Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Doctor Web warns users about malicious spam spreading a dangerous Trojan

June 22, 2012

Russian information security company Doctor Web is reporting on the spread of malicious spam, purportedly originating with carrier service UPS, that is distributing Trojan.Inject1.4969. This malware can steal information, download other applications from remote servers, and execute commands received from intruders.

In late June, many users received e-mails supposedly from UPS. Such messages contain a delivery failure notification. Criminals prompt the potential victim to fill in an attached form in which they are to specify a correct delivery address. The attached zip-archive contains an executable featuring the Microsoft Word document icon. If the option to hide extensions for known file types is enabled in the operating system, the unsuspecting user might try to open the "document", thus launching the malicious program.

screen

In the infected system, Trojan.Inject1.4969 copies itself into the current user's Application Data folder, deletes the original file, and registers itself in the registry branch responsible for the automatic launch of applications. Then Trojan.Inject1.4969 runs explorer.exe, injects its code into the process, and then tries to inject it into all processes currently running on the system. Once malicious code is copied into the processes explorer.exe, iexplore.exe, or firefox.exe, the Trojan sets an HTTP connection to control servers whose addresses are stored in its code. The Trojan horse uses MS Windows CryptoAPI to encrypt its requests.

Trojan.Inject1.4969 collects information about the current user profile and steals and forwards Mozilla Firefox and Internet Explorer cookies to the attackers, which may result in compromised user accounts. In addition, the Trojan is able to execute on the infected computer control commands received from a server, such as redirect requests to the Windows shell, and requests to download and run applications; the Trojan can also send the criminals files and information about the contents of a specified directory located in the compromised system.

Doctor Web is once again urging users to exercise caution when opening e-mail attachments. Some of these attachments may pose a serious threat to information security.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040