Malware That Downloads Malware

The Microsoft Malware Protection Center (MMPC) reports a rise in the spread of the Win/32.Upatre Trojan. Upatre is spread via email attachment. Once it has infected a machine its purpose is to download further malware. The chart below shows the uptake in Upatre infections.


The most commonly downloaded Malware by Upatre is Win32/Zbot.gen!AM which steals credentials and allows the criminals to control the infected machine. Another commonly downloaded Malware by Upatre is TrojanDropper:Win32/Rovnix.I which writes malicious code to the NTFS boot sector. Rovnix injects code into explorer.exe for the purpose of downloading more Malware from youtubeflashserver[dot]com on every reboot of the infected machine. Other sites Upatre downloads Malware from are mytarta[dot]com, cyclivate[dot]com, pentruder[dot]co[dot]uk, and huyontop[dot]com.

Upatre is spread using the following attachments where ‘<variable names>’ can be domains, company, and individual names, or even random letters or words: USPS_Label_<random number>.zip, USPS – Missed package, Statement of, <number>-<number>.zip, TAX_<variable names>.zip, Case_<random number>.zip, Remit_<variable names>.zip,, and ATO_TAX_<variable names>.zip.

Remember to only open email attachments from senders you can verify, and always scan all attachments with antivirus software.


One thought on “Malware That Downloads Malware

  1. I wanted to thank you for this excellent read!! I certainly
    enjoyed every bit of it. I have got you bookmarked to look at new things
    you post…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s