This could not be a virus, right?

Status
Not open for further replies.

MotionMan

Lifer
Jan 11, 2006
17,312
12
81
Here is a new twist. I received the following e-mail:

Hello!

We were not able to deliver postal package you sent on the 14th of March in time
because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Deirdre Hand,
Customer Service: 1-800-CALL-DHL
Fax: 888-221-6211
DHL International, Ltd. All Rights Reserved.


Attached is a file named "DHL_DOC.zip"

The e-mail came from "Deirdre Hand" at hicksdd@varnalife.com

Other than the fact that I did not ship anything on March 14th and never use DHL, it seems legit to me!

MotionMan
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
It could be a virus. The .zip might not actually be a .zip. If you have a Linux partition or LiveCD, boot up into it and extract it there. Look around at the files and see what comes out. In Windows, if you are concerned, scan it with antivirus software before you open it.

Also, you can look at the message headers and see if the E-Mail does, in fact, come from DHL.

Finally, given that you don't use DHL and didn't ship anything - it sounds like it is probably bogus. Unless you know what you are doing, don't do the stuff above.

-Kevin
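A way to run the header check Kevin describes, as an added example that is not part of the original thread. The message below is constructed to resemble the e-mail in the first post; its Return-Path, Received lines and relay addresses are invented, and the list of DHL domains is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the e-mail in this thread; the envelope and
# relay details are invented for illustration, not captured headers.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@bulk-sender.invalid>
Received: from mail.bulk-sender.invalid (mail.bulk-sender.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP id ABC123
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.bulk-sender.invalid with SMTP
From: Deirdre Hand <hicksdd@varnalife.com>
Subject: DHL delivery notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="DHL_DOC.zip"
Content-Disposition: attachment; filename="DHL_DOC.zip"

(binary content omitted)
--b1--
"""

RISKY_SUFFIXES = (".zip", ".rar", ".exe", ".scr", ".pif")

def domain_of(header_value: str) -> str:
    """Bare, lower-cased domain of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def assess_message(raw: str, brand_domains=("dhl.com",)) -> dict:
    """Compare the claimed sender with the envelope sender and relay path and
    list attachments; returns evidence only, nothing is opened or extracted."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_domain = domain_of(msg.get("Return-Path"))
    # The token after "from " in each Received header is the relay that handed the mail on.
    relays = [v.split()[1] for v in msg.get_all("Received", []) if v.startswith("from ")]
    attachments = [p.get_filename() for p in msg.walk()
                   if p.get_content_disposition() == "attachment"]
    findings = []
    if not any(from_domain == d or from_domain.endswith("." + d) for d in brand_domains):
        findings.append(f"From domain {from_domain!r} does not belong to the claimed brand")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} differs from From domain")
    risky = [a for a in attachments if a and a.lower().endswith(RISKY_SUFFIXES)]
    if risky:
        findings.append(f"Archive or executable attachment: {risky}")
    return {"from_domain": from_domain, "return_domain": return_domain,
            "relays": relays, "attachments": attachments, "findings": findings}
```

Feed it the raw source of a real message ("show original" in most mail clients) and read the relay list bottom-up to see where the mail actually entered the network.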
 

jlee

Lifer
Sep 12, 2001
48,513
221
106
I got something like that "from" UPS or FedEx not too long ago. Can't remember if it was a zip or exe.
 

Chronoshock

Diamond Member
Jul 6, 2004
4,860
1
81
My spam folders get hundreds of "you missed your shipment" emails every month. I'm surprised you've never seen this before.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
30,938
12,440
136
Originally posted by: Gamingphreek
It could be a virus. The .zip might not actually be a .zip. If you have a Linux partition or LiveCD, boot up into it and extract it there. Look around at the files and see what comes out. In Windows, if you are concerned, scan it with antivirus software before you open it.

Also, you can look at the message headers and see if the E-Mail does, in fact, come from DHL.

Finally, given that you don't use DHL and didn't ship anything - it sounds like it is probably bogus. Unless you know what you are doing, don't do the stuff above.

-Kevin
or just use sandboxie, in which you can open a zip or run an app that is isolated from the OS.
 

santuitman

Platinum Member
Mar 6, 2001
2,355
0
0
They have a warning right on their telephone line. I happened to be calling about something else, and the first thing you hear is something about bogus email messages.
 

MotionMan

Lifer
Jan 11, 2006
17,312
12
81
Originally posted by: Chronoshock
My spam folders get hundreds of "you missed your shipment" emails every month. I'm surprised you've never seen this before.

Maybe my server-side spam scanner has caught them all before now (my e-mail runs through my bro-in-law's server). This is the first one I've seen like this.

MotionMan
 

MotionMan

Lifer
Jan 11, 2006
17,312
12
81
I just received the following e-mail from Michal Ambroz (DHL CZ):

Hello MotionMan,
I have found your message in the forum at
http://forums.anandtech.com/me...id=38&threadid=2288328

Would you happen to still be in possession of this email with the
original DHL_DOC.zip?
I am trying to track the activities of these attackers and I am still
missing this sample.

If you have the original email, could you please send it to me via email?
Please zip it with a password so that some antivirus on the way does not
delete it.

Thank you

Michal Ambroz
IT Security Consultant

Information Security Management
Production Services Prague
DHL Information Services (Europe) s.r.o.
IT Services Center
V Parku 2308/10
148 00 Praha 4 - Chodov
Czech Republic

Phone:
Mobile:
http://www.dhl.com
mailto:

However, I deleted the e-mail, so I do not have the file to send him.

MotionMan

7/21/11 EDIT: Edited Mr. Ambroz's e-mail address at his request.

MotionMan
 

Dualist

Platinum Member
Dec 5, 2005
2,395
0
86
Try scanning it with antivirus or antispyware software before extracting it, or vice versa. It should tell you whether or not it's a virus, spyware or adware.
 

Chronoshock

Diamond Member
Jul 6, 2004
4,860
1
81
My Yahoo mail spam folder was cleared recently, and my Gmail only has two fake shipment emails: one is a standard 401 scam and the other has a link to a spam site; neither has attachments. It's interesting you were contacted.
 

CZroe

Lifer
Jun 24, 2001
24,195
856
126
MotionMan: Even if you had never seen it before nor heard of it, there should be NO reason to make a post like this because the answer to your question is right in front of you, Google NOT required.

Stop being a pussy. You know a zip file isn't executable, right? Just open with an alternative decompression app to avoid the possibility of a buffer overflow in XP compressed folder support. Only worry about document data files if it is a format that can contain macros (in that case, open it in WORDPAD). If it's a PDF, well, then I don't know of any executable PDF files or Adobe Acrobat buffer overflow exploits so it would be safe to say that it's not a virus. If it's an executable or some kind of script, then DON'T OPEN IT. DHL has no reason to send you executable files or scripts and it would be entirely unprofessional to do so.

Originally posted by: wiredspider
They use .zip because some scanners do not look in "compressed" files.

It still doesn't explain why a user would willy-nilly run executable files inside... oh yeah! Because Microsoft not only fails to educate users as to the difference, but they actively HIDE this information. Way to go EMM ESS!
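A way to see what an archive like DHL_DOC.zip actually holds before anything inside it is opened, as an added example that is not from the original thread. The archive below is constructed in memory to stand in for the attachment, and the extension lists are assumptions; it checks that the file really is a ZIP, lists the entries, and flags double extensions and Windows executable headers hiding behind document names.

```python
import io
import zipfile

# Extensions Windows runs directly, and document types commonly used as the
# visible "outer" name in a double extension (both lists are assumptions).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}

def build_sample_archive() -> bytes:
    """Constructed in-memory stand-in for the DHL_DOC.zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_DOC.pdf.exe", b"MZ" + b"\0" * 64)  # double extension, PE header
        zf.writestr("report.pdf", b"MZ" + b"\0" * 64)       # PE bytes behind a .pdf name
        zf.writestr("invoice.txt", b"nothing to see here")
    return buf.getvalue()

def is_real_zip(data: bytes) -> bool:
    """A genuine ZIP starts with the local-file-header signature PK\\x03\\x04;
    an empty archive starts with the end-of-central-directory marker PK\\x05\\x06."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")

def inspect_archive(data: bytes) -> dict:
    """List entries without extracting them and flag the ones that would run as
    code if double-clicked. Only the first two bytes of each entry are read."""
    report = {"is_zip": is_real_zip(data), "entries": [], "suspicious": []}
    if not report["is_zip"]:
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["entries"].append(name)
            parts = name.lower().rsplit(".", 2)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in EXECUTABLE_EXTS:
                reason = "executable type"
                if len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS:
                    reason = "document extension hiding an executable"
                report["suspicious"].append((name, reason))
            elif magic == b"MZ":
                report["suspicious"].append((name, "Windows executable header behind a non-executable name"))
    return report
```

With "hide extensions for known file types" enabled, Explorer shows the first entry as "DHL_DOC.pdf", which is exactly the case the name check catches.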
 

MotionMan

Lifer
Jan 11, 2006
17,312
12
81
Originally posted by: CZroe
MotionMan: Even if you had never seen it before nor heard of it, there should be NO reason to make a post like this because the answer to your question is right in front of you, Google NOT required.

Stop being a pussy. You know a zip file isn't executable, right? Just open with an alternative decompression app to avoid the possibility of a buffer overflow in XP compressed folder support. Only worry about document data files if it is a format that can contain macros (in that case, open it in WORDPAD). If it's a PDF, well, then I don't know of any executable PDF files or Adobe Acrobat buffer overflow exploits so it would be safe to say that it's not a virus. If it's an executable or some kind of script, then DON'T OPEN IT. DHL has no reason to send you executable files or scripts and it would be entirely unprofessional to do so.

Originally posted by: wiredspider
They use .zip because some scanners do not look in "compressed" files.

It still doesn't explain why a user would willy-nilly run executable files inside... oh yeah! Because Microsoft not only fails to educate users as to the difference, but they actively HIDE this information. Way to go EMM ESS!

I am going to assume that you are not an incredible dick and, instead, I will assume that you simply missed the sarcasm/humor aspect of the OP.

But, thanks for playing anyway.

MotionMan
 

CZroe

Lifer
Jun 24, 2001
24,195
856
126
Originally posted by: MotionMan
Originally posted by: CZroe
MotionMan: Even if you had never seen it before nor heard of it, there should be NO reason to make a post like this because the answer to your question is right in front of you, Google NOT required.

Stop being a pussy. You know a zip file isn't executable, right? Just open with an alternative decompression app to avoid the possibility of a buffer overflow in XP compressed folder support. Only worry about document data files if it is a format that can contain macros (in that case, open it in WORDPAD). If it's a PDF, well, then I don't know of any executable PDF files or Adobe Acrobat buffer overflow exploits so it would be safe to say that it's not a virus. If it's an executable or some kind of script, then DON'T OPEN IT. DHL has no reason to send you executable files or scripts and it would be entirely unprofessional to do so.

Originally posted by: wiredspider
They use .zip because some scanners do not look in "compressed" files.

It still doesn't explain why a user would willy-nilly run executable files inside... oh yeah! Because Microsoft not only fails to educate users as to the difference, but they actively HIDE this information. Way to go EMM ESS!

I am going to assume that you are not an incredible dick and, instead, I will assume that you simply missed the sarcasm/humor aspect of the OP.

But, thanks for playing anyway.

MotionMan

I just needed a place to discuss my disappointment with Microsoft's policies and defaults. Looks like it made the news since yesterday.

http://www.dailytech.com/article.aspx?newsid=15061

Of course, I already commented.
 

randay

Lifer
May 30, 2006
11,019
216
106
Originally posted by: MotionMan
I just received the following e-mail from Michal Ambroz (DHL CZ):

Hello MotionMan,
I have found your message in the forum at
http://forums.anandtech.com/me...id=38&threadid=2288328

Would you happen to still be in possession of this email with the
original DHL_DOC.zip?
I am trying to track the activities of these attackers and I am still
missing this sample.

If you have the original email, could you please send it to me via email?
Please zip it with a password so that some antivirus on the way does not
delete it.

Thank you

Michal Ambroz
IT Security Consultant

Information Security Management
Production Services Prague
DHL Information Services (Europe) s.r.o.
IT Services Center
V Parku 2308/10
148 00 Praha 4 - Chodov
Czech Republic

Phone:
Mobile:
http://www.dhl.com

However, I deleted the e-mail, so I do not have the file to send him.

MotionMan

That's pretty funny. Hope this guy realizes how worms work and facepalms himself.
 

MotionMan

Lifer
Jan 11, 2006
17,312
12
81
7/21/11 Necro update:

Just got this e-mail:

Dear MotionMan,
Please, do you still have access to the forum here?
http://forums.anandtech.com/showpost.php?p=27895967&postcount=12

I would like to kindly ask you whether you could edit this post and
remove my email address and phone from it.

I understand that at the time of this virus campaign it could have been
useful for the followers of the forum to have the direct contact to me there.
Now, after 2 years, I am just receiving spam because of that post.

Thank you for understanding.

Best regards

Michal Ambroz
IT Security Consultant, gsm: , tel: (Prague)

I have edited the post.

MotionMan
 

ElFenix

Elite Member
Super Moderator
Mar 20, 2000
102,425
8,388
126
I think spam bots are probably smart enough to parse "username at domain dot com". I'm going to delete the whole thing. I can put it back later if need be. Also deleting from the quoted post. Deleted phone numbers too (thanks seepy!).
 