Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: DHL tracking number emails contain malware (Troj/Bckdr-QSL)

24 Mar 2009   #1

DHL tracking number emails contain malware (Troj/Bckdr-QSL)

Quote   Quote: Originally Posted by
Once again the bad guys are hard at work, spamming out dangerous emails. This morning it's emails which claim to come from DHL, saying they were not able to deliver a postal package you sent on 14th of March because the recipient's address was incorrect.

DHL delivery malicious email

Of course, the emails are not really from DHL.

If you open the file inside the attachment (called you will be infected by the Troj/Bckdr-QSL backdoor Trojan horse, which will attempt to take control of your PC.
DHL tracking number emails contain malware | Graham Cluley's blog

My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything, at first, until she had already run the executable inside the ZIP file, and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans and backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE redirecting it to a local 'server' running on port 7171, and going from there.

The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs) and you can follow the instructions at Sophos - Removing Trojans including the downloading of the IDEs from Sophos - Download latest virus identity (IDE) files to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings (a painstaking 1 hour 25 minute process - We checked *everything* and I had he change some settings that would make her IE a little bit safer) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.

Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.

Just to give you and idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....

EDIT: Added the following:

Also, Sophos found 1 item corrupt (word doc), 1 was PW protected (a legitimate PW protected Excel spreadshhet - she's a mortgage officer), and a third that it was unable to remove (Major malware) - and it removed 3 viruses.

Then, MBAM comes back and finds *all* of these:

Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/24/2009 3:53:10 AM
mbam-log-2009-03-24 (03-53-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207109
Time elapsed: 49 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.

My System SpecsSystem Spec
24 Mar 2009   #2

Win7, Ubuntu 8.04, Mandriva Powerpack 09

Thanks johngalt.

My g/friend manages at DHL (Heathrow) and she sent your post to their IT security in Praque.

But I expect they know by now ...
My System SpecsSystem Spec
24 Mar 2009   #3


I wold hope so - Sophos found that thing *fast*.

Good news for users of MBAM - the newest definitions in MBAM now detect this little puppy thanks to my submission early this morning.
My System SpecsSystem Spec

24 Mar 2009   #4

Win7 Ultimate x64 on Desktop / Win7 Ultimate x86 on laptop / Win7 x86 Starter on Netbook

Thanks for the warning. :)
My System SpecsSystem Spec
25 Mar 2009   #5

DHL tracking emails - request for update on malware, pls

Would greatly appreciate any tips on how to deal with possible infection Which vendors have released solutions, removal programs? Many thanks in advance
My System SpecsSystem Spec
27 Mar 2009   #6


MalwareBytes Anti-Malware as I noted above, and Sophos, as I also noted above.
My System SpecsSystem Spec

 DHL tracking number emails contain malware (Troj/Bckdr-QSL)

Thread Tools

Similar help and support threads
Thread Forum
High number of TCP connections = malware?
Hi everyone, I have noticed that there is an unusually high number of TCP connections to my computer. Resource Monitor shows that I have an average of 50 TCP connections at any given time, even when the computer is idle. Also, the majority of the connections have no PIDs (process ID numbers),...
System Security
Looking for mobile number location tracking software
Hey everyone! i wante a software which can help me to detect the location of the mobile number. if any good program is in your knowledge so please tell me.
Pls, whose scans will detect this and who has a removal program? Thanks
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 16:52.
Twitter Facebook Google+