Agent.JEN Trojan spreads trough fake UPS Emails

Adware - Spyware : Agent.JEN Trojan spreads trough fake UPS Emails

Posted by Max on 2008/7/18 14:10:39 (2542 reads)

PandaLabs, Panda Security's malware analysis and detection laboratory, has detected the appearance of a series of emails used to spread the Agent.JEN Trojan. These messages, with subjects like "UPS packet N3621583925", purport to come from the package delivery company UPS. The message body informs the recipient that it was impossible to deliver their postal package and advises them to print out a copy of the attached invoice copy.

The invoice is included in an attached ".zip" file that contains an executable file disguised as a Microsoft Word document with names like "UPS_invoice". However, if the targeted user runs the file, they will be introducing a copy of the Trojan into their computer.

The malicious code copies itself to the system, replacing the Userinit.exe file in the Windows operating system. This file runs the Internet Explorer browser, the system interface and other essential processes. For the computer to continue working properly and in order to avoid raising suspicion of the infection, the Trojan copies the system file to another location under the name userini.exe.

"All of this effort not to be noticed is in consonance with the current malware dynamic," said Luis Corrons, Technical Director of PandaLabs. "Cyber-crooks are no longer interested in fame or notoriety; they are out to get financial returns as silently as possible."

Finally, Agent.JEN connects to a Russian domain (already used by other banker Trojans) and uses it to send a request to a German domain to download a rootkit and an adware detected by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008. This increases the risk of infection even more.

"We had seen cyber-crooks use erotic pictures, Christmas or romantic cards, and fake movie trailers as bait to make users run infected files," explains Corrons. "However, it is not usual to see baits like this one. This clearly indicates that cyber-crooks are trying to use baits that do not raise suspicion to spread their creations."

More information is available in the PandaLabs blog:

About PandaLabs
Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model which can even detect malware that has evaded other security solutions.

Previous article - Next article

Other articles
2010/9/1 14:59:07 - New Acunetix Web Vulnerability Scanner 7 Released !
2010/8/26 4:31:23 - Latest Panda Security Survey
2010/8/25 17:11:47 - NEW August 2010 Symantec MessageLabs Intelligence Report
2010/8/25 17:04:12 - GFI VIPRE Antivirus Earns Gold Level OESIS OK Certification
2010/8/25 16:59:22 - NEW IBM X-Force H1 2010 Report On Global Security
2010/8/24 7:58:12 - Identity Finder Offers Free Identity Protection for College Students
2010/8/24 7:55:18 - ESET NOD32 Antivirus Confident on Southern Africa Security Market
2010/8/24 7:51:10 - Returnil Virtual System Receives Virus Bulletin's VB100 Award
2010/8/24 7:46:57 - SharperLending’s Appraisal Firewall Technology Keeps Appraisers Independent and Lenders Compliant
2010/8/19 11:01:51 - Avalanche Group Phishing Attacks Decrease in Q2 2010 in Favour of Malware Attacks

The comments are owned by the poster. We aren't responsible for their content.