The email may carry the FedEx logo and a fairly clean layout; however, the subject line & sender details should serve as a red flag that something is amiss. Here’s the email:
Subject: Tracking Detail (170)10-170-170-6365-6365
From: Priority Shipping Service (user.p[at]seattle.com)
Order Date: Tuesday, 26 November 2012, 10:17 AM
Your parcel has arrived at the post office at November 28. Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
The hyperlink included in the email doesn’t point to fedex.com but to a third-party site that automatically downloads the file Postal-Receipt.zip onto your computer.
Unsurprisingly, Postal-Receipt.zip doesn’t contain your postal receipt but malware, identified by ESET Endpoint Antivirus as Win32/TrojanDownloader.Zortob.B (which I refer to simply as “Zortob.B”).
Zortob.B (detected by Microsoft as Win32/Kuluoz!zip) is often attached to fraudulent delivery notices like the one shown above; should it successfully infect your machine, it will attempt to steal login credentials and files from your computer.
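The red flags described above (a sender domain that has nothing to do with the brand named in the message, a link that leads somewhere other than fedex.com, and a link that fetches an archive) can be checked mechanically at the mail gateway or in a triage script. The script below is an added example, not code from the original post or from any vendor; it parses a constructed message modelled on the one quoted above (the link target is a reserved example domain, and the brand-to-domain mapping is an assumption for this example) and reports each heuristic that fires.

```python
"""Heuristic triage for brand-impersonating delivery-notice emails.

Added example, not from the original post. It applies the red flags the
post describes (sender domain does not match the claimed brand, link
points somewhere other than the brand's domain, link fetches an archive
or executable) to a constructed sample message.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the heuristic recognises and the domains they legitimately use.
# Constructed mapping for this example; extend it for your environment.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
}

# Constructed sample modelled on the message quoted in the post.
# example.net is a reserved documentation domain, not a real site.
SAMPLE_EMAIL = """\
From: Priority Shipping Service <user.p@seattle.com>
Subject: Tracking Detail (170)10-170-170-6365-6365
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your parcel has arrived at the post office at November 28.</p>
<p><a href="http://example.net/dl/Postal-Receipt.zip">GET POSTAL RECEIPT</a></p>
<p>Best Regards, The FedEx Team.</p>
</body></html>
"""

# File types that a delivery notice has no business linking to.
RISKY_SUFFIXES = (".zip", ".exe", ".scr")


class LinkExtractor(HTMLParser):
    """Collects the href target of every anchor tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _host_matches(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return a list of red-flag descriptions for an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # Sender domain from the From header (display name is ignored).
    _, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rpartition("@")[2].lower()

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()

    # Which known brand does the message claim to come from?
    claimed = [brand for brand in BRAND_DOMAINS if brand in text]

    for brand in claimed:
        if not _host_matches(sender_domain, BRAND_DOMAINS[brand]):
            flags.append(f"sender domain '{sender_domain}' does not belong to {brand}")

    extractor = LinkExtractor()
    extractor.feed(body)
    for link in extractor.links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        filename = parsed.path.rsplit("/", 1)[-1]
        for brand in claimed:
            if not _host_matches(host, BRAND_DOMAINS[brand]):
                flags.append(f"link to '{host}' while claiming to be {brand}")
        if filename.lower().endswith(RISKY_SUFFIXES):
            flags.append(f"link fetches an archive or executable: {filename}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Run against the constructed sample, `triage` reports three findings: the sender domain seattle.com does not belong to FedEx, the link leads to a host outside fedex.com, and the link fetches Postal-Receipt.zip. A genuine notice sent from a fedex.com address and linking only to fedex.com pages produces no findings, so the same check can be used as a gateway rule without flagging legitimate tracking mail.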
Protect Your PC from the Zortob.B Trojan
Since Zortob.B is often delivered via malicious spam, it is strongly recommended that you:
- Avoid downloading files or clicking links attached to unsolicited emails.
- Always run antivirus software that offers real-time scanning.
- Use your computer under a user account with limited privileges.
- Keep your operating system and installed software fully patched & up-to-date.
Removing a Zortob.B Infection
If you suspect that your system may have been infected with the Zortob.B Trojan, it is recommended that you run a full system scan with an up-to-date antivirus solution. We recommend using antivirus products offered by one of the following vendors, which are known to be capable of detecting this threat: