June 22, 2012
In late June, many users received e-mails supposedly from UPS. Such messages contain a delivery failure notification. Criminals prompt the potential victim to fill in an attached form in which they are to specify a correct delivery address. The attached zip-archive contains an executable featuring the Microsoft Word document icon. If the option to hide extensions for known file types is enabled in the operating system, the unsuspecting user might try to open the "document", thus launching the malicious program.
In the infected system, Trojan.Inject1.4969 copies itself into the current user's Application Data folder, deletes the original file, and registers itself in the registry branch responsible for the automatic launch of applications. Then Trojan.Inject1.4969 runs explorer.exe, injects its code into the process, and then tries to inject it into all processes currently running on the system. Once malicious code is copied into the processes explorer.exe, iexplore.exe, or firefox.exe, the Trojan sets an HTTP connection to control servers whose addresses are stored in its code. The Trojan horse uses MS Windows CryptoAPI to encrypt its requests.
Trojan.Inject1.4969 collects information about the current user profile and steals and forwards Mozilla Firefox and Internet Explorer cookies to the attackers, which may result in compromised user accounts. In addition, the Trojan is able to execute on the infected computer control commands received from a server, such as redirect requests to the Windows shell, and requests to download and run applications; the Trojan can also send the criminals files and information about the contents of a specified directory located in the compromised system.
Doctor Web is once again urging users to exercise caution when opening e-mail attachments. Some of these attachments may pose a serious threat to information security.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.