Fake DHL Spam contains fake Windows Update

Malware which is spammed within emails that fake DHL or UPS mails is nothing new. We receive such emails very often, and in most cases the malware attached is a Trojan of the Zbot/ZeuS family which tries to gather online banking account data. In this case the Trojan is part of the Oficla family though, a Trojan which downloads further malicious code after execution.

The email which is spammed by the malware authors uses the social engineering trick that DHL was not able to deliver a package to the user’s address.

After starting the unpacked Windows executable file from the archive, the Trojan downloads a fake antivirus (FakeAV) installer which copycats a Microsoft Windows Update window. The malware authors have been very creative, they added a knowledge base number from Microsoft (which doesn’t exist, by the way) and they even added a description for the “System Security Pack Upgrade”.

After the victim has installed the “upgrade”, the fake antivirus software called “Antimalware Doctor” is starting to search for malware on the computer – and of course finds malware during that task.

As usual for a FakeAV, at the end of the scan, a result window appears which shows that the system is infected and that you need to buy a registered version to remove these infections.

In the end the user has the decision to “continue unprotected” or to “Remove Threats”. When selecting “Remove Threats” to purchase a license, the user gets redirected to the website of the FakeAV authors.

In order to create more trust in the product on the user side, the malware writers put up plenty of renowned awards like “Laptop editors choice” or “Softpedia”. The FakeAV is quite expensive with 43,65 € for one year of absolutly no protection for our taste.

On the bright side, Avira anti malware solutions are protecting from this threat. Avira products detected it as TR/Dldr.FraudLoad.qyk.

Sven Carlsen
Virus Researcher