Spamvertised ‘DHL Package delivery report’ emails serving malware

By Dancho Danchev

Cybercriminals are currently spamvertising millions of emails impersonating DHL in an attempt to trick end and corporate users into downloading and executing the malicious .zip file attached to the emails.

More details:

Sample message: “Dear NAME, with this message we notify you that shipment at your destination, tracking ID #RANDOM_NUMBER, has FAILED due to an address mismatch. To claim your delivery please print out the attached document and contact DHL US support. Feel free to contact us with further questions. If you would like to speak to a DHL Express Support Agent, please call the DHL Service Desk at 1-800-527-7298.”

Spamvertised attachment: DHL report.exe – MD5: 15451d2c4b1630ddf0a2e7414c84b9dd – detection rate: detected by 25 out of 41 antivirus scanners as Gen:Variant.Kazy.74567.

Upon execution, the sample modifies the registry [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] -> SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe” so that its dropped copy, named svchost.exe and placed in the All Users profile directory rather than in System32 where the legitimate binary lives, runs every time Windows starts.
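As an added illustration (not code from the post or from Webroot), the persistence entry above can be spotted by checking Run-key values for an svchost.exe image that does not live in the Windows system directories; the sample registry export, the environment-variable values and the value names other than SunJavaUpdateSched are constructed here for demonstration.

```python
import ntpath
import re

# Constructed sample of `reg query HKLM\...\Run` output; only the
# SunJavaUpdateSched entry mirrors the post, the rest is made up.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    SunJavaUpdateSched    REG_SZ    %AllUsersProfile%\svchost.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    ServiceHost    REG_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
"""

# Assumed environment values used for expansion (placeholders, not a live host).
ENV = {"windir": r"C:\Windows", "SystemRoot": r"C:\Windows", "AllUsersProfile": r"C:\ProgramData"}

# Directories where the genuine svchost.exe is expected to reside.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def expand(value):
    """Expand %VAR% references using the assumed ENV map."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), value)

def parse_run_entries(text):
    """Return (value name, command) pairs from reg query style output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries

def image_path(command):
    """Strip quoting and arguments, leaving only the executable path."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) != -1:
        return command[1:command.find('"', 1)]
    return command.split()[0]

def suspicious_run_entries(text):
    """Flag Run entries that launch an svchost.exe outside the system directories."""
    flagged = []
    for name, command in parse_run_entries(text):
        path = expand(image_path(command))
        directory, base = ntpath.split(path)
        if base.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
            flagged.append((name, path))
    return flagged
```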

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

3 thoughts on “Spamvertised ‘DHL Package delivery report’ emails serving malware”

  1. Dear Mr. Dancho Danchev and Webroot Team:

    Thanks a lot. I appreciate so much your help with your comments and advice. I am an old user of Webroot, now SecureAnywhere, and I do not have any complaint in using it in my work computer; it runs smoothly with no interference with other antivirus programs like Norton Symantec Endpoint Protection.

    Just great help, no doubt !!!!

    Congratulations for your expertise and thanks again.

    Ricardo Lomelin

  2. Pingback: Spamvertised ‘Your order confirmation’ emails serving client-side exploits and malware « Webroot Threat Blog

  3. Pingback: Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware « Webroot Threat Blog
