Delivery Failure Revisited: Win32/TrojanDownloader.Agent.QXN returns

The Trojan downloader malware Win32/TrojanDownloader.Agent.QXN that showed up in my email about 10 days ago made a return visit today, posing as a pair of emails from the United States Postal Service. The first time the malware showed up it was dressed up, as a package delivery receipt from Canada Post. But this time the presentation was fairly unimaginative, as you can see here.Trojan delivered by fake USPS email

The message is in plain text from an email address that does not resemble a USPS address. The text is not full of typos but it lacks logic and it is, at least to my ears, strangely worded (can you recall any USPS documents that employ the phrase "the recipient's address is erroneous?").

Furthermore, the malware delivery mechanism here is fairly primitive. There is a zip file attached to the email and this contains an executable that the intended victim must therefore extract and run to get infected.

The faked Canada Post delivery mechanism was a plausible URL that triggered a file download. The Trojan itself was presented as a somewhat obscure file type with the extension .PIF, not the more obvious .EXE extension used in this case. The .PIF extension offers the added benefit of being easily confused with .PDF by novice users.

Of course, even an unsophisticated malware delivery system still means that some recipients of this email will execute the Trojan code and open up a back door on their systems, one that may lead to all their data and a whole lot more. Fortunately, this particular piece of malware is widely recognized by antimalware programs. In fact, it is unlikely to make it as far as your in-basket if you are using Gmail or a major ISP. Nevertheless, the fact that this showed up twice in one day in my in-basket serves as a reminder to be vigilant at this time of the year, a time when package delivery is on the minds of many.  

If you want to educate friends and family about how this type of attack works, here is a short video I made using the Canada Post example. Feel free to share it:

Author Stephen Cobb, ESET

  • Rich

    Thanks for this helpful warning.

  • Jocelyne Boudreau

    Thank-you for this clear warning. At my office, I received (and still receive) something that ressembles this e-mail. I don't open them because I never send any packages anyways. But they always come back.

  • Bob McFarland

    Hello, I recently found two Trojan infections during my e-set manual scan. My laptop was running slow so I knew something was up. I was surprised that my E-SET did not stop it in the first place. They both came through as Java updates, so know I am not going to allow any updates from Java until I figure this out. I run Windows automatic updates, but for some reason I get pop ups that tell me there is a Java update available. The only other one that does that is DIV-X I am not updating that either. All other updates come throught the windows update. Here are the Trojans that came through. java/agent DY trojan and java/Exploit.cve-2011-3544. F trojan. Perhaps you could give me some feedback on this as I have had E-SET for agoing on two years and have never had a problem until now.

    • David Harley

      Bob, that really sounds like a product support issue: if you go via the Support tab on the main ESET page, you should be able to contact a support specialist who can help you assess any further risk to your machine. A couple of things: (1) pop-ups are normal for Java update notifications: are you sure that’s where the problem arose? (Just because the product has flagged java-specific malware, that doesn’t mean they were associated with the pop-ups.) I don’t use the DivX codec so can’t comment on its updating at all. (2) You can’t assume that any AV software will stop all malware at the time of download and/or infection. It may be that detection of whatever you have (the second in particular is a fairly generic detection names, meaning that it might include a wide range of malware) was added after they hit your hard drive. The CVE-flagged exploit goes back to October. (3) I’m slightly concerned that you refer to E_SET and E-SET, as we’re aware of fake AV that has used similar names in the hope of being mistaken for a legitimate ESET product.

  • Bob McFarland

    Also, I forgot to mention that E_SET automatically quaranteened the two trojans once I ran the manual scan. I was very surprised that they got through E_SET in the first place. Should they not have been caught automaticly ? Also even though they are now in quarantine, do I need to be concerned about any issues that may have been caused to my laptop. It seems to run fine now, I just am concerned that that there are things lurking in the dak that may cause future problems or gain access to my personal information etc.

  • Father David Edwards

    Thank you! Keep up the good work.


    So how is a .pif handled by win7 anyway?

    • David Harley

      Mr Fawcett, I haven’t looked at this specific binary and don’t claim to be an expert on Windows internals, but I imagine the issue here is that the file isn’t really a PIF (Program Information File) – which could be described as a pseudo-executable in that it doesn’t itself contain executable code – but is treated by Windows in the same way as an .EXE (or other executable) file, using the same function call and responding according to the header rather than according to the filetype. The shell is behaving “correctly” by running code but it’s (slightly anomalously) executing code in the PIF rather than code in a “true” executable. While this aspect of the relevant functions have been misused for many years, I suspect that substantial re-engineering would break more than it fixed.

  • Walter

    Hello Stephen,
    Thanx for the warning but it would have been better had it been more timely.  I see that you sent this December 6 but I did not receive it until January 18th!

    • David Harley

      Hello, Walter.

      This article was indeed posted to the blog on 6th December. I assume, since there is a flurry of comments on it this morning, that it was mailed out from elsewhere (Securing Our eCity perhaps?) and we have no control over that. In fact, we don’t directly manage the RSS feed or Feedburner email subscription: however, if there’s a problem with either of those, by all means let us know here and we’ll pass the message on to the web team.

  • don gottschalk

    Thank you.  One can never know too much about the latest scams.

  • Rob

    i have also been seeing similar e-mails concerning
    pending delivereies from UPS, U.S. Postal Service,  and many
    of the other carrirers.

  • Lenny

    I have seen several of this emal over the past month +.  It sailed right through email into my inbox.  Fortunately ESET was on the job.

Follow us

Copyright © 2017 ESET, All Rights Reserved.