The Microsoft Malware Protection Center (MMPC) is currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre.
It is important to note that customers running up-to-date Microsoft security software are protected from this threat. Additionally, customers with Microsoft Active Protection Service Community (MAPS) enabled also benefit from our cloud protection service.
Upatre typically uses spam email campaigns to spread and then downloads other malware onto the infected PC. Emails in the latest spam campaign (as shown below) claim to have sent the recipient a wire transfer of “$35,292.00” and asks them to open the email attachment.
Figure 1: An example of the latest spam email spreading Trojan:Win32/Upatre
The attachment contains a malicious ZIP file. We have seen it use the name payment1872.zip, but this can change at any time. The file extracts as an SCR file that imitates a screen saver or an Adobe PDF document as shown in the example below:
Figure 2: The extracted file imitates an Adobe PDF or screen saver
Trojan:Win32/Upatre is installed when this file is opened.
During the past week, our telemetry showed this threat was predominately seen in North America and attempts to compromise both consumer and enterprise machines.
Figure 3: Trojan:Win32/Upatre consumer and enterprise machine encounters 9-10 December, 2014
If this threat is successfully installed, it will try and connect to the following URLs to download other malware components:
The downloaded components are encrypted and contain PWS:Win32/Dyzap.H. This threat can steal personal information such as your banking user names and passwords.
Microsoft security products, such as Microsoft Security Essentials, include detection for Trojan:Win32/Upatre and PWS:Win32/Dyzap.H from version 1.189.1849.0. To help stay protected we recommend you keep your security software up-to date.
We also encourage people to join our Microsoft Active Protection Service Community (MAPS). Data from MAPS is used by our analysts to help respond quickly to emerging threats. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:
Figure 4: You can take advantage of the Microsoft cloud protection service by enabling the MAPS option in your Microsoft anti-malware security product
We are closely monitoring this and related threats using the telemetry we receive from our customers.