{"id":72479,"date":"2011-09-11T06:53:45","date_gmt":"2011-09-11T06:53:45","guid":{"rendered":"https:\/\/localhost\/wordpress\/?p=72479"},"modified":"2011-09-11T06:53:45","modified_gmt":"2011-09-11T06:53:45","slug":"your-package-has-arrived","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/your-package-has-arrived\/","title":{"rendered":"Your package has arrived!"},"content":{"rendered":"<p>The email shown below appears to come from United Parcel Service (UPS) International Shipping Company, but in reality it does not. In fact, it has a hidden link to a malicious website.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/36.JPG\" alt=\"\" width=\"650\" height=\"206\" \/><\/p>\n<p>It downloads a binary invoice[random_number].JPG.exe with double extensions which looks as if it is an image file. Quick Heal detects this file as <strong>Trojan.Menti.hygd<\/strong>. <\/p>\n<p>When run, &#8220;Trojan.Menti.hygd&#8221; drops a copy of itself as a randomly named file:<br \/>\n&#8220;%APPDATA%\\random letters\\random letters.exe&#8221;<\/p>\n<p>It also creates the registry key shown below so that it runs at Windows startup:<br \/>\n&#8220;HKCU\\Software\\Microsoft\\Windows\\Currentversion\\Run\\{GUID of Windows volume}&#8221; = &#8220;%APPDATA%\\random letters\\random letters.exe&#8221;<\/p>\n<p>The malware injects code into the address space of Windows processes, as shown below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/37.JPG\" alt=\"\" width=\"631\" height=\"49\" \/><\/p>\n<p>This trojan steals sensitive data from the computer, so we suggest that users stay away from such emails.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The email shown below appears to come from United Parcel Service (UPS) International Shipping Company, but in reality it does not. In fact, it has a hidden link to a malicious website. 
It downloads a binary invoice[random_number].JPG.exe with double extensions which looks as if it is an image file. Quick Heal detects this file as [&hellip;]<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,24],"tags":[22,23,25,40,86],"class_list":["post-72479","post","type-post","status-publish","format-standard","hentry","category-email","category-malware","tag-email-malware","tag-fraudulent-email","tag-phishing","tag-trojan","tag-ups"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72479"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=72479"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72479\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=72479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=72479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=72479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}