The Microsoft Malware Protection Center (MMPC) reports a rise in the spread of the Win/32.Upatre Trojan. Upatre is spread via email attachment. Once it has infected a machine its purpose is to download further malware. The chart below shows the uptake in Upatre infections.

The most commonly downloaded Malware by Upatre is Win32/Zbot.gen!AM which steals credentials and allows the criminals to control the infected machine. Another commonly downloaded Malware by Upatre is TrojanDropper:Win32/Rovnix.I which writes malicious code to the NTFS boot sector. Rovnix injects code into explorer.exe for the purpose of downloading more Malware from youtubeflashserver[dot]com on every reboot of the infected machine. Other sites Upatre downloads Malware from are mytarta[dot]com, cyclivate[dot]com, pentruder[dot]co[dot]uk, and huyontop[dot]com.

Upatre is spread using the following attachments where ‘<variable names>’ can be domains, company, and individual names, or even random letters or words: USPS_Label_<random number>.zip, USPS – Missed package delivery.zip, Statement of Account.zip, <number>-<number>.zip, TAX_<variable names>.zip, Case_<random number>.zip, Remit_<variable names>.zip, ATO_TAX.zip, and ATO_TAX_<variable names>.zip.

Remember to only open email attachments from senders you can verify, and always scan all attachments with antivirus software.