US Postal Service Email Spam

November 8, 2011

The SonicWALL UTM Research team has received reports of a new spam campaign, spreading in the wild, that pretends to come from the US Postal Service. The messages carry a new variant of the Dofoil Trojan, which SonicWALL blocks as GAV: Dofoil.L. This malware also downloads other malicious components, including trojans and FakeAV malware.

Sample e-mail subjects used by the spam campaign include the following:


  • USPS Shipment Status IDxxxxxxxx
  • USPS service. Get your parcel IDxxxxxxxx
  • USPS Invoice copy IDxxxxxxxx
  • USPS Tracking number IDxxxxxxxx

Attachment: Post_Label#id{Random Numbers}.zip

The ZIP attachment contains a malicious executable that disguises itself with a Microsoft Word icon, as shown below:
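The lure and attachment characteristics above are enough to write a simple mail-gateway triage check. The following is an added example, not SonicWALL's own code or signature logic; the pattern names, the scoring threshold and the embedded sample ZIP are constructed for illustration.

```python
import io
import re
import zipfile

# Subject pattern seen in the campaign: "USPS ... IDxxxxxxxx" (an 8-digit ID at the end).
SUBJECT_RE = re.compile(r"^USPS\b.*\bID\d{8}$", re.IGNORECASE)
# Attachment naming described in the advisory: Post_Label#id{Random Numbers}.zip
ATTACHMENT_RE = re.compile(r"^Post_Label#id\d+\.zip$", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def zip_executables(zip_bytes: bytes) -> list:
    """Return the member names inside a ZIP that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP attachment is handled elsewhere; nothing to report here.
        return []


def triage(subject: str, attachment_name: str, attachment_bytes: bytes) -> dict:
    """Score one message against the campaign's lure, naming and payload traits."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append("subject matches USPS lure pattern")
    if ATTACHMENT_RE.match(attachment_name):
        reasons.append("attachment name matches Post_Label#id<digits>.zip")
    exes = zip_executables(attachment_bytes)
    if exes:
        reasons.append("zip contains executable(s): " + ", ".join(exes))
    # Assumed threshold: any two of the three traits together is enough to quarantine.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachment: a harmless stub, not a real campaign sample.
SAMPLE_ZIP = build_zip({"Post_Label.exe": b"MZ" + b"\0" * 62})

if __name__ == "__main__":
    print(triage("USPS Tracking number ID12345678", "Post_Label#id83271.zip", SAMPLE_ZIP))
```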


Example of the email spam:


If the user downloads and executes the malicious executable inside the zip attachment, it performs the following activity:

  • Creates an SVCHOST.EXE process and injects its code into it.
  • Creates a copy of itself as %Application Data%\csrss.exe and deletes the original executable file.

Downloads other malware:

  • %windir%\system32\msrepl40A.exe - [ detected as GAV: Swisyn.JYB (Trojan) ]
  • %windir%\system32\wbcache8.exe - [ detected as GAV: Swisyn.JYB (Trojan) ]
  • sl20.exe - [ detected as GAV: EncPk.WX_3 (Trojan) ]
  • setup.exe - [ detected as GAV: Pirminay.ANW (Trojan) ]
  • 574-01.exe - [ detected as GAV: FakeAlert.BHX (Trojan) ]
  • sssss.exe - [ detected as GAV: Danmec.L (Trojan) ]

Added Registry:

  • Key: HKEY_CURRENT_USER\Software\gtwbetugt
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Epsilon Squared
    Data: "%Application Data%\csrss.exe"
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: TKYDMYTE
  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Value: Dbft

Network Activity:

HTTP GET Requests:

  • http://live{REMOVED}
  • http://suteki{REMOVED}
  • http://image{REMOVED}

DNS Requests:

  • http://live{REMOVED}

Hosts File Modification:

The malware adds the following entries to the hosts file to block access to torrent websites.



After installing the FakeAV application, it shows a fake Windows error alert, as seen below:




Clicking the "Scan and fix" button runs a bogus error scan and shows a fake result:


Clicking the "Fix Errors" button prompts the user to buy the fake security software.


SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dofoil.L#email (Trojan)
  • GAV: Dofoil.L (Trojan)
  • GAV: Swisyn.JYB (Trojan)
  • GAV: EncPk.WX_3 (Trojan)
  • GAV: FakeAlert.BHX (Trojan)
  • GAV: Danmec.L (Trojan)