The latest outbreak of virus-laden spam purports to be a message from UPS about an undeliverable package. The attachment is a ZIP file with an executable program inside that does something evil – blows up a cruise boat or something.

These messages appear and morph, and tomorrow this might be a message from FedEx or the IRS or anything else. Your first defense is your common sense: never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.


Many of my clients use Exchange Defender to filter out spam and viruses from incoming mail. Here’s the update on ED’s struggle with this new outbreak.

“It has been quite an evening at ExchangeDefender as we continue to fight the outbreak of the UPS trojan. You may have seen this:

Subject: UPS Tracking Number 6431834482

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

“What is interesting about this is that the message does look fraudulent to casual observers and people that do domestic business with UPS. However, we have encountered this format (with attachments and all) being used by UPS Commercial shipping departments in the past, which is why messages with the specific patterns received lower SPAM scores and were allowed through.

“We still stripped the attachments but the attachments inside the ZIP file are passing through AV scanners as the variants change. We are now up to over thirty definitions used to track this specific worm and have taken the following steps:

UPS messages are only processed if they come from UPS.

UPS Tracking numbers are only accepted as valid if they start with 1Z.

UPS messages instigate a callback function against UPS servers.

“Dealing with these extended rulesets and checks has made mail move a little slower today as we’ve dealt with the onslaught of messages while this worm becomes more prevalent. UPS is also issuing a warning on their behalf:


“We currently have this issue under control and it should not pose any further problems. However, expect the UPS messages to be taken with higher scrutiny and always warn users not to open executable attachments.”
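
The first two filtering steps listed in the quote above, plus a look inside ZIP attachments for executable file names, sketched in Python as an added example (this is not ExchangeDefender's code). It assumes "from UPS" means a sender address at ups.com, uses hypothetical function names, runs on a constructed sample message with an inert attachment, and leaves out the callback step because the post gives no details of it.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
TRACKING_RE = re.compile(r"tracking number\s+(\S+)", re.I)

def check_ups_message(raw: bytes) -> list[str]:
    """Return the reasons a message claiming to be from UPS should be held."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Rule 1: only process UPS mail that comes from UPS (assumed: ups.com).
    # The From header is forgeable; a real filter checks the authenticated sender.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != "ups.com" and not domain.endswith(".ups.com"):
        reasons.append("sender is not ups.com")
    # Rule 2: tracking numbers are only accepted if they start with 1Z.
    m = TRACKING_RE.search(str(msg.get("Subject", "")))
    if m and not m.group(1).upper().startswith("1Z"):
        reasons.append("tracking number does not start with 1Z")
    # Inspect ZIP attachments by member name, independent of AV signatures.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith(EXECUTABLE_EXT):
                    reasons.append(f"executable in ZIP: {name}")
    return reasons

def build_sample() -> bytes:
    """Constructed sample modelled on the quoted message; the payload is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "UPS <tracking@example.net>"
    msg["Subject"] = "UPS Tracking Number 6431834482"
    msg.set_content("Please print out the invoice copy attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="UPS_invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_ups_message(build_sample()))
```

Checking member names catches the executable even when a new variant has no antivirus definition yet, which is the gap the quote describes.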
