Apr 5, 2011 09:58 GMT

Security researchers warn of a new malware distribution campaign that sends emails with malicious attachments posing as delivery notifications from DHL.

The rogue emails have the subject "DHL Express Services" and their headers have been forged to appear as originating from a @dhl.com address.

They inform recipients that their package is on its way and tell them to read the attached document for more information and to obtain the tracking number. The enclosed message reads:

"Dear customer. The parcel was sent to your home address. And it will arrive within 3 business day. More information and the tracking number are attached in document below. Thank you."

The attached document is called dhl.zip and contains an executable file of the same name, which is a trojan downloader.

This threat is responsible for downloading additional malware including a fake antivirus called XP Home Security, according to Vietnamese security vendor Bkis.

Judging from the dates of scans and comments on VirusTotal for the malicious files involved in this attack, the campaign began sometime over the weekend.

It also appears to have different variations, one of which uses FedEx as cover, probably with similar fake package delivery notifications.

This lure has been re-used in malware distribution for years now, which suggests that despite repeated warnings there are still enough people who take the bait.

At the moment, the fake antivirus program dropped by this infection has a very low detection count on VirusTotal, with only 4 in 40 antivirus engines detecting it based on signatures and heuristics.

These rogue programs are also known as scareware because they try to scare users into paying for licenses in order to clean infections that don't exist.

Users are advised to exercise caution when dealing with attachments in emails. Services like VirusTotal can be used to scan them in order to get an indication of whether they are malicious.
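
A mail-gateway style check for the attachment pattern described above (a ZIP archive that carries an executable), as an added example that is not part of the original article. The function names, the extension list and the sample message with its harmless `MZ` stub are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as directly runnable on Windows.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def executable_members(zip_bytes):
    """Names of archive members that look executable (by magic bytes or extension)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    magic = fh.read(2)   # read only the header, never the whole member
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                magic = b""              # encrypted or unsupported: fall back to the name
            if magic == b"MZ" or info.filename.lower().endswith(EXEC_EXTS):
                hits.append(info.filename)
    return hits

def inspect_message(raw):
    """Return (attachment name, member name) pairs for executables inside ZIP attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data[:4] == b"PK\x03\x04":    # ZIP local file header, whatever the file is called
            findings += [(part.get_filename(), m) for m in executable_members(data)]
    return findings

def build_sample(member_name, member_data):
    """Constructed test message modelled on the lure's subject and attachment name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    msg = EmailMessage()
    msg["From"] = "DHL <noreply@dhl.com>"   # constructed address
    msg["Subject"] = "DHL Express Services"
    msg.set_content("Constructed body for testing.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="dhl.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(inspect_message(build_sample("dhl.exe", b"MZ" + b"\x00" * 62)))
```

Checking the `MZ` magic bytes as well as the extension catches an executable that has been renamed inside the archive.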