an executable file:

Fedex Virus 3

Don’t run it! That means don’t double-click on it to “open” it. It’s got to be a virus.
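The trick above (a name like invoice.pdf.exe that Explorer shows as invoice.pdf) can be checked for before anyone double-clicks. Here is an added example, not part of the original post, that opens a zip attachment offline and flags entries with a document-then-executable double extension, and entries whose bytes start with the Windows executable “MZ” header despite a harmless-looking extension. The zip contents are constructed for the example; the extension lists are assumptions, not exhaustive.

```python
"""Flag zip attachments that hide an executable behind a document-looking name."""
import io
import zipfile

# Extensions Windows runs on double-click (assumption for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects to see on an "invoice" or "receipt".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_name(name: str) -> bool:
    """True for names like invoice.pdf.exe: a document extension followed by an
    executable one, which Explorer shows as 'invoice.pdf' when extensions are hidden."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DOCUMENT_EXTS


def is_pe_header(data: bytes) -> bool:
    """Windows executables (PE files) start with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def scan_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for each entry that is probably an executable in disguise."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if suspicious_name(name):
                findings.append((name, "double extension hides executable"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((name, "executable attachment"))
            # Only the first two bytes are read; nothing is executed or extracted to disk.
            if is_pe_header(zf.open(info).read(2)) and ext not in EXECUTABLE_EXTS:
                findings.append((name, "PE header but non-executable extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not the real attachment: two fake 'documents' whose
    content starts with the MZ magic, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```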

Another clue: the subject line refers to USPS but the body refers to FedEx.

This virus bypassed the VIPRE anti-virus on my computer. www.virustotal.com shows that only 2 of 43 engines currently recognize it as a virus.

As usual: if you don’t recognize the sender, or are not expecting the email, don’t open the attachment! In fact, I’d say just don’t open attachments from anyone unless you personally know the sender (e.g. a friend or colleague) and you are expecting them to send you a file. Big companies just don’t send email with attachments.



8 Comments

  1. David   |  February 01, 2012 at 12:48 pm

    What if my father already opened this file? Any info on what it does or did to his machine and how to fix would be helpful. Thanks – David

  2. Mark Berry   |  February 01, 2012 at 1:04 pm

    David – so far no one has commented on what this one does. I ran a brief test on an isolated machine. All I could see immediately was that it deleted the install file, but it could have set up all manner of background processes. It looks like almost half of the AV engines are detecting this now, so I would choose one that is, run a scan, and see if it can remove it. Here’s the report at http://www.virustotal.com (if Analysis date is old, click on View latest):

    https://www.virustotal.com/file/23669678beef5154f8bf9dec03458a45636a39025c8ff4dbe199a53b967dac1e/analysis/

  3. B   |  March 15, 2012 at 1:03 am

    Hi Mark,

    Thanks for your comments. I too was conned with this email, thinking it was a legitimate parcel that I had ordered some time ago which had gone missing.

    The hardest thing was when I Googled the Fed Ex customer service email it came up as a genuine email address at Fed Ex so presumed it was my missing parcel.

    Although I did download the Winzip folder and double click on the document it said it could not open due to the file being corrupt or a component of the file missing. When I found out what it was I shut down my computer immediately.

    All scans to date and the server anti-virus logs have not detected anything so I am presuming all is OK? Or does the virus not get detected by scans?

    Did you experience a similar scenario when you tested out the virus?

  4. Mark Berry   |  March 15, 2012 at 10:25 am

    B – I think you are okay. I was actually able to open the zip file and see the fake PDF as described in the article. But I have received other probable virii as zip attachments where the attachment was corrupt, and as far as I know, nothing became infected. It’s possible that these zip files somehow take advantage of a vulnerability in certain zip programs. I use WinZip 15.0.

  5. Faro   |  April 08, 2012 at 6:18 pm

    I just got an email saying my package is ready for pick up and I should print and take the receipt to pick up my package! And there was a zip file. I knew it was a virus from the looks of it.

    I did not have a package coming for me and I know Fedex does not send out emails to me.

  6. Soinoi   |  April 21, 2012 at 7:31 pm

    I got this one yesterday; after hesitation, and because I am expecting deliveries, I opened the email and its attachment. Immediately there were repeated screens to say that my computer was infected. My Trend antivirus was turned off and I could not open any files, though I could see them or copy them.

    There was a new antivirus scan window (can not remember its name) inviting me to take up the offer. Obviously I ignored it.

    I went to the ‘Add and remove Program’ in the control panel, found the offending program and clicked to remove it. BUT BEFORE I clicked to confirm its removal, my computer seemed to come back to normal.

    I re-installed my Trend program and ran a scan. The offending virus was not found.

    Question:
    Have I fixed the problem? If so, it’s odd that with all this fancy footwork, the offenders would just let you go easily. Or are they giving a false sense of security but will strip me down somewhere down the track?

  7. Mark Berry   |  April 21, 2012 at 11:12 pm

    The first symptom you mention, fake anti-virus screens, is a common symptom of a real infection.

    Hard to say if it is really gone. I would run a scan using the free version of Malwarebytes (www.malwarebytes.org) in addition to Trend, and repeat both scans every day for a week to make sure you didn’t “catch” something that the real anti-virus programs haven’t learned yet to detect.

  8. soinoi   |  April 22, 2012 at 9:19 am

    Thanks heaps Mark, I’ll do just that plus any other trusted scan site comes my way.
