Here’s another sample of what’s not safe to open.
Again, the clues are clear, if you’re careful before you click:
- There are punctuation and grammar errors in the message.
- The link shown when you hover the mouse over the ‘Print Label’ link doesn’t match the ‘from’ domain, and isn’t Fedex.com.
- A European date format is used by a US-based company.
- The logo is a bad, jagged paste, and is missing the circle-R symbol for ‘registered trademark’.
- FedEx has no pickup service at their competitor, the “nearest” US Post Office.
Now, that’s already enough information to make me delete the email, but I’ll look a little deeper:
I downloaded the “label” to look; it was “Shipping_Label_US_Westminster.zip” and it held one file, “Shipping_Label_US_Westminster.exe”.
The antivirus I’m running didn’t object to either file; it probably can’t detect today’s variation yet.
I looked inside that file with an extraction program, and found a .rsrc folder, and files .text, .rdata, .data. Inside the folder there were two .ico files, basically desktop icons.
That’s enough to tell me that it appears to be a script to install software. It’s clearly not a label; that would be a PDF or a JPG image.
IMO, the most likely payload would be a rogue/fake security program, either scare-ware or blackmail-ware. The message itself isn’t infectious; just don’t click that link.
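The two checks above, comparing the link’s host with the sender’s domain and looking inside the “label” ZIP for an executable, can be scripted. This is an added example, not code from the original post; the message text, the link host and the ZIP contents are constructed, and “label-pickup.example” is a placeholder.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Extensions that mean "this runs code", whatever icon Windows shows for it.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}

def link_mismatches(html: str, sender_domain: str) -> list:
    """Return (link text, link host) for every <a> whose host is neither the
    sender's domain nor a subdomain of it: the 'hover and compare' check."""
    sender_domain = sender_domain.lower()
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            found.append((re.sub(r"<[^>]+>", "", text).strip(), host))
    return found

def zip_executables(data: bytes) -> list:
    """Return ZIP members that are executables, judged by extension and by the
    'MZ' signature every Windows PE file starts with (a PDF starts with '%PDF')."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""
            with zf.open(info) as fh:
                magic = fh.read(2)
            if ext in EXEC_EXTENSIONS or magic == b"MZ":
                hits.append(info.filename)
    return hits

# Constructed sample message; the 'Print Label' host is a placeholder.
SAMPLE_HTML = ('<p>Your parcel could not be delivered.</p>'
               '<a href="http://label-pickup.example/print?id=1">Print Label</a> '
               '<a href="https://www.fedex.com/tracking">Track</a>')

def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the post: a 'label' ZIP holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Label_US_Westminster.exe", b"MZ" + b"\0" * 62)
        zf.writestr("readme.txt", b"Print the label and bring it to the office.")
    return buf.getvalue()

if __name__ == "__main__":
    print(link_mismatches(SAMPLE_HTML, "fedex.com"))   # flags the 'Print Label' link
    print(zip_executables(build_sample_zip()))         # flags the .exe inside the ZIP
```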
Jerry Stern is webmaster at PC410.com and Startupware.com.