Simple Fix For The New UPS Virus

Created: 15 Jul 2008 • Updated: 06 Sep 2010 | 14 comments

I'm a tech, and one of our clients unfortunately opened the attachment on the new UPS virus; everything went nuts! Here are the steps I performed to remove it. I've run multiple scans since with Symantec and everything else and came up clean.

**Note:** Right-click My Computer and go to Properties, click the System Restore tab and turn it off; otherwise you're saving your virus!

1: Delete the email from the Sent Items, Inbox, Outbox and Deleted Items folders in Outlook.

2: Delete every file (not folders) from your "C:\Documents and Settings\yourusername\Local Settings\Temp" folder (I suggest using Spybot's file shredder with a 5-pass overwrite).

3: Reboot and rerun a few cleanup scans with your anti-spyware/malware tools and then with your antivirus, and you should be good to go.

Simple as that!

14 Comments

gagirl wrote:

Yeah, like an idiot I opened the email also, and now my computer has gone crazy. I can't even log on. Every time I do, it logs me off and reboots. You got a solution for that?

realmsman wrote:

Try Safe Mode, or use a Winternals disk and go in that way.

Smileyville wrote:

I ran across your thread due to issues with my Endpoint client. However, you caught my attention, and I was looking for information on this virus so I can pass it to my users and avoid what you experienced. However, I don't see it listed; do you know what the actual name is for this virus?

Thanks.

David-Z wrote:

Found an article with some information on this:

http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm

Hope that helps!

Message Edited by David-Z on 07-16-2008 12:12 PM

David Z.

Senior Principal Technical Support Engineer, Symantec Corporation

Enterprise Security, Mobility and Management

Paul Murgatroyd wrote:

I was "lucky" enough to receive this on my home email system; SEP detects it as "Downloader".

hth

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

NL 2 wrote:

Preliminary removal: Use msconfig in Safe Mode; there are simple startup items to uncheck. They will be obvious: buritos.exe and braviax.exe in my case.

Summary: An attachment claiming to be an invoice zip to be printed and taken to UPS to claim an undelivered package.

Experience detail: One of my users opened the email and was infected by this virus. Symantec Antivirus 10.1.6.6000 did not pick it up. After manual removal, Symantec Antivirus was no longer operational, and after two hours on the phone with Symantec Support, we still could not reinstall SAV or SEP. See the external link below; I found an article which states that only 8 out of 34 antivirus engines picked this up. F-Prot calls it W32/Agent.HFN. After two hours, unable to reinstall any Symantec protection, even after running cleanup tools and completely removing all Symantec traces from the hard drive and registry, AVG installed in five minutes and immediately recognized and removed the infected attachment from the email.

Current status: LiveUpdate will not install on this machine now, and causes SEP and SAV installs to fail. Cannot install it as a standalone download, version 3.3, either. A work in progress!

External references: http://blog.mxlab.be/2008/07/20/ups-tracking-number-trojan/

sLIVER wrote:

gagirl wrote:

> Yeah, like an idiot I opened the email also, and now my computer has gone crazy. I can't even log on. Every time I do, it logs me off and reboots. You got a solution for that?

The virus sometimes deletes the userinit value from the winlogon key in the registry.

Run regedit and go to the following key:

HKLM\software\microsoft\windows nt\currentversion\winlogon

Make sure the string key is there:

Userinit    REG_SZ   C:\WINDOWS\system32\userinit.exe,

(Yes, the comma is there.)

You can add this line in if it's missing; just make sure the file still exists in the Windows system32 directory, as sometimes it gets moved to the quarantine folder.

Message Edited by sLIVER on 07-24-2008 10:09 AM

That Admin Guy wrote:

One of my users opened an attachment with this virus today (.zip file) and clicked the .exe.

You know the consequences ... ;-)

In addition to buritos.exe and karina.dat (both of which are found at multiple locations), I also found the userinit registry setting, which had been modified (see post above).

Moreover, it seemed beep.sys had been corrupted. You should delete beep.sys (in system32\drivers and system32\dllcache) and replace it with a clean version.

After getting rid of the corrupted beep.sys, the taskbar notification "click to install anti-spyware software" seemed to disappear, and I was finally able to reinstall Symantec AntiVirus.

Gerry1222 wrote:

After following all the above instructions, when I tried to log in I only got an empty desktop. No Start menu or icons. I could only press Ctrl-Alt-Del to get the Task Manager. Explorer was not running. Trying to run it got the message that it could not be found, even if I browsed to the program. I re-installed XP from the CD using the repair option; still the same thing. If I renamed explorer.exe to explorer2.exe I could run it. Got things to work by changing the Shell option in HKLM\software\microsoft\windows nt\currentversion\winlogon. I copied explorer.exe to explorer2.exe and changed the Shell option to c:\windows\explorer2.exe. Still looking for what is disabling explorer.exe.

Gerry1222 wrote:

Found out why explorer.exe wouldn't run. The virus added an entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe. This is apparently a feature for debugging. When explorer.exe is called, whatever is entered here runs instead of the named program. All you have to do is delete it. And of course change my Shell back to explorer.exe; see previous post. Good luck.

Gerry1222 wrote:

Deleted HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, then changed the Shell back to explorer.exe. Now it works.
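Pulling together the checks from sLIVER's post (the Userinit value), That Admin Guy's post (beep.sys) and Gerry1222's posts (the Shell value and the Image File Execution Options entry), here is an added example script, not written by anyone in this thread, that audits those locations and reports deviations instead of editing anything. It assumes Windows PowerShell 3 or later run from an elevated prompt; the expected default values are assumptions for a stock install, and the dllcache folder used for the beep.sys comparison only exists on Windows XP and Server 2003.

```powershell
# Added example, not from the thread. Audits the Winlogon values, IFEO debugger
# entries and beep.sys that posts above report being tampered with. Run elevated.
# Assumptions: $expected matches a stock install; dllcache exists only on XP/2003.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'system32'

# Expected Winlogon values (assumed defaults). The trailing comma on Userinit is normal.
$expected = @{
    Userinit = (Join-Path $system32 'userinit.exe') + ','
    Shell    = 'explorer.exe'
}

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Winlogon: a missing Userinit gives the logoff-right-after-logon loop gagirl
#    describes; a changed Shell replaces the desktop. -ne is case-insensitive here.
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ([string]::IsNullOrEmpty($actual)) {
        $findings.Add("Winlogon\$name is missing; expected '$($expected[$name])'")
    } elseif ($actual -ne $expected[$name]) {
        $findings.Add("Winlogon\$name is '$actual'; expected '$($expected[$name])'")
    }
}

# 2. IFEO: a Debugger value under <program>.exe makes Windows start that debugger
#    instead of the program. Every such entry is reported so it can be reviewed.
if (Test-Path $ifeo) {
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if ($dbg) {
            $findings.Add("IFEO\$($sub.PSChildName) has Debugger = '$dbg'")
        }
    }
}

# 3. The files Winlogon points at must still be in place (sLIVER notes that
#    userinit.exe sometimes ends up in a quarantine folder).
$mustExist = @(
    (Join-Path $system32 'userinit.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)
foreach ($path in $mustExist) {
    if (-not (Test-Path $path)) { $findings.Add("File missing: $path") }
}

# 4. beep.sys: compare the live driver with the protected copy in dllcache.
function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose() }
}
$live  = Join-Path $system32 'drivers\beep.sys'
$cache = Join-Path $system32 'dllcache\beep.sys'
if ((Test-Path $live) -and (Test-Path $cache)) {
    if ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)) {
        $findings.Add('beep.sys in system32\drivers differs from the dllcache copy')
    }
} elseif (-not (Test-Path $live)) {
    $findings.Add("File missing: $live")
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations found in Winlogon, IFEO or beep.sys.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reads; once a finding is confirmed, the fix is the manual one the posts describe (restore the value, delete the IFEO subkey, replace the driver from a known-good copy). A legitimately customised Shell or a developer's own IFEO debugger entry will be reported too, which is the point of reviewing rather than auto-deleting.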

Denithor wrote:

Please do not try to use msconfig to "fix" startup items. Yes, it will temporarily make the startup item go away, but it is a bad practice to use on a regular basis.

Refer to http://support.microsoft.com/kb/310560 and actually read the whole article if you want to know why not to use msconfig.

Many times, the virus will be using that method to take control of your computer. You want msconfig to be in Normal startup mode to ensure that viruses/malware/spyware are not using it as a means to propagate themselves.
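Denithor's point is that msconfig only hides a startup entry rather than removing it, and NL 2 found buritos.exe and braviax.exe among the startup items. As an added example, not code from any poster in this thread, the following script lists the Run/RunOnce keys and Startup folders that feed msconfig's Startup tab and flags entries whose target is missing or lives in a temp or profile-data directory, so they can be reviewed and removed at the source. It assumes Windows PowerShell 3 or later run elevated (for the HKLM keys); the "odd location" patterns are a heuristic of this example, not a definition from any vendor.

```powershell
# Added example, not from the thread. Enumerates common autostart entries and
# flags the ones worth a closer look. Run elevated to read the HKLM keys.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (an assumption of this example): programs launched from these
# directories are unusual for legitimate startup items.
$oddLocations = '\\(Temp|Local Settings|Application Data|AppData|Recycler|\$Recycle\.Bin)\\'

# Properties Get-ItemProperty adds that are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable path out of a command line: the quoted first token, or
# everything up to the first space. Environment variables are expanded first.
function Get-ExecutablePath([string]$commandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($commandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ', 2)[0]
}

function Test-SuspiciousEntry([string]$commandLine) {
    $exe = Get-ExecutablePath $commandLine
    if ([string]::IsNullOrEmpty($exe)) { return $true }
    # An unquoted path with spaces arrives truncated here and fails Test-Path;
    # that is reported too, since it deserves a look either way.
    return (-not (Test-Path -LiteralPath $exe)) -or ($exe -match $oddLocations)
}

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $entries += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousEntry ([string]$p.Value)
        }
    }
}

# Startup folders: shortcuts (.lnk) are the norm; a bare executable or script
# dropped straight into the folder is flagged.
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer }) {
        $entries += [pscustomobject]@{
            Location   = $dir
            Name       = $item.Name
            Command    = $item.FullName
            Suspicious = ($item.Extension -match '^\.(exe|bat|cmd|vbs|js|scr)$')
        }
    }
}

$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged here are removed by deleting the registry value or the file itself, which is what msconfig's checkbox avoids doing; services, scheduled tasks and the Winlogon values are separate autostart paths that this listing does not cover.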

LIAMT wrote:

I find it staggering that Endpoint still cannot protect against this virus... even though it is 3 months old!

We are currently looking at much better AV packages now, as we cannot trust Endpoint for protection any more!

Bad form, Symantec - lost another customer!

jeshurun wrote:

I woke up this morning and found this email in my spam folder. So I googled around and found this thread. Wondering what all the excitement was about, I eagerly opened the zip file and double-clicked the exe file. Nothing. So I tried it again, but still nothing. Then it suddenly dawned on me that I was running Ubuntu, and these LINUX boxes don't run these things. Damn it! Good luck with cleaning up, people... Hope you consider switching to open source alternatives, at least on days like these.