A New Trojan Being Spread Through Fake UPS E-Mail Messages

Contributed by: Eglė
Date: 2008-07-18

Panda Security, a company that specializes in security software solutions, has alerted email recipients that it has detected a series of spam messages carrying and spreading a Trojan named Agent.JEN. The emails appear to come from UPS, the largest shipping carrier in the world.

Panda announced that the Agent.JEN Trojan is attached to a suspicious e-mail message that appears to be sent by the package delivery company UPS. The message carries the subject line "UPS packet N3621583925." In fact, it is sent by someone attempting to infect the recipient's system with a Trojan.

The message informs the recipient that a package could not be delivered because of a problem with the recipient's address. To recover the parcel, recipients are advised to download an attached .zip file and print out a copy of the invoice; the .zip file actually contains a malicious executable. This file is disguised as a Microsoft Word document, with a name like "UPS_invoice" or something similar, and carries the Agent.JEN Trojan. Users who run this file inadvertently introduce a copy of the Trojan into their computers.
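For mail administrators, a check for the lure described above, as an added example that is not part of the original article or of Panda's tooling: the Python code below inspects a .zip attachment and flags members that are executables, including ones hiding behind a document-style name. The extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}   # assumed list of executable extensions
DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf"}   # assumed list of document extensions


def scan_zip_attachment(data: bytes):
    """Return (member_name, reason) findings for the bytes of a .zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be checked
                findings.append((info.filename, "encrypted member, not inspected"))
                continue
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE executables start with "MZ"
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            if is_pe and ext not in EXEC_EXTS:
                findings.append((info.filename, "executable content behind non-executable name"))
            elif ext in EXEC_EXTS and inner in DOC_EXTS:
                findings.append((info.filename, "double extension"))
            elif is_pe or ext in EXEC_EXTS:
                findings.append((info.filename, "executable in mail attachment"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive; the 'MZ' stubs are inert bytes, not real programs."""
    stub = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", stub)
        zf.writestr("UPS_invoice.doc", stub)
        zf.writestr("invoice.doc.exe", stub)
        zf.writestr("readme.txt", b"constructed sample text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample()):
        print(f"{name}: {reason}")
```

Checking the content header as well as the name matters because a file's icon and displayed name say nothing about what it actually is.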

According to Luis Corrons, Technical Director of PandaLabs, all this effort to go unnoticed is in accordance with the present malware dynamics: cyber-crooks are no longer interested in fame or notoriety; they are out to take financial returns as silently as possible. We have seen cyber-crooks using erotic pictures, Christmas or romantic cards, fake movie trailers, etc. as lures for making users run infected files. Still, it is not usual to see a lure like this one.

If an infected file is downloaded, the code copies itself to the system. The Trojan then copies the system file to another location and replaces the Userinit.exe file with userini.exe. As a result, the computer continues to function properly, but it starts connecting to a Russian domain that is already used by other banker Trojans and uses it to send a request to a German domain to download Rootkit/Agent.JEP and Adware/AntivirusXP2008. Worse still, this increases the risk of further infections.



User Comments

behaz toufik 2008-09-21
Hello: I am an artist painter!
I complain that I was so bothered by those kind of hackers! For this cause I need you to send me a Trojan to recuperate all my messages from its stealers.
Yours faithfully,
artist painter behaz toufik
I hope that I am talking with a team which knew very well what is the creativity stolen.
Thank you.