The WORM component spreads through computer devices that are detected by infected systems and will automatically execute an autorun.inf file as soon as a user activates an infected device. In addition, the malware deploys a stealth technique by using a rootkit component to prevent itself from being discovered.

The main payload of this attack is an URL to establish a connection to a malicious website that may enable cyber-criminals to gather information and to further compromise an infected system.

If you have receive such an email, please delete the mail without opening the attachment. If you suspect your system is already infected or you have already open the attachment and not sure whether your system is infected, please contact us so that we can schedule our technician to check your system.

During my daily morning working ritual, that is, clearing emails, answering queries, replying to Twitters and checking out my Facebook account, all done with multiple windows on my 2 laptops and 3 screens using Synergy, an email from UPS suddenly caught my attention and all work was put on hold to check out this email. I’m usually a multi-tasker (who’s not), but in this case, nothing is more important than to read this email.

What’s The Story?

The reason why it gets my 100% attention is because we’ve recently help a customer to dismantle their server appliances from their Singapore office and ship them to their Belgium office, using UPS as our courier service. That job alone cost around S$4,900 for the shipping fees and the cargo itself is estimated to be around S$90,000. We almost make a loss for this job because another vendor who estimates the weight of the cargo for us miscalulated the total weight by a difference of over 90kg, meaning that the buffer charges we impose on the customer plus our profits have almost all gone down the drain, and if includes the manpower to do the migration, this definitely is a loss job. Any hiccups for this shipping is therefore not tolerated and that’s why my heart sinks and my mind froze when I read the first sentence from the email.

What’s In The Mailbox?

For your viewing pleasure, I’ve pasted the image of the email below:-

Computer Virus Masqueraded As UPS And DHL Delivery Failure

If you can’t see it, below is the exact mail from “UPS”:-
————————————————————–

Hello!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

————————————————————–

If you are in my shoe, will your heart pound fast and your brain starts to go berserk when you see this email?

Congrates if you don’t, you have a very steady heart

What’s The Give?

Thanks to my years of training as a I.T. professional, I’m able to recollect myself and start to think and work logically after the initial shock. The few things I noticed amissed are:-

1. The email was send to me via my delson(at)pacificlanworks.com account, which I immediately knows something was wrong because our UPS account is not linked to this email!
2. I’ve corresponded with UPS multiple times before and the format and structure of this email seems not to be the same as those I’ve received from UPS previously.
3. The tracking number seems to be shorter than usual for UPS, again, this is based on our frequent shipping experience with UPS itself.

With these 3 doubts that I have, I begin to suspect this is more of a rogue email rather than a legitimate one. I blew a breather and starts to relax myself a bit. At least right now I can “rest in peace” knowing that nothing was wrong with my recent shipping ;p

Don’t Do This At Home

It’s been a long while since I’ve gotten myself so exited, especially receiving any official email from anybody, I decided to kill my curiosity cat and open the attachment.

By doing so, I can learn more about this type of fraudulent email and secondly, to test my new version of AVG Internet Security software

I look for my AVG icon on my bottom-right taskbar and double-click to open it and make sure it is updated and running properly. This is especially important because what I am going to attempt to do will have a very avast result if my AVG Internet Security software is not running properly.

I double-click on the attachment (please be reminded again NOT to attempt this action if you are not prepared for any disastrous result and if your data are not backed up) and the zip file was opened to show an .exe file embedded in it. See image below:-

Rogue .exe File In Email Attachment From UPS

When I double-click on the .exe file, AVG kicks in and flagged it as a trojan and immediately blocked the access to the file and safely quarantined it away from me.

Well, this proves that my hunch was correct and that my AVG Internet Security software is working fine too.

I then delete this email from UPS and pops comes the next email from DHL, same format, same structure. See below:-

Fraudulent Email From DHL Regarding Shipping Failure

Even the attachment contains the same type of .exe file too, see below:-

Fraudulent Email Attachment From DHL Regarding Shipping Failure

Since I’m receiving these emails, I’ll presume that everybody will be receiving too, either sooner or later, but definitely will be, and therefore I’m writing this post to alert everybody about it. Please ensure that  your system is protected with an anti-virus software  and that it is updated to the latest version with the latest virus definition file.

Which AntiVirus Software I recommend?

For me, I’ll recommend AVG software (almost 95% of our customers are using AVG software and some has already renewed it twice since their first usage.)

Do note that AVG software comes with 2 years subscription and when my customer has renewed it twice, it means that they have been using it for more than 4 years already.

If  you are having a  little budget problem, feel free to download your free copy of AVG Anti-Virus Free Edition 9.0. There is absolutely no charge for this edition of AVG software but do note that this is just an antivirus software and do not have any firewall or antispyware to protect your system.

Alternatively, you can get FREE McAfee Internet Security software, which includes firewall and antispyware, with FREE 6 months of subscription just by becoming McAfee’s Official Facebook Fan.

Whichever you choose is not important, they are all great software, as long as you MUST choose one and get it installed in your system will do.

