
Bredolab UPS_Invoice Blast

Over the past 16 hours, we’ve seen a sharp spike in the number of UPS_Invoice-themed malware samples being run and prevented on systems. We’ve seen this invoice scheme many times before, but the scam is still unfamiliar to many computer users. The files are often delivered as .zip attachments containing a malicious Bredolab downloader or Zbot password stealer. Again, this is the extracted file’s appearance after it is unzipped, when file extensions are not visible (a folder option). Compare it with the screenshot below. The difference is not obvious, unfortunately:

[Screenshot: UPS_Invoice_no_extensions]

And here is a screenshot with the extensions visible:

[Screenshot: UPS_Invoice]

Some of the names being used and designed to fool users include…

UPS_INVOICE_NR81913.ZIP
UPS_INVOICE_NR81913.EXE
UPS_invoice_NR43193.zip
UPS_INVOICE_NR43193.EXE
UPS_invoice_NR12090.zip
UPS_INVOICE_NR12090.EXE
UPS_invoice_NR74225.zip
UPS_INVOICE_NR74225.EXE
UPS_INVOICE_NR10124.ZIP
UPS_INVOICE_NR10124.EXE
UPS_INVOICE_NR85411.ZIP
UPS_INVOICE_NR85411.EXE
UPS_INVOICE_NR76225.ZIP
UPS_INVOICE_NR76225.EXE

Be sure to examine the contents of .zip files prior to attempting to open them. We will update this post as more information is available.
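One way to examine a .zip attachment's contents without opening anything inside it, as an added example that is not part of the original post. The list of executable extensions and the double-extension check are assumptions; the lure-name pattern is taken from the file names listed above, and the sample archive is constructed in memory with placeholder bytes.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumed list, not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Naming pattern taken from the file names listed in the post.
LURE_NAME = re.compile(r"^UPS_INVOICE_NR\d+\.(zip|exe)$", re.IGNORECASE)


def inspect_zip(source):
    """Return [(member, reasons)] for suspicious members; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():  # reads the archive directory only
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            stem, dot, ext = base.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
                # With extensions hidden, "report.pdf.scr" is displayed as "report.pdf".
                if "." in stem:
                    reasons.append("double extension")
            if LURE_NAME.match(base):
                reasons.append("matches UPS_INVOICE_NR<digits> lure name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed sample: an in-memory archive holding harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_INVOICE_NR81913.EXE", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"constructed test data")
        zf.writestr("docs/report.pdf.scr", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample()):
        print(name, "->", "; ".join(reasons))
```

`inspect_zip` also accepts a file path, so it can be pointed at a saved attachment before anything is extracted.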


One Response to Bredolab UPS_Invoice Blast

  1. Van Wiskur says:

    The trojan bredolab arrived on my computer on 1-20-10 with a file named: UPS_INVOICE_NR9745.exe
