Win32/Upatre
First posted on 22 May 2014.
Source: Microsoft
Aliases:
There are no other names known for Win32/Upatre.
Explanation:
Threat behavior
Installation
The trojan may arrive as an attachment to a spammed email. In the wild, we have seen these emails being spread by the Win32/Cutwail family.
The following are some examples of the attachment names (the variable part of each name is missing from this copy):
- .zip
- Case_ .zip
- Statement of Account.zip
- TAX_ .zip
- USPS - Missed package delivery.zip
- USPS_Label_ .zip
Examples of the email message:
The threat creates the following file on your PC:
- %TEMP%\ .exe, where the file name is a string hardcoded inside the malware file. For example, %TEMP%\jcbnaf.exe.
Payload
Download updates or other malware
The threat connects to a remote server to download updates and other malware. The server address is hardcoded in the malware.
In the wild, we have seen this malware download updates of itself and variants of Win32/Zbot. It downloads a file that it saves as an .exe file into the %TEMP% folder. For example, %TEMP%\jadghsu.exe.
We have seen it connect to the following servers to download the file:
- appsredeem.com
- backpackinglight.com.au
- benefitanswers.co.uk
- buyedit.com
- emrlogistics.com
- findsupplychainmanagement.com
- hot-buys.org
- idate.co.uk
- imagevillage.co.uk
- lingayasuniversity.edu.in
- loquay.com
- moraza.com.my
- quantumlightconnections.com
- ren7oaks.co.uk
- thedivineobjects.com
- wavetmc.com
Recent variants of Win32/Upatre use encryption to disguise the presence of Win32/Zbot malware.
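The two observable signs described in the Installation and Payload sections (a freshly dropped %TEMP%\&lt;name&gt;.exe with a short lowercase name, and a connection to one of the download servers listed above) can be turned into simple triage checks. The script below is an added example, not code from Microsoft or from this write-up; the proxy-log format, the sample log lines and the 5-to-8-letter length range for the dropped file name are assumptions made for the example.

```python
"""Added example (not part of the Microsoft write-up): flag the two observable
signs of Win32/Upatre described in the text over constructed sample input."""
import re
from urllib.parse import urlsplit

# Download servers named in the write-up; these are the only page-supplied indicators.
UPATRE_DOMAINS = frozenset({
    "appsredeem.com", "backpackinglight.com.au", "benefitanswers.co.uk",
    "buyedit.com", "emrlogistics.com", "findsupplychainmanagement.com",
    "hot-buys.org", "idate.co.uk", "imagevillage.co.uk",
    "lingayasuniversity.edu.in", "loquay.com", "moraza.com.my",
    "quantumlightconnections.com", "ren7oaks.co.uk", "thedivineobjects.com",
    "wavetmc.com",
})

# Dropped-file shape from the Installation section: %TEMP%\<name>.exe with a
# hardcoded name (examples on the page: jcbnaf.exe, jadghsu.exe). The
# "5 to 8 lowercase letters" range is an assumption, not stated on the page.
DROPPED_EXE_RE = re.compile(r"^%TEMP%\\[a-z]{5,8}\.exe$")

# Rewrites a concrete per-user temp path into the %TEMP% form used by the write-up.
WINDOWS_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
                             re.IGNORECASE)


def normalize_temp(path):
    """Return the path with a per-user Windows temp prefix replaced by %TEMP%."""
    return WINDOWS_TEMP_RE.sub(r"%TEMP%\\", path)


def is_suspicious_temp_exe(path):
    """True when the path has the dropped-file shape described above."""
    return DROPPED_EXE_RE.match(normalize_temp(path)) is not None


def matches_ioc_domain(host):
    """Exact or subdomain match against the listed download servers.

    A plain suffix test would also match 'nothot-buys.org', so the check
    requires either equality or a dot boundary before the indicator."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in UPATRE_DOMAINS)


def scan_proxy_log(lines):
    """Return (line_number, host) for lines whose destination host is an indicator.

    Assumed (constructed) line format: '<timestamp> <client-ip> <METHOD> <url> <status>'."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than guess
        host = urlsplit(fields[3]).hostname or ""
        if matches_ioc_domain(host):
            hits.append((number, host))
    return hits


# Constructed sample proxy log; the fourth line is a decoy that must NOT match.
SAMPLE_PROXY_LOG = [
    "2014-05-22T09:01:12Z 10.0.0.15 GET http://www.example.com/ 200",
    "2014-05-22T09:01:40Z 10.0.0.15 GET http://idate.co.uk/images/load.php 200",
    "2014-05-22T09:02:03Z 10.0.0.22 GET http://www.lingayasuniversity.edu.in/up/1.exe 200",
    "2014-05-22T09:02:10Z 10.0.0.22 GET http://hot-buys.org.example.net/ 404",
]

# Constructed file paths as they might come from an EDR or file-creation log.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\jcbnaf.exe",
    r"C:\Users\alice\AppData\Local\Temp\Setup_1.2.exe",
    r"C:\Users\alice\Downloads\report.exe",
]

if __name__ == "__main__":
    for number, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {number}: contact with Upatre download server {host}")
    for path in SAMPLE_PATHS:
        if is_suspicious_temp_exe(path):
            print(f"dropped-file shape: {path}")
```

Treat a hit from either check as a lead rather than a verdict: the file-name heuristic will also match some legitimate short names, and several of the listed hosts read like ordinary business or university sites, so the value of a match is in correlating it with a recent e-mail attachment and with the Win32/Zbot follow-on download described above.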
Analysis by Patrick Estavillo
Symptoms
The following could indicate that you have this threat on your PC:
- You get emails similar to those shown in the Payload section
Last update 22 May 2014