Bad Behavior

Have you made any recent purchases to be delivered by the postal service? Since the holiday season – a time of increased spending – has just passed by, chances are good that you have. There’s a common spam ploy that may try to catch you off guard in order to infect your system with malware: package delivery scams.

Understanding the Threat
During the period surrounding the holidays, cyber criminals up their tactics, hoping to take advantage of more victims during this time of increased online shopping and web browsing.  Even though the holidays are now behind us, it doesn’t mean you can let your guard down – especially if you’re planning to use your holiday gift money or gift cards to score a deal at your favorite online stores.

One type of e-mail message to be on the lookout for is mail that attempts to mimic a message from popular package delivery companies, like the United Postal Service, in order to con the victim into opening a malicious attachment. In the message, the sender will claim that you need to open an attached receipt or invoice.

For example, the subject and text may appear similar to the message, below:

Subject: [NO-REPLY] UPS Tracking Number 21263130

Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

However, the attachment is nothing of the sort – it’s actually malware.

The Bad Behavior
The criminals behind these scams use a few different tactics to feign legitimacy, and to get you to open the attached malicious file. The message appears to come from 'United Postal Service' or 'Post Office', and the subject of the message usually quotes a bogus tracking number. The message contains a zipped file that purports to be an invoice document from the postal service, and invites the recipient to open the attached document and print it out.

When you unzip the attached file, it unpacks the file “UPS_letter.doc.exe”, or something similar. This malware uses a very simple, yet effective, technique to look like a legitimate file. It masquerades as a Word document by using two tricks: a ‘Word’ icon is used and the file has, or appears to have, the extension for Word documents, '.doc'.

“For all intents and purposes, the file looks like a regular Word document – the unsuspecting victim will double-click on the file. This is when the malware actually runs. These files have been typically categorized as “Win32.Worm.Autorun” by Lavasoft researchers,” says Lavasoft malware analyst and Research Team Leader, Andrew Browne.

The file itself is not really a Word document, but a Windows executable file, or program. The malware author is banking on the fact that the user's operating system is configured to hide extensions for known file types. This means that file types (like .exe, .pdf, .doc and so on) are not shown at the end of the file name. In this case, the file type is '.exe' which is a 'known file type'. That means '.exe' is not shown at the end of the file name and the victim will see the filename 'UPS_letter.doc'.

Winning Strategies
If you have unchecked 'Hide extensions for known file types', the '.exe' part will become visible, proving that the file is not really a Word document, but a Windows executable file.

So, what’s one way to gain the upper hand over these types of scams? Configure Windows to show known file extensions by following the steps, below.

1. Open Windows Explorer
2. Click on the 'Tools' menu item
3. Click on 'Folder Options' item
4. Click on 'View'
5. Uncheck 'Hide extensions for known file types'


Learn More Buy Now

Send US Your Stories
By The Numbers
2.9 billion U.S. dollars were lost by households in the past two years due to damage caused by virus infections.

Source: Consumer Reports, State of the Net 2008
Tips & Tactics
Good news for Ad-Aware users: incremental threat updates are now available. Read more about how the download time for updates is now significantly reduced!
What People Are Saying
“[Ad-Aware] provides solid and reliable protection with great flexibility available to the user…combining leading detection technologies from the anti-spyware and traditional anti-virus worlds.”

John Hawes, Virus Bulletin Review
Forward to a Friend
Pass on the news, tips and offers in this issue – e-mail Lavasoft News to a friend.

Lavasoft AB Odinsgatan 10, 411 03 Gothenburg, Sweden | www.lavasoft.com | editor@lavasoft.com