
TrojanDownloader:Win32/Upatre.AF


First posted on 14 October 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Upatre.AF.

Explanation :

Threat behavior

Installation

TrojanDownloader:Win32/Upatre.AF can be installed on your PC when you open a spam email attachment. We have seen the attachment use the following names:

  • document__pdf.zip (Example: document_234787_pdf.zip)
  • fax-message_pdf.zip
  • Your document.zip


We have also seen a malicious link to download the malware within the spam email, for example:

Subject: Fax

You have received a new fax. This fax was received by Fax Server.

The fax has been downloaded to dropbox service (Google Inc).

To view your fax message, please download from the link below. It's operated by Dropbox and safety.

http://al-katech.com//.html

Received Fax Details

----------------------------------------------------------------
Received on: 16/09/2014 08:14 AM
Number of Pages: 1
From (ID): 503-879-32265
Duration of Fax: 0:00:29
Transfer Speed: 4400
Received Status: Success
Number of Errors: 0
Port Received: NP_104
----------------------------------------------------------------

This e-mail has been sent from an automated system.

PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Once the attachment is opened, the malware creates a copy of itself on your PC as %TEMP%\.exe, for example %TEMP%\zdpya.exe.

Payload

Downloads updates and other malware

TrojanDownloader:Win32/Upatre.AF connects to remote sites to download updates and other malware. We have seen it connect to the following sites:

  • brucewhite.org/scripts/1709uk2.hit
  • conradhechter.com/mandoc/0810out.soa
  • coud-bec.com/mandoc/0810out.soa
  • itsallaboutrice.com/mandoc/uk2.pdf
  • wushufoods.com/mandoc/uk2.pdf
  • 11jecketoen.de/html/1709uk2.hit


The downloaded file is usually saved in %TEMP% with a random file name.

We have seen this malware download PWS:Win32/Dyzap.D, TrojanSpy:Win64/Dyzap.C and Win32/Vawtrak.

Collects PC information

TrojanDownloader:Win32/Upatre.AF also gets the following information from your PC:

  • Details of your operating system
  • Your PC name


It then connects to a remote server using these details:

  • :///0//0/, for example 94.75.233.13:36112/0710uk2/MYCOMPUTER/0/51-SP3/0/


It also uses a specific user-agent when connecting to and downloading from the remote site. We have seen it use the following user-agents:

  • Install
  • Opera
  • update
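As an added defender-side example (not part of the Microsoft description), the following Python scans constructed proxy log lines for the check-in URL shape and the bare user-agent strings listed above. The tab-separated log layout, the field names and the regular expressions are my assumptions; the check-in path template is inferred from the single example URL on this page.

```python
import re
from collections import namedtuple

# Indicators from the description above. The check-in template is inferred
# from the one example URL on the page: /<campaign>/<pc name>/0/<os>/0/.
UPATRE_USER_AGENTS = {"Install", "Opera", "update"}  # exact bare strings
CHECKIN_PATH = re.compile(r"^/[A-Za-z0-9]+/[^/]+/0/[^/]+/0/$")
PAYLOAD_PATH = re.compile(r"^/(scripts|mandoc|html)/[A-Za-z0-9]+\.(hit|soa|pdf)$")

# Assumed (constructed) proxy-log layout: ts, client, method, host, path, user-agent.
ProxyRecord = namedtuple("ProxyRecord", "ts client method host path user_agent")

def parse_proxy_line(line):
    """Parse one tab-separated line of the constructed proxy log format."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    return ProxyRecord(*fields)

def upatre_reasons(rec):
    """Return the reasons a record resembles Upatre.AF traffic (empty list if none)."""
    reasons = []
    # Real browsers send long UA strings; a bare token such as 'Opera' is the tell,
    # so compare exactly rather than with a substring match.
    if rec.user_agent in UPATRE_USER_AGENTS:
        reasons.append(f"bare user-agent {rec.user_agent!r}")
    if CHECKIN_PATH.match(rec.path):
        reasons.append("check-in path shape /<campaign>/<pc name>/0/<os>/0/")
    if PAYLOAD_PATH.match(rec.path):
        reasons.append("payload path shape /(scripts|mandoc|html)/<name>.(hit|soa|pdf)")
    return reasons

def scan_log(lines):
    """Yield (record, reasons) for every log line that triggers at least one reason."""
    for line in lines:
        rec = parse_proxy_line(line)
        reasons = upatre_reasons(rec)
        if reasons:
            yield rec, reasons

# Constructed sample: benign browsing, a check-in, a payload fetch, and a real
# Opera browser whose long user-agent must not match the bare "Opera" token.
SAMPLE_LOG = [
    "2014-10-14T08:14:01\t10.0.0.5\tGET\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 6.1)",
    "2014-10-14T08:14:03\t10.0.0.5\tGET\t94.75.233.13:36112\t/0710uk2/MYCOMPUTER/0/51-SP3/0/\tInstall",
    "2014-10-14T08:14:05\t10.0.0.5\tGET\tconradhechter.com\t/mandoc/0810out.soa\tupdate",
    "2014-10-14T08:15:00\t10.0.0.7\tGET\twww.example.com\t/news/\tOpera/9.80 (Windows NT 6.1) Presto/2.12.388",
]
```

Running `list(scan_log(SAMPLE_LOG))` yields the check-in and the payload fetch, each with both a user-agent and a path reason, while the benign lines produce nothing.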




Analysis by James Dee

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %TEMP%\.exe, for example %TEMP%\zdpya.exe

Last update 14 October 2014