Been sent an email with a .exe attachment

[amnesia]

I have received an email from ups.com which I suspect is not actually from UPS.

The email reads :

Hello!



Unfortunately we failed to deliver the postal package youhave sent on the 15th of August in time because the recipient’s address iserroneous.

Postal Code parcel:"XXXXXXXXXXXX"



Please print out the invoice copy attached and collectthe package at our office.



UPS Express Services.

I have never used UPS for anything.

It is in plain text, with no logos embedded, and the attached file is a .zip with an executable called YOUR_INVOICE_COPY.exe in it. I have renamed it to .txt and opened it with UltraEdit but it's mostly gibberish. I can make out some registry entries in it and some reference to dynamic link libraries in it so I suspect it's dodgy.




Is there anything I can do (other than run the .exe) to find out what it does ?

Should I report it to UPS that someone is spoofing their email address ?




Any suggestions ?

 

[Piemaster]

Leave well alone. Bin it or if you are feeling public spirited forward it to UPS (if they have an address on their web site for that sort of thing).
Couriers I have dealt with (not sure if any have been ups, but certainly DPD) will just give you a tracking number to enter into their website. Stay clear of any links.

 

[amnesia]

Leave well alone. Bin it or if you are feeling public spirited forward it to UPS (if they have an address on their web site for that sort of thing).
Couriers I have dealt with (not sure if any have been ups, but certainly DPD) will just give you a tracking number to enter into their website. Stay clear of any links.

I know it's dodgy, but out of curiosity I want to find out what it would do if I were stupid enough to open it. I guess I could run it on an old stand alone machine with no internet connection... it must send some data somewhere, or email it. If I can find out where then the fun begins

 

[ianrauk]

it will no doubt be a Trojan of some sort. I would leave well alone and delete if I were you.

 

[amnesia]

Where's your sense of adventure ?

It is perfectly safe where it is... I just want to know how to reverse engineer the code so that I can have some fun

 

[2Loose]

Where's your sense of adventure ?

It is perfectly safe where it is... I just want to know how to reverse engineer the code so that I can have some fun

Get Oracle VirtualBox and install it, then install XP or something in it...Copy the virtualdisk file so you have a spare clean install to return to after the experiment...then open your email from within VirtualBox.

Gotta love watching your (virtual) machine get taken down

 

[ColinJ]

I received some weird fake UPS messages last year and when I mentioned them on the forum, CC member Mista Preston asked me for more details because he works for UPS and has to deal with such stuff. Why not PM him about it?

 

[ian turner]

Various delivery firms names attached to this. Also a variant claiming you have been zombified as part of a bot net and your broadband cut off to stop you broadcasting spam, details in the attachment.
Given you didn't know what the attachment would do you have less chance of "reverse engineering" the code than the sender had of writing it in the first place given that most of the malware is generated by software purchased from folks who just write the generators and don't do the illegal part.
Reverse Engineering

 

[swee'pea99]

Always google anything like this. Then delete. Bad Stuff.

 

[thomas]

Leave it well alone and delete it! It is a spoof email and the .exe will be a virus.

Only open it if you fancy having your bank details, personal contacts, etc, all stolen, sold and traded. Something tells me you don't really fancy any of that.

 

[Carwash]

Get Oracle VirtualBox and install it, then install XP or something in it...

Gotta love watching your (virtual) machine get taken down

Aaand the relevant xkcd is: http://xkcd.com/350/

 

[amnesia]

I received some weird fake UPS messages last year and when I mentioned them on the forum, CC member Mista Preston asked me for more details because he works for UPS and has to deal with such stuff. Why not PM him about it?

Cheers - will do