Fake UPS Emails with Virus/Malware Payloads Tuesday, July 22nd, 2008
Update 24/07/2008 - Nod32 Now Identifies this - See bottom of post.
—
Several clients were targeted with e-mails that contained .zip attachments. The e-mails were crafted to look like legitimate messages from UPS with invoices attached (see above).
Inside the .zip file was an executable disguised as a Microsoft Word document (see above). The Word icon is fake; the file is really called ups_invoice.exe.
You can even scan the .exe file with anti-virus software (in my case the latest Business Edition of Nod32) and it will not be detected.
I even submitted the .exe file to ESET and they said:
“The file is corrupt and thus non-functional. As such, it should not be detected as it does not pose any risk” [TRACK#4884AA4D0007]
That is a complete load of rubbish: I took the same file and managed to infect my test-bed XP machine running the latest version of Nod32.
So you really are at the mercy of the end user doing the right thing and not opening unsolicited attachments.
It appears to defeat the end user's anti-virus because the file itself does little more than connect to the Internet, download the real payload and sneak it onto the computer. The end user is complicit in this; they have to run the file. As you can see from the shots above, it has been cleverly engineered to be difficult to spot.
With up-to-date anti-virus software unable to detect the original .exe file, it really is open season.
Tech Tip: If you are worried users might get caught out, block .zip e-mail attachments if you can.
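If an outright ban on .zip attachments is not an option, the next best thing is to look inside the archive before it reaches the user. The icon is chosen by whoever built the executable, so it proves nothing; what does not lie is the file name's real extension and the first two bytes of the member (Windows executables start with "MZ"). The script below is an added example written for this post, not code from the original article or from any AV vendor. The list of executable extensions and the sample archive it builds (a stand-in ups_invoice.exe whose body is just an MZ header plus filler, a doc.scr double-extension file, and a harmless PDF) are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will run directly when double-clicked. Assumption: this
# list covers the common cases, it is not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document extensions attackers like to put in front of the real one
# (e.g. invoice.doc.scr) so that a hidden-extension setting shows "invoice.doc".
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}


def _suffixes(member_name):
    """Return every dotted suffix of the base name, lower-cased, in order."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip_attachment(data):
    """Scan a .zip held in memory and return [(member_name, [reasons])] for
    members that look like a disguised executable. The icon is ignored
    entirely: only the real extension and the MZ magic bytes are trusted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            suffixes = _suffixes(info.filename)
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + last)
            # Double extension: a document extension immediately before an
            # executable one, the classic "looks like a .doc" trick.
            if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS
                    and last in EXECUTABLE_EXTENSIONS):
                reasons.append("document extension " + suffixes[-2] + " hiding " + last)
            # Content check: a PE executable begins with the two bytes "MZ",
            # whatever the file is called or which icon it carries.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("MZ (PE executable) header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive standing in for the UPS attachment. The
    'executables' are only an MZ header plus filler, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ups_invoice.exe", b"MZ" + b"\x90" * 62 + b"constructed fake PE body")
        zf.writestr("invoice.doc.scr", b"MZ" + b"\x00" * 30)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed harmless sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

Run against the constructed archive it reports ups_invoice.exe and invoice.doc.scr and stays quiet about invoice.pdf. Feeding the real attachment through the same function (after fetching it from the mail queue) is the point: the Word icon never enters into the decision.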
More details here: http://pandalabs.pandasecurity.com/archive/Fake-UPS-Invoice-Email.aspx
Updated 24/07/2008
I just get the impression the AV companies were caught napping on this one.
But the good news is those pesky attachments are now being identified.