These last days we have observed several false email messages in circulation which seemed to come from the UPS company. However, they are not related to with this company at all.

The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN).

This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received in our laboratory during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

 

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871