
That package that just arrived is a virus

The evil people who create viruses will stop at nothing to trick you. Take this email that I received today:

Dear client
Your package has arrived.
The tracking# is : 1Z45AR990283682749 and can be used at :
http://www.ups.com/tracking/tracking.html
The shipping invoice can be downloaded from :
http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273

Thank you,
United Parcel Service
*** This is an automatically generated email, please do not reply ***

What to look for

Let's look at the warning signals that tell you this email is up to no good:

  • I wasn't expecting any package and there was no actual package delivered to my house.

  • The email was sent to my Spam folder (well done Google).

  • When I float my mouse over the second link, the true underlying link (which I have disabled above) shows up with a completely different web site (not UPS). Worse yet, the web address ends in ".scr" which means a malicious script will run when you click the link.

Remember, when you click on a link, the actual text on your screen has nothing to do with the actual link you will be taken to. If you don't believe me, try the link below. Looks like it will go to noobie.com, right? Go on, give it a try. It's perfectly safe—I promise.

http://www.noobie.com

Just remember, if you doubt the validity of the email, go to the source yourself and NEVER click a link or call a phone number in the email. In the case of this email, the best plan is probably to pick up the phone and call UPS. If they have no idea what you are talking about, at least you can report the email to them as fraudulent use of their trademarked name.
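The mismatch described above, where a link's visible text names one site and its real target is another, can be checked mechanically in an HTML email. The following is an added example, not part of the original post: the `LinkAuditor`, `host` and `audit` names are made up for illustration, and the sample HTML is constructed with a placeholder `.invalid` host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions Windows runs as programs; .scr and .exe are the two reported on this page.
EXECUTABLE_EXTS = (".scr", ".exe")

class LinkAuditor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def audit(html):
    """Return (href, reasons) for every link that deserves suspicion."""
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        reasons = []
        # Compare hosts only when the visible text itself looks like a web address.
        if text.startswith(("http://", "https://", "www.")) and host(text) != host(href):
            reasons.append(f"text shows {host(text)} but link goes to {host(href)}")
        if urlsplit(href).path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("link downloads a Windows executable")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample modeled on the email above; the .invalid host is a placeholder.
SAMPLE = """
<a href="http://www.ups.com/tracking/tracking.html">http://www.ups.com/tracking/tracking.html</a>
<a href="http://files.example.invalid/invoice.scr">http://www.ups.com/tracking/invoices/download.aspx?invoice_id=3483273</a>
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only the second link in the sample is flagged, for both reasons; a link whose visible text is not a web address is checked for the file extension only.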

11 comments for this blog post so far...

  • To get a little technical, “SCR” files (in Windows) are typically screen saver files.  I just wanted to point out SCR files, by definition, aren’t malicious… however you’re probably never going to have an email with a link to an SCR, so in instances like this (links from emails/webpages) they are—but if you happen to find a collection of them at c:\windows\system32 you don’t need to be concerned most likely.

  • @asudduth - Great follow-up! I was so consumed by the “script” version of .scr files I forgot they can also be screen savers. But, as we both said, in neither case would I ever click a link in an email with an attached .scr file.

  • great read...thanks for taking the time to unpack that one.  I have never seen that trick before.

  • I got the same email today.  I was expecting a package so I thought it was authentic as Gmail said it came from .  I checked the tracking code but it was giving me errors so I tried the invoice link, downloaded the .scr file which was saved as a screensaver.  Then when I tried to run it, my firewall acted up so I had to do a system restore.

    I’m still worried though. Is my PC compromised now?

  • Bug - If you did a system restore back to the point before you downloaded the .scr file you should be ok. If you want to be extra sure, download the free version of Malwarebytes at http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1 and run a full scan on your computer.

  • Thanks Patric.  I already scanned the machine using Avira’s AntiVir and it caught a Java virus thingy.  I’m not sure if it’s related though.  Downloading Malwarebytes now just to double check.

  • @Bug - my two cents on this is that Patric is probably right.  The (scr) FILE you downloaded may still be present on your system, however you’re probably not infected (unless you’d double click on this file)—I can’t say this with 100% certainty as you never know how things work, but it’s most likely the case.  MBAM (Malwarebytes) is a good tool to follow up with.

  • Some googling and I came up with the owner of the domain where the malicious e-mail originated. Not sure what this buys us but it’s interesting.

  • I got the same text but with a hidden link to exe file, not scr. Just for the info.

  • Just got the same - with a link to an exe hosted on liansamreality investment rather than the scr file.

    Best thing to do when you get an email of this nature is to go directly to the company’s website by typing the address yourself into the browser; not clicking on a URL - and then paste in the tracking code.  That way you avoid any nasty surprises, and can determine if the package is yours or not.

    Google also does auto-recognition of UPS, and other tracking codes - so you can also just google the tracking code - and it will provide you the appropriate (good) link to the UPS tracking service.

    Andy.

  • I got one of these and was suspicious because I hadn’t ordered anything to be shipped recently.

    Rather than click the links in the message, I copied the tracking number and pasted that into Google.

    It turned up a string of tracking notes for something shipped last year from Florida and then returned and I knew immediately the whole thing was bogus.



Patric Welch
