Attackers Exploited UPS Name to Spread Trojan
Panda Security's malware analysis and detection laboratory, PandaLabs, has discovered a run of e-mails distributing the Agent.JEN Trojan while purporting to come from United Parcel Service (UPS), the package delivery firm.
The message, carrying the subject "UPS packet N3621583925", tells the recipient that a parcel could not be delivered and instructs them to print out the copy of the invoice attached to the e-mail.
The "invoice" arrives as a .zip attachment containing an executable disguised as a Microsoft Word document named "UPS_invoice". Opening the file installs a copy of the Trojan on the victim's machine.
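The attachment trick described above is easy to catch at a mail gateway or on an analyst's desk if the archive is inspected rather than trusted by name. The following Python script is an added example, not code from the article or from PandaLabs: it opens a .zip in memory and flags members that carry a Windows executable extension, a document-then-executable double extension of the "UPS_invoice.doc.exe" pattern, or a PE ("MZ") header regardless of what the file name claims. The archive contents are constructed for the demonstration, and the member names are assumptions, since the article gives only the name "UPS_invoice".

```python
from __future__ import annotations

import io
import zipfile

# Extensions a mail lure usually pretends to be, and extensions Windows will execute.
# These sets are assumptions chosen for the example, not a list from the article.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def extensions_of(member_name: str) -> list[str]:
    """Return all dotted suffixes of the base name, e.g. 'a/UPS_invoice.doc.exe' -> ['.doc', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious archive member to the reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            final_ext = exts[-1] if exts else ""
            reasons = []
            if final_ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {final_ext}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension: document name in front of an executable")
            # Content is authoritative: a Windows PE file starts with the 'MZ' DOS header
            # whatever the name says, so this catches a renamed executable too.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE (MZ) header in content")
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample attachment, not the real one: a PE stub with a document-style
    double extension, a PE stub hiding behind a plain .pdf name, and a harmless text file."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPS_invoice.doc.exe", fake_pe)
        zf.writestr("invoice_scan.pdf", fake_pe)
        zf.writestr("readme.txt", b"Your parcel could not be delivered.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

The double-extension check matters because Windows hides known extensions by default, so a file named UPS_invoice.doc.exe is shown to the user as UPS_invoice.doc; the header check matters because the name can be anything at all.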
Once running, the malware copies itself onto the computer in place of the Windows file Userinit.exe. Windows launches this file at logon to start the user interface (the Explorer shell) and other required processes, so by taking its place the Trojan is executed every time the user logs on. The genuine system file is copied to a different location under the name userini.exe and is still run, so the system keeps working normally and the user sees no sign of the infection.
Agent.JEN then connects to a Russian domain (one also used by banker Trojans) and from it requests the download of further malware hosted on a German domain: adware and a rootkit that PandaLabs detects as Adware/AntivirusXP2008 and Rootkit/Agent.JEP. This further increases the damage done to the infected system.
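The persistence mechanism described above leaves two artefacts a responder can look for: a userini.exe sitting next to Userinit.exe, and a Userinit.exe whose contents no longer match a known-good copy. The following Python script is an added example, not code from the article or from Panda, that performs both checks against a System32 directory. The directories and binaries it inspects are constructed stand-ins built in a temporary folder, and the known-good SHA-256 is assumed to come from a clean reference system of the same Windows build.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Constructed stand-ins for the real binaries. On a live system the baseline hash would come
# from a known-clean machine of the same Windows build (or be replaced by Authenticode
# signature verification); it is an assumption of this example, not data from the report.
CLEAN_USERINIT = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"clean userinit stub"
TROJAN_USERINIT = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"trojan dropper stub"


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_userinit(system32: Path, known_good_sha256: Optional[str] = None) -> list[str]:
    """Look for the artefacts this report describes; return a list of findings (empty if clean)."""
    findings: list[str] = []
    userinit = system32 / "userinit.exe"
    renamed_original = system32 / "userini.exe"

    if not userinit.is_file():
        return ["userinit.exe is missing"]

    # The Trojan keeps the genuine file under a near-identical name so logon still works.
    if renamed_original.exists():
        findings.append("userini.exe present next to userinit.exe (renamed original?)")

    with userinit.open("rb") as fh:
        if fh.read(2) != b"MZ":
            findings.append("userinit.exe does not start with a PE (MZ) header")

    if known_good_sha256 and sha256_of(userinit) != known_good_sha256.lower():
        findings.append("userinit.exe SHA-256 differs from the known-good baseline")
    return findings


def demo_scenarios() -> dict[str, list[str]]:
    """Build a clean and an infected fake System32 in a temporary directory and check both."""
    baseline = hashlib.sha256(CLEAN_USERINIT).hexdigest()
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / "userinit.exe").write_bytes(CLEAN_USERINIT)
        results["clean"] = check_userinit(clean, baseline)

        infected = Path(tmp) / "infected"
        infected.mkdir()
        (infected / "userinit.exe").write_bytes(TROJAN_USERINIT)
        (infected / "userini.exe").write_bytes(CLEAN_USERINIT)
        results["infected"] = check_userinit(infected, baseline)
    return results


if __name__ == "__main__":
    for scenario, findings in demo_scenarios().items():
        print(f"{scenario}: {findings or 'no findings'}")
```

On a real host the same two checks are run against %SystemRoot%\System32. A hash baseline has to be refreshed after every Windows update that touches the file, so verifying the file's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) is the more durable test.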
Dominic Hoskins, Country Manager of Panda Security in the UK, said that today's malware schemes try to make financial gains as quietly as possible and that these attacks are clear indications of current malware trends, as reported by Hexus on July 15, 2008.
UPS, for its part, has sent a formal e-mail alert to its customers about the threat. The company says it is aware of a fraudulent e-mail in circulation that claims to come from UPS and tells recipients that a UPS delivery could not be made. It advises recipients not to open the attachment and to delete the message immediately, as reported by Ars Technica on July 15, 2008.
Hackers are not attracted by recognition or notoriety; they are interested in monetary gain in the stealthiest manner possible, said Luis Corrons, Technical Director at PandaLabs, as reported by MarketWatch on July 15, 2008.
Related article: Attackers Use Another ‘Word Flaw’ To Plant Trojan
» SPAMfighter News - 29-07-2008