Good luck and have a great day.

McAfee, the wold’s leading dedicated security company, and Facebook announced an unprecedented collaboration in which McAfee will offer for FREE their flagship McAfee Internet Security to all of Facebook 350 million users, irregardless regardless of your country of origin and irregardless whether you are a previous McAfee customer or not.

The only disappointing news is that this FREE software is only for PC users and is not extended to Mac users (as if you need it … ;p )

The software will come with 6 months of FREE subscriptions to the McAfee Internet Security and you can decide to keep the software after that or hopefully wait for any other offers then.

Once you join McAfee as their fan in their Official Facebook Page for McAfee, you are entitled to their FREE software from their website.

Do note that you will need to submit your credit card details in order to get your FREE copy of the software, and they will not charge you until 6 months later, which you MUST remember to cancel it if you decide not to continue with using McAfee Internet Security.

If you decide to continue with the software, do nothing and they’ll automatically credit the software cost from you then. No such thing as totally free lunch

Head on over to McAfee’s Official Facebook Page and claim your FREE copy now!!!

Free McAfee Internet Security Software For All Facebook Users

He was very sure that it is a stolen identity hacking activity and he claims that he knows when it happened, which he believes is during the time when he was in Malaysia for a business meeting and should be during the time when he was using a public computer in a cyber cafe in Kuala Lumpur. He was very certain it is during there and then when it happened.

I asked him how he knows about the “stolen identity” incident and he starts to shed more light into it. In the end, I discovered that his so-called “stolen identity” incident was nothing more than his business associates and friends receiving mails from him recommending them to buy “some enlargement device” or “prolonging pills” and such, basically, he was just another spam victim being masquerated as the originator. That’s all!!

I explained to him that someone from somewhere had managed to get a hold of his email address and using their email system to send out spam mails, but using random email addresses as the original sender, and in this case, his email address, to send out thousand of spam mails. Some of which belongs to his associates and friends.

To be on the safe side, however, I did a thorough check on his system looking for worms, viruses, spywares and any other rootkit malware or such, and his system is cleaned, very clean in fact, as we just did our maintenance for his system just 3 weeks ago!

After much tracing, we begin to suspect that these mails originate from one of his business partner. I made a quick call to the other party and asked them to check for some virus signature and voila, it is their computer that is infected and even during our teleconversation, the computer there was busy sending out more mails and generate lots more traffic.

I advised them to shut that system down and offered to check it for them later, chargeable of course, and yup, managed to clinch another deal the next day and probably will have our maintenance agreement signed too No good gestures goes unrewarded …

As for my panic-stricken customer, I do applaud him for calling us to check his system immediately but was quite puzzled as to why he use a public computer and not his personal laptop when he was in Kuala Lumpur. He claims that he thought of going shopping after his meeting so did not bring his laptop, and to him, it is more of a personal time out until his secretary in Singapore asked him to check something urgently, which he then has no choice but to use the public computer.

Don’t get me wrong, it is perfectly alright to use public computers to do your stuffs or surf the web, but there are some steps you’ll need to take to protect yourselves against any potential problem in the future.

I’ve outlined them below for your reading pleasure and hopefully you’ll remember to do it when you are using any public computer at any cyber cafe in any country, including Malaysia

