Alert: Malware FedEx Shipment Notification from reveals a number of bugs in Windows 8 and/or Outlook 2010.

NOTE: If you receive an email from FedEx with an attachment treat the email as malware. In this case the email did have malware attached. But to my surprise, as part of my reviewing the malware attachment I found a number of issues with Windows 8 and/or Outlook 2010 which to me are just as important.

The investigation of the malware received via email with the subject “FedEx Shipment Notification” started off in the same way as usual. When I see multiple emails sent to my email addresses I let others know via my blog. New malware is rarely handled by antivirus software so it represents an exposure for clients.

Using Windows 8/Outlook 2010 I saved the file to a folder on my desktop. The structure of the attachment is typical of malware. A file which looks like a potentially harmless file (in this case a PDF) but with the extension exe which means it is actually a program and usually malicious.

I then submitted the file for analysis and it was not identified as malware. That was strange. I then attempted to extract the contents of the zip file which failed. Again strange. But I just assumed this was a poorly formed file and the author of the email/malware had not created a correctly structure file. I’ve seen this before. But something didn’t feel right. More emails arrived so I decided to investigate further.

I pulled out my Windows XP computer running Outlook 2007 and performed the same steps. This time the attachment was reported as malware and I could extract the contents of the zip file. Windows 8 was for some reason failing to save the file correctly. In one way that is good because the file is thus corrupted and can’t be used to infect the user’s computer. But bad in that Windows 8 is not operating as expected. (It appears the zip file has been created as a multi-volume archive which fails in Windows 8 but is acceptable in Windows XP.)

In addition, when saving the file the first time, as expected for a new file, I wasn’t prompted after I pressed the Save button. But then I went to save the file a second time to replace the file I had already saved and there was no warning the file existed. On the Windows XP computer saving over an existing file gave the prompt asking if I wanted to overwrite the existing file.

I created a new file in Windows 8 with the filename the same as the malware (“Tracking_results_as_of_Nov28.pdf.zip”) but with my own content and sent the file to myself via email. I saved once and as expected no prompt. I save a second time and there was no prompt to overwrite the existing file.

To me this is a real concern. Potentially if a file has a certain name users may inadvertently overwrite an existing file without warning and that is not good. I did some testing and don’t yet know which filenames will overwrite without warning so at this stage all I can do is warn people to be careful when saving a file to your computer. At this stage I’ve only found the problem to occur when saving from Outlook 2010.

In summary;

- The FedEx Shipment Notification I received and currently being sent via email does contain attached malware.
- Under Windows 8 the attached file does not open and appears corrupted but does open correctly under Windows 8. This raises the question as to why files can be extracted under Windows XP but not under Windows 8.
- When saving the file from Outlook 2010/Windows 8 the file can be saved twice with no warning to overwrite. This raises the question as to whether other files can be overwritten without warning.

Recommendations:

- Delete any suspicious FedEx Shipment Notifications with suspicious attachments.
- If you received a legitimate zip file but it appears to be corrupt under Windows 8, forward the email to a Windows XP computer and try extracting the contents on the Windows XP computer.
- When saving a file from Outlook 2010/Windows 8 double check to see if a file with the same name already exists. As a precaution you can save the file to a new folder.

Kelvin Eldridge
www.OnlineConnections.com.au
Call 0415 910 703 if you have a computer related problem.
Servicing Templestowe, Doncaster, Eltham and the surrounding area.