A new wave of bogus UPS shipping spam is being used to push a piece of malware which can render PCs unbootable, security company Webroot has warned.
The company's warning relates to a Trojan downloader called ‘tactilol' that appears to turning up either as a zipped attachments with stock UPS shipping confirmation spam, or as a Facebook update.
The attack will undoubtedly have a number of different payloads, but the one that caught Webroot researcher's attention appears to push fake antivirus software, XP defender, which pesters the user with warnings of non-existent malware in the hope that they will pay for a useless license.
As well as interfering with Internet Explorer and Firefox, it resists manual removal with a simple batch file that is executed if it boots with certain files missing. At that point it deletes the Windows NT bootloader component of Windows XP, as well as the entire Windows directory for good measure, rendering the PC useless without a complete re-image.
It is not clear from Webroot's comments whether the technique would affect Vista (which uses a different bootload architecture and files stored in different locations) or Windows 7, but it would not be hard to modify if it doesn't.
The motivation appears to be more functional than spiteful. The authors do not want the malware to be easily analysed and would rather the PC became unbootable.
The combination of UPS (or Fedex) spam with zipped downloaders leading to hard disk disaster does appear to be a theme of recent months on forums, which a number of users reporting that their PCs became unusable after infection.
The phenomenon of spam based on parcel-delivery services is as long-established as it is cunning. UPS and Fedex are popular services for parcel delivery and users can be caught off guard if they are genuinely expecting a delivery. If the user clicks the attachment the best hope on painfully-vulnerable Windows XP systems is that installed antivirus software blocks it, which most should do.