
TrojanDownloader:Win32/Upatre.A


First posted on 17 April 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Upatre.A.

Explanation:

Threat behavior

Installation

TrojanDownloader:Win32/Upatre.A can get onto your PC as a spam email attachment.

We have seen the attachment use any of the following file names:

  • -.zip
  • ATO_TAX.zip or ATO_TAX_.zip
  • Case_.zip
  • Remit_.zip
  • Statement of Account.zip
  • TAX_.zip
  • USPS - Missed package delivery.zip
  • USPS_Label_.zip


The email can look like any of the following:

TrojanDownloader:Win32/Upatre.A also creates this file on your PC:

  • %TEMP% \.exe, for example, C:\documents and settings\administrator\local settings\temp\jcbnaf.exe


where .exe is hard-coded inside the malware file.

Payload

Downloads updates and other malware

TrojanDownloader:Win32/Upatre.A connects to another server, the address of which is hardcoded in the malware.

We have seen it connect to the following servers:

  • cyclivate.com
  • huyontop.com
  • mytarta.com
  • pentruder.co.uk


It then downloads an updated version of itself and other malware files, including a variant of Win32/Zbot.

The downloaded file is saved as the following file on your PC:

  • %TEMP% \.exe, for example, C:\documents and settings\administrator\local settings\temp\jadghsu.exe


Related information
  • Upatre update: infection chain and affected countries describes who drops what, where, how, and the role other malware plays in spreading Upatre.
  • MAPS in the cloud: How can it help your enterprise? provides an overview of how the Microsoft Active Protection Service protects an enterprise software security infrastructure in the cloud.
  • MSRT January 2015 – Dyzap details how Dyzap is connected to Upatre.
  • Wire transfer spam spreads Upatre details the spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre.
  • Help keep spam out of your Inbox explains spam prevention.
  • Six tips to help you stay safer online provides basic guidance on protecting devices, information, and your family on the Internet.
  • What is spam? provides basic information about the different types of spam attacks.




Analysis by Rodel Finones

Symptoms

The following can indicate that you have this threat on your PC:

  • You receive an unexpected spam email attachment with a file name similar to any of the following:
    • -.zip
    • ATO_TAX.zip or ATO_TAX_.zip
    • Case_.zip
    • Remit_.zip
    • Statement of Account.zip
    • TAX_.zip
    • USPS - Missed package delivery.zip
    • USPS_Label_.zip
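The attachment names, hard-coded download servers and %TEMP% drop location described above can be turned into a simple triage check for mail, DNS and file-creation telemetry. The script below is an added example written for this page, not code from Microsoft or from malwarePDF; it assumes the stripped-out variable parts of the attachment names are arbitrary text (treated as wildcards), that the %TEMP% path may be either the XP-style path shown in the write-up or the newer AppData\Local\Temp location, and uses constructed sample events.

```python
import re
from fnmatch import fnmatchcase

# Indicators taken from the write-up above. The variable parts of the
# attachment names were lost from this copy, so they are assumed to be
# arbitrary text and written as wildcards (an assumption, not the original).
ATTACHMENT_PATTERNS = [
    "*-*.zip", "ato_tax*.zip", "case_*.zip", "remit_*.zip",
    "statement of account.zip", "tax_*.zip",
    "usps - missed package delivery.zip", "usps_label_*.zip",
]
C2_DOMAINS = {"cyclivate.com", "huyontop.com", "mytarta.com", "pentruder.co.uk"}

# Matches an .exe written directly into the user's temp folder. The second
# path form (appdata\local\temp) is an assumption for newer Windows versions.
TEMP_EXE_RE = re.compile(r"\\(local settings|appdata\\local)\\temp\\[^\\]+\.exe$")

def suspicious_attachment(name):
    """True if a mail attachment name fits one of the listed lure names."""
    return any(fnmatchcase(name.lower(), p) for p in ATTACHMENT_PATTERNS)

def is_c2_domain(host):
    """True for a listed download server or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def is_temp_exe_drop(path):
    """True if a file-creation event is an .exe dropped straight into %TEMP%.
    On its own this is noisy (installers do the same), so treat it as
    corroborating evidence next to a mail or DNS hit rather than an alert."""
    return TEMP_EXE_RE.search(path.lower()) is not None

SAMPLE_EVENTS = [  # constructed sample telemetry, not from the write-up
    ("attachment", "ATO_TAX_8812.zip"),
    ("attachment", "quarterly_report.pdf"),
    ("dns", "mytarta.com"),
    ("dns", "update.microsoft.com"),
    ("file", r"C:\Documents and Settings\Administrator\Local Settings\Temp\jadghsu.exe"),
    ("file", r"C:\Windows\System32\notepad.exe"),
]

def scan_events(events):
    """Return the (kind, value) pairs that match an Upatre indicator."""
    checks = {"attachment": suspicious_attachment,
              "dns": is_c2_domain,
              "file": is_temp_exe_drop}
    return [(k, v) for k, v in events if checks.get(k, lambda _: False)(v)]

if __name__ == "__main__":
    for kind, value in scan_events(SAMPLE_EVENTS):
        print(f"[{kind}] {value}")
```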

Last update 17 April 2015
