UPS Scam Email with Trojan Malware: "FFF Service! Package is available for pickup!"

"United Parcel Service notification with attached zip file: United Parcel Service"

Have you received an email appearing to be from "United Parcel Service (", telling you that "United Parcel Service notification with attached zip file: United Parcel Service"; with an attachment, saying "Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the United Parcel Service ( office in order to receive the packages"

It is a scam and malware.  If you click to open the attached file (typically, it is a zip file), you will open a virus or other malware.  One report from says the email contains the zip archive, which once extracted, opens a Trojan, the 36 kB large file UPSINVOICE.exe.

Opening the attached file can install a trojan on the user's computer. Once installed, the trojan can send information to malicious servers and may download other malware.

The scammers rely on the fact that many recipients may open the attachment out of simple curiosity or concern. You should always be very cautious of any unsolicited emails that claim that a package delivery has failed or been returned. No legitimate delivery company will send notice of a failed delivery via an unsolicited email. Especially not with an attachment.

Sample Scam and Malware Email: United Parcel Service (

March 23, 2011, CFR received the following email, with the subject:

 United Parcel Service notification:


-----Original Message-----
From: UPS Express  []
Sent: Friday, April 26, 2013 9:48 AM
Subject: USPS delivery failure report



The courier company was not able to deliver your parcel by your address.


Cause: Error in shipping address.


You may pickup the parcel at our post office.


Please attention!

For mode details and shipping label please see the attached file.

Print this label to get this package at our post office.


Please do not reply to this e-mail, it is an unmonitored mailbox!


Thank you,

UPS Logistics Services.



This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

How to identify the scam and malware

The email is typically sent from a spoofed address, making it look like: 'United Parcel Service <>' where ABC could be any of the following:



What happens if you open the attached ZIP file?

The email contains the zip archive, once extracted the 36 kB large file UPSINVOICE.exe is available. The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

The following files are created:


Recommendations- What to do:

  • Only open email or IM attachments that come from a trusted source and that are expected
  • Use an anti-virus/anti-spam package (we recommend Norton 360 or Norton Internet Security scan all attachments prior to opening. Click here to see Norton 360 2013 on .
  • Delete the messages without opening any attachments
  • Do not click on links in emails that come from people you do not know and trust, even if it looks like it comes from a company you know.
  • Keep your anti-virus software up to date
  • Keep your operating system up to date with current security patches. Click here for an article that describes how to do this.

And please let us know about any suspicious calls or emails you receive.  We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!

For a comprehensive list of national and international agencies to report scams, see this page./a>