TrojanDownloader:Win32/Upatre.B
First posted on 23 January 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Upatre.B.
Explanation:
Threat behavior
Installation
TrojanDownloader:Win32/Upatre.B can be installed on your PC by the following malware:
- Trojan:Win32/Alureon.FO
- Trojan:Win32/Tesch.B
When run, TrojanDownloader:Win32/Upatre.B creates the following file:
- %ALLUSERSPROFILE%\Application Data\Mozilla\<random>.exe, where <random> is hardcoded inside the malware file. For example, %ALLUSERSPROFILE%\Application Data\Mozilla\jbvusrj.exe.
It also creates a scheduled task that runs the malware at each system start:
- %windir%\tasks\<random>.job, where <random> is hardcoded inside the malware file.
Payload
Downloads updates and other malware
TrojanDownloader:Win32/Upatre.B connects to a remote server to download updates and other malware. The server address is hardcoded in the malware.
We have seen it connect to the following servers:
It then downloads an updated version of itself and other malware files, including variants of:
- PWS:Win32/Zbot
- TrojanDropper:Win32/Rovnix
The downloaded file is saved as %TEMP%\Java_Update_<random>.exe, for example, %TEMP%\Java_Update_5a8bf3e9.exe.
Analysis by Zarestel Ferrer
Symptoms
The following could indicate that you have this threat on your PC:
- You have this file:
%ALLUSERSPROFILE%\Application Data\Mozilla\<random>.exe, where <random> is hardcoded inside the malware file. For example, %ALLUSERSPROFILE%\Application Data\Mozilla\jbvusrj.exe
- You have this scheduled task:
%windir%\tasks\<random>.job
Last update 23 January 2014
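An added indicator check, not part of the Microsoft description, that applies the file-path symptoms above (the dropped executable under Application Data\Mozilla, the .job task in %windir%\tasks, and the %TEMP%\Java_Update_ download) to an inventory of paths and, on a Windows host, to the live directories. The Java_Update_<hex> pattern, the function names and the sample paths are assumptions of this example.

```python
import os
import re
from typing import Iterable, List, Tuple

# Path indicators from the Upatre.B description. The dropped .exe and the .job
# task carry a name hardcoded in each sample, so only directory and extension
# are fixed. Java_Update_<hex> is an assumption generalised from the page's one example.
INDICATORS = (
    ("upatre_dropped_exe",
     re.compile(r"\\Application Data\\Mozilla\\[^\\]+\.exe$", re.IGNORECASE)),
    # Any .job under %windir%\tasks is a weak signal on its own: legitimate
    # tasks live there too, so correlate it with the dropped executable.
    ("upatre_scheduled_task",
     re.compile(r"\\tasks\\[^\\]+\.job$", re.IGNORECASE)),
    ("upatre_downloaded_payload",
     re.compile(r"\\Java_Update_[0-9a-f]+\.exe$", re.IGNORECASE)),
)

def classify_path(path: str) -> List[str]:
    """Return the names of the indicators a single file path matches."""
    return [name for name, rx in INDICATORS if rx.search(path)]

def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator, path) pairs for every match in a path inventory."""
    return [(name, p) for p in paths for name in classify_path(p)]

def collect_local_paths() -> List[str]:
    """On a Windows host, list the files in the three directories the page
    names; returns [] where those environment variables are not set."""
    wanted = [("ALLUSERSPROFILE", ("Application Data", "Mozilla")),
              ("windir", ("tasks",)), ("TEMP", ())]
    found: List[str] = []
    for var, sub in wanted:
        root = os.path.join(os.environ[var], *sub) if var in os.environ else ""
        if root and os.path.isdir(root):
            found.extend(os.path.join(root, f) for f in os.listdir(root))
    return found

# Constructed sample inventory (not from a real host) so the check runs offline.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\Mozilla\jbvusrj.exe",
    r"C:\WINDOWS\tasks\qlzpdk.job",
    r"C:\WINDOWS\tasks\SA.DAT",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\Java_Update_5a8bf3e9.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for name, path in scan_paths(SAMPLE_PATHS + collect_local_paths()):
        print(f"{name}: {path}")
```

A .job hit on its own only says a scheduled task exists; treat it as confirmation of the dropped executable rather than as an indicator by itself.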