FedEx Tracking Detail scam e-mail brings fake anti-virus

Author: , posted: @ 15:17:57

Malicious e-mails titled 'Tracking Detail' are spreading fake anti-virus program named Security Defender.

This example mail came from ( []), had a fake sender "Express Mail Service" <[email protected]> and was titled "Tracking Detail (U)EWT10 275 275 9353 9353".
The contents were as follows:

Fed Ex

Order: SGH-6372-66501641
Order Date: Thursday, 17 January 2013, 11:10 AM
Dear Customer,

Your parcel has arrived at the post office at January 20.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.


Best Regards, The FedEx Team.

FedEx 1995-2012

Here's a screenshot:
Fed Ex Tracking Detail scam, example e-mail

The Get & Print Receipt button actually linked to YRZXKBOWJK.php?receipt=801_389668808 at and started downloading a file named The contents were as expected - PostalReceipt.exe program that has Microsoft Word icon to fool those who still have not enabled the displaying of known file extensions in Microsoft Windows. Detection rate of the particular file is still very low among anti-virus vendors, but even free AV products are able to block Security Defender from installing.
Fed Ex Tracking Detail scam, contents of

Launching the file will download and install rogue anti-virus program named Security Defender. In Windows XP, files will be saved to All Users\Application Data\pcdfata subfolder in Documents and Settings folder. In Windows Vista and newer, the pcfdata subfolder appears in ProgramData folder instead. The files added are app.ico, defs.bin, support.ico, uninst.ico, vl.bin and the main executable with some random name, such as utuwnwqe.exe or baodratw.exe.
Additional copies of the downloader (also named randomly, such as ngupgupp.exe or raciecjr.exe) may be stored in Local Settings\Application Data (in Windows XP) or AppData\Local (in Windows Vista and newer) subfolder of current user profile. Another randomly named file without extension (size 46 kilobytes) is then created in the same location. One or both of these is/are used to prevent from downloading Security Defender twice.
Fed Ex Tracking Detail scam, contents of Security Defender rogue anti-virus program folder

The original PostalReceipt.exe file will be then deleted and to fool users even more, PostalReceipt.txt file will open in Notepad.
Fed Ex Tracking Detail scam, contents of PostalReceipt.txt file

About rogue anti-virus program Security Defender

The scareware program Security Defender puts itself in Notification Area of Taskbar (aka System Tray) and starts blocking the launch of executable files that have .exe extension. This means that most anti-virus and anti-malware programs are unable to start. It will also close Task Manager if it is open.
Security Defender fake anti-virus program, system tray icon

As usual, many fake warnings will appear next, such as "Unknown program is scanning your system registry right now! Identify the theft detected!", "Vulnerabilites found. Serious problems have been detected." and so on. All these are trying to drive victims into buying the rogue program.
Security Defender fake anti-virus program, example System Security Alert - Unknown program is scanning your system registry right now Security Defender fake anti-virus program, example System Security Alert - Vulnerabilities found

Here's how Security Defender's main window and activation dialog look like:
Security Defender fake anti-virus program, main window Security Defender fake anti-virus program, activation dialog

Paying for Security Defender is certainly not an option. Read on to find out how to remove it.

How to remove Security Defender with Malwarebytes Anti-Malware Chameleon

The following instructions presume that Malwarebytes Anti-Malware is already installed.

Because launching of programs with .exe extension is blocked by Security Defender, navigate to the folder where MBAM is installed - for example, C:\Program Files\Malwarebytes' Anti-Malware and open the Chameleon subfolder. This folder contains disguised versions of MBAM emergency tools. Launch (no, this is not Mozilla Firefox really) and press a key when prompted. MBAM will then update its definitions, kill Security Defender task and run a quick scan. This will take up to half an hour.
Fed Ex Tracking Detail scam, removing Security Defender rogue antivirus with MBAM Chameleon

After the scan is complete, click Show Results and then click Remove Selected. If prompted, reboot your computer.

Return to Blog entries Stay up to date with RSS feed.


Latest entries