by RSS Tiejun Wang  |  Jan 28, 2009  |  Filed in: Security Research

If you have received an email that appears to be from UPS, please be careful. Do not rashly open the attachment of the email. Some spammers are disguising themselves as UPS to spread malware.

Here’s a screenshot of the sample email:


The attachment of this email is shown as a compression archive. It actually contains a malware which looks like a Microsoft Word or Excel file. If your system is set to hide the known file extension names, you can be easily cheated. The malware samples that we have collected have the names like: UPS_letter.doc.exe, UPSInvoice77179.exe and UPSInvoice_019002.exe. If you execute these malware, a banking Trojan will infect your system.

This type of spam appeared in mid-October last year and the number of it is still increasing recently. Based on our statistics, it has reached 6.84 percent of the total spam volume. According to our analysis, most of these spams originate from USA, the UK and Canada.

In order to evade antispam detection, variants of this spam have appeared. Not only "UPS”, but also "UMS” has been used to disguise it by spammers. For example, the “UMS” spams are about a contract (lease contract, opening an account, etc.). The attachment is usually called something like "" which contains a malware variant.

The Fortinet antispam team has been keeping close watch on this type of spam.

by RSS Tiejun Wang  |  Jan 28, 2009  |  Filed in: Security Research