London, July 15, 2008
Panda Security has detected the appearance of a series of emails used to spread the Agent.JEN Trojan. The messages purport to come from the package delivery company UPS.
The message body, with subjects such as “UPS packet N3621583925”, informs the recipient that it was impossible to deliver a postal package sent by them and advises to print out a copy of the attached invoice.
The invoice is included in an attached “.zip” file that contains an executable file disguised as a Microsoft Word document with names like “UPS_invoice”. However, if the targeted user runs the file, they will be introducing a copy of the Trojan into their computer.
The malicious code copies itself to the system, replacing the Userinit.exe file in the Windows operating system. This file runs the Internet Explorer browser, the system interface and other essential processes. The Trojan then copies the system file to another location under the name userini.exe not interfering with the computer’s work and without raising any suspicion of the infection.
“Today’s malware tactics aim to get financial returns as silently as possible and this particular effort is an obvious manifestation of the current malware dynamics”, says Dominic Hoskins, Country Manager, Panda Security UK.
Agent.JEN connects to a Russian domain (already used by other banker Trojans) and uses it to send a request to a German domain to download a rootkit and an adware detected by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively. This further increases the risk of infection.
“We had already seen cyber-crooks use erotic pictures, Christmas or romantic cards, fake movie trailers, etc. as baits to make users run infected files. However, it is not usual to see bait like this one”, explains Hoskins. “This clearly indicates that cyber-crooks are trying to use bait that does not raise suspicion to spread their creations”.
More information is available in the PandaLabs blog: (http://pandalabs.pandasecurity.com/archive/Fake-UPS-Invoice-Email.aspx)
