Fake UPS Mail

These last days, several false email messages in circulation which seemed to come from the UPS company. However, they are not related to with this company at all.

The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN).

This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: