Interesting New Approach to Virus Distribution

Discussion in 'Malware Help (A Specialist Will Reply)' started by TechGirl277, Jul 24, 2008.

  1. TechGirl277

    TechGirl277 Private E-2

    I'm familiar with the eCard attempt to distribute viruses. Something very similar that happened yesterday was that one of my staff members received an email indicating there was a problem delivering their UPS package. When she tried to open it, nothing happened so I asked her to forward it to me. I saw the sender was the United Parcel Service and that there was a tracking number, so I foolishly tried to open the zipped invoice attachment. When two attempts to open the file were unsuccessful, it occurred to me I should have paid more attention to the email. The "tracking number" was 10 digits; as it turns out, the shortest UPS tracking number is 11 digits. Also, the email sender's address was sjx@blcomp.com. Since she was expecting a UPS package, neither one of us paid any attention to the specifics of the email. The virus/trojan did install on my computer and manifested at reboot (after I uninstalled my old Java files). I was able to majorly limit the virus/trojan installation on hers because I disconnected her computer from the Internet before I logged back in to her account. The virus within the file seems to be Backdoor.Paproxy. If it installs (as it did on my computer), the primary infections seem to be Trojan.Gpcoder.E and Trojan.Unclassified.BraviaX.

    One of the most interesting things about this smart trojan is that it knew SUPERAntiSpyware and SpybotSD160 would try to remove it. It would not let me run the downloaded files until I changed the names (SAS and SSD160 were how I changed them) AND it knew the executable file would try to remove them so I had to go into the appropriate Program Files folder and change the name of the application executable to stop the malware from blocking them. There really has to be something more productive that these people can do with their time . . .

    Thanks to chaslang. I have used his/her malware removal guide on six instances in the last two months. This time it worked with the download/application name changes mentioned above.

    Although I did not get HiJack This logs yet, if anyone needs to see the SAS, MBAM, and ComboFix logs for my computer and the secondary computer, let me know. I do seem to have the issue taken care of at the moment.
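    As an added illustration (not part of this thread or anyone's post in it), here is a small mail-filter heuristic that flags the three tells described above: a message that claims to be UPS but is not sent from a ups.com address, a "tracking number" shorter than the 11-digit minimum stated in the post, and a zipped attachment that contains an executable. The sender address sjx@blcomp.com comes from the post; the message body, attachment name, and the ups.com domain check are constructed assumptions for the sample.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MIN_UPS_TRACKING_DIGITS = 11  # the post states the shortest UPS tracking number is 11 digits
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def build_sample_lure() -> bytes:
    """Constructed sample modelled on the lure described in the thread (not the real email)."""
    msg = EmailMessage()
    msg["From"] = "United Parcel Service <sjx@blcomp.com>"  # sender address quoted in the post
    msg["To"] = "staff@example.test"
    msg["Subject"] = "UPS Delivery Problem"
    msg.set_content("Unfortunately we could not deliver your package.\n"
                    "Tracking number: 1234567890\nPlease print the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", b"placeholder bytes, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return msg.as_bytes()

def score_lure(raw: bytes) -> list[str]:
    """Return the list of heuristic findings for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = msg["From"] or ""
    claims_ups = re.search(r"\bups\b", sender + " " + (msg["Subject"] or ""), re.I)
    addr = re.search(r"<([^>]+)>", sender)
    domain = (addr.group(1) if addr else sender).rsplit("@", 1)[-1].lower()
    if claims_ups and not (domain == "ups.com" or domain.endswith(".ups.com")):
        findings.append(f"claims to be UPS but sender domain is {domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for num in re.findall(r"\b\d{8,}\b", text):  # digit runs that look like tracking numbers
        if len(num) < MIN_UPS_TRACKING_DIGITS:
            findings.append(f"tracking number {num} has only {len(num)} digits")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(EXEC_SUFFIXES):
                        findings.append(f"zip {name} contains executable {inner}")
    return findings
```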
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, we need to see the logs from:
    SAS
    MWB's
    ComboFix
    MGLogs.zip from running the MGTools.exe
     
  3. TechGirl277

    TechGirl277 Private E-2

    Attached are the SAS, MBAM, and ComboFix logs from my computer (designated as C1) which was significantly infected.
     

  4. TechGirl277

    TechGirl277 Private E-2

    Attached is the MGtools zipped log from my computer. I did not run MGtools on the second computer.
     

  5. TechGirl277

    TechGirl277 Private E-2

    Please find attached the SAS, MBAM, and ComboFix logs for the second computer (designated C2) which had only minor infection. If you need any additional information, I will comply to the best of my ability.
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    C-1 is clean... though you should run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    You can do the following while I get to your other computer, which you should have started a separate thread to deal with to avoid any confusion.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Are you having any issues with this computer now?

    I need the MGLogs.zip for the other computer.
     
    Last edited: Jul 25, 2008
  7. TechGirl277

    TechGirl277 Private E-2

    I am not having any trouble with the first computer. I have not been in the office this week so I do not know if they're having trouble with the second computer. I do not have an MGLog for the second computer; however, I can run one next week when I return to the office.

    I apologize for any confusion. I posted both computers in the same thread because it was the same malware. I will note for future reference that the computers need to be posted separately.

    Thank you for your comments.
     
    Last edited: Jul 31, 2008
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Get me the MGLogs.zip when you can...:)
     
