June 22, 2012

Russian information security company Doctor Web is reporting on the spread of malicious spam, purportedly originating with carrier service UPS, that is distributing Trojan.Inject1.4969. This malware can steal information, download other applications from remote servers, and execute commands received from intruders.

In late June, many users received e-mails supposedly from UPS. Such messages contain a delivery failure notification. Criminals prompt the potential victim to fill in an attached form in which they are to specify a correct delivery address. The attached zip-archive contains an executable featuring the Microsoft Word document icon. If the option to hide extensions for known file types is enabled in the operating system, the unsuspecting user might try to open the "document", thus launching the malicious program.

In the infected system, Trojan.Inject1.4969 copies itself into the current user's Application Data folder, deletes the original file, and registers itself in the registry branch responsible for the automatic launch of applications. Then Trojan.Inject1.4969 runs explorer.exe, injects its code into the process, and then tries to inject it into all processes currently running on the system. Once malicious code is copied into the processes explorer.exe, iexplore.exe, or firefox.exe, the Trojan sets an HTTP connection to control servers whose addresses are stored in its code. The Trojan horse uses MS Windows CryptoAPI to encrypt its requests.

Trojan.Inject1.4969 collects information about the current user profile and steals and forwards Mozilla Firefox and Internet Explorer cookies to the attackers, which may result in compromised user accounts. In addition, the Trojan is able to execute on the infected computer control commands received from a server, such as redirect requests to the Windows shell, and requests to download and run applications; the Trojan can also send the criminals files and information about the contents of a specified directory located in the compromised system.

Doctor Web is once again urging users to exercise caution when opening e-mail attachments. Some of these attachments may pose a serious threat to information security.