1. Pay attention to your surroundings and use common sense
   • Beware of strangers around you, there might be potential shoulder surfers within your vicinity and always remember that a public computer is open to anyone.
   • Don’t view any sensitive documents from these computers
   • Look around and make sure no security camera are looking over your shoulder
   • Cover your hands when entering any login information, much like when you are using ATM (Auto-Teller Machines)
2. Don’t do online banking and online shopping
   • Even when you are using a bank’s triple secure login, it is still not advisable to use a public computer for your banking transactions, no matter what.
   • When you shop online using a public computer, you’ll inevitably need to key in your credit card details or Paypal login information, which will then expose yourselves to unnecessary financial crimes. Therefore, it is not advisable to shop online using a public computer. If you really need to, you may consider shopping at ShopBug.com, as we offer Cash-On-Delivery (COD) services, which means that you don’t need to key in any financial details and that means that you are somewhat less vulnerable. However, truth be told, if you are out of your home and in a cyber cafe, just get out of there and do some real shopping with your feet rather than a few mouse clicks
3. Don’t divulge your credit card details
   • As mentioned above, unless you want to be another statistics in the latest financial crime, don’t ever attempt to give your credit card details in any of these public computers
4. Don’t save passwords
   • I think it’s a very common sense to know that you should never save your password in any public computer, and if you are not aware of this also, I’ll really advice you to take part in some computer courses and know more about computing before you made any regrettable mistakes in the future.
   • As for your own personal computer or laptop which you believe to be secured, I’ll also adviced you NOT to save your passwords at all. It is such a primitive security but it does help to weed out casual trouble-makers, but if you let your systems remember your passwords, you might be in for a surprise when things really cropped out.
   • To make sure passwords are not saved in Internet Explorer 7, go to Tools | Internet Options | Content. In the AutoComplete panel, click the Settings button and verify that the Prompt Me To Save Passwords check box is deselected. None of the other AutoComplete features needs to be enabled either, so deselect them as well.
   • In Firefox, choose Tools | Options | Security and deselect Remember Passwords For Sites.
5. Don’t save files locally
   • By saving files locally on a public computer, you risk forgetting to remove it when you are done, and even if you do, traces of the file will still be lugging somewhere waiting for someone to retrieve it.
   • Use a flash drive instead to save your files and probably attach the flash drive to your key ring so you’ll be less likely to misplace it and create a new security problem.
6. Delete your Browsing History
   • When you’ve finished browsing, it’s a good idea to delete your cookies, form data, history, and temporary Internet files.
   • In Internet Explorer 7, you can do this all at once under Tools | Delete Browsing History. In older versions of IE, each of these must be deleted separately, under Tools | Internet Options.
   • In Mozilla Firefox, go to Tools | Options, click the Privacy tab, and select Always Clear My Private Data When I Close Firefox. By default, this erases your browsing history, download history, saved form information, cache, and authenticated sessions. Click the Settings button and select the options to erase your cookies and saved passwords, too.
7. Delete temporary files
   • If you use a public computer to surf the web only, step 6 above will help and this step may not be necessary for you. However, if you use Microsoft Office or any other applications on the public computer, then this step is very important to you.
   • Temporary files (often abbreviated to “temp files”), as opposed to temporary Internet files, are created when you use programs other than a Web browser. For instance, when you create a Word document, in addition to the actual document file you save, Word creates a temporary file to store information so memory can be freed for other purposes and to prevent data loss in the file-saving process. These files are usually supposed to be deleted automatically when the program is closed or during a system reboot, but unfortunately they often aren’t.
   • To find these files, do a search on all local drives (including subfolders, hidden, and system files) for *.tmp,*.chk,~*.*
     This will bring up all files beginning with a tilde or with the extensions .tmp and .chk, which are the most common temp files. Once the search is complete, highlight all and Shift + Delete to remove them. (If you don’t hold down Shift, they’ll usually be sent to the Recycle Bin, which you would then have to empty.)
   • If you did not clear these files, somebody else will be able to open the temporary files and recover your full content from it!
8. Clear the pagefile
   • The pagefile is the location on the hard disk that serves as virtual memory in Windows. Its purpose is to swap out data from RAM so that programs can operate as if they have more RAM available than you actually have installed in the computer. Anything that can be stored in memory could also be stored in the pagefile.
   • To delete the pagefile, change the settings in Windows Explorer. Click View | Folder Options and the View tab, then scroll down and click Show Hidden Files And Folders. Deselect the Hide Protected Operating System Files check box. Now, find the file named pagefile.sys. It is usually (but not always) on the C: drive. Delete it; a new one will be created when the system reboots.
9. Reboot
   • When you’re finished using the public computer, the final thing you should do is a hard reboot. This will not only clear the pagefile, if you’ve enabled that option, but it will also clear out everything you did from the physical memory (RAM).
10. Boot from another device
    • This is a fairly advanced option, and one that is often overlooked. If you boot from either your own USB drive or from a CD, many of the problems mentioned above can be avoided. Today, many Linux distributions have the option of running completely in memory after booting from a CD.
    • If a public computer has had its BIOS options left at default (which happens more often than you would think), this could be an option. If you are able to do this and remember not to save any other files to the local hard drive, everything will be gone when you reboot.

Do remember that there is nothing you can do to make a public computer completely secure. A truly malicious owner or user could install a hardware keystroke logger that would be impossible to detect without actually opening the case and inspecting it. With that less-than-comforting thought, use common sense and use public computers only for nonsensitive tasks.

The email should like something like this:

The fake alert informs recipients that as part of a “State Vaccination H1N1 Program” they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a vaccination profile that is actually an an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.

The link was embedded on the webpage and looks like this:-

Once installed, “this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization,” the post warns. “It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker.

According to AppRiver, the fake CDC email was dispatched at a rate of nearly 18,000 messages per minute, approximately 1 million in the first hour alone.

the fake CDC email was dispatched at a rate of nearly 18,000 messages per minute, approximately 1 million in the first hour alone.

The worst part of it is, according to Symantec, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine. The iFrame checks to see if the system is running an unpatched version of Adobe Reader, Acrobat or Flash Player and if so it uses an exploit to download a file to the system.

Do be aware that these sort of phishing sites and emails are on the rise and there’ s no way for you to know them all, and usually by the time you know it, you’ll be another statistic in the number of victims. I recommend that if you do not have a proper firewall or antivirus software install right now, please get one immediately.

We have been selling AVG Internet Security and Antivirus software all this while and so far, lots of my customers just love it for its low cost, low maintenance and also low resource hogging. Get your AVG Internet Security now.

For your corporate use, please feel free to contact us.