Security Advisory: Fake DHL Emails Distribute New Trojan
A potential threat to email users in the form of a new spam campaign that masquerades as a shipping notification from DHL. Currently, none of the major anti-virus providers are capable of catching and quarantining this message. As such, this scam has the potential to be successful and can have serious consequences. We have manually updated our virus definitions to stop future incoming messages and are working with our providers to ensure protection against this virus.
We recommend that you take the following action: • Notify all your email users about this threat • Caution your users not to open any attachments from DHL or any unknown sender • Be aware that this is a rapidly-changing virus. Even if your anti-virus provider lists it as covered, you may still be at risk.
More information about this threat: The messages have their “From” field spoofed to appear as originating from an DHL email address. The subject is “DHL Tracking Number ########” (where # stands for a random letter or digit) and unlike most spam, the content of these emails is relatively well-spelled. The message, signed by DHL Delivery Services, reads: “Hello! The courier company was not able to deliver your parcel by your address. You may pickup the parcel at our post office personally. The shipping label is attached to this email. Please print this label to get this package at our post office. The attached archives are called DHL_INVOICE23.zip and contain a trojan installer. “The file in the ZIP archive uses a double file extension in the form of DHL_INVOICE_23.xls______________<plenty of underscores>______.exe,” the Avira researchers explain. This naming scheme as well as the file Excel document icon, have the purpose of deceiving the users into believing that they are actually opening a document. The series of underscores pushes the .exe extension out of the view when the archive file is opened in an unpacking program. At the same time the .exe part will not be visible in Windows Explorer either, since file extensions are hidden by default.