Panda Security is warning email recipients that a series of messages purporting to come from package delivery company UPS may in fact harbour the Agent.JEN trojan.
The IT security provider said the suspicious emails have subject text along the lines of “UPS packet N3621583925”. The messages claim that it was not possible to deliver a postal package and advise recipients to print out a copy of an attached invoice.
The “invoice”, a .zip file, in fact contains an executable file disguised as a Microsoft Word document and named “UPS_invoice” or similar. By running the file, the user unwittingly installs a copy of the trojan on their computer.
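A mail gateway or analyst can check for the disguise described above by inspecting what a .zip attachment actually contains rather than trusting member names. The following is an added example, not Panda Security's tooling; the function names, extension lists and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly when double-clicked (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Extensions a recipient would expect for an invoice (illustrative list).
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf"}


def suspicious_members(zip_bytes):
    """Return (name, reasons) for each archive member that looks like a
    program posing as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p.strip() for p in base.split(".")[1:]]
            with archive.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE executable magic
            reasons = []
            if is_pe and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                reasons.append("PE header under a non-executable name")
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
                if any(e in DOCUMENT_EXTS for e in exts[:-1]):
                    reasons.append("double extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed sample archive; member names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("UPS_invoice.doc.exe", b"MZ" + b"\x00" * 62)
        z.writestr("UPS_invoice.doc", b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample()):
        print(name, "->", ", ".join(reasons))
```

A member with an executable extension and a Word icon would be caught by the extension check alone; the header check covers renamed files.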
Once downloaded, the code copies itself to the system and replaces Userinit.exe, the Windows operating system file that runs Internet Explorer, the system interface and other essential processes.
The trojan then copies the system file to another location under the name “userini.exe”, so that the computer keeps running normally and no suspicion is raised.
Dominic Hoskins, country manager, Panda Security UK, said: “Today's malware tactics aim to get financial returns as silently as possible and this particular effort is an obvious manifestation of the current malware dynamics.
“We had already seen cyber crooks use erotic pictures, Christmas or romantic cards, fake movie trailers and so on as baits to make users run infected files. However, it is not usual to see bait like this one.”
Agent.JEN connects to a Russian domain that is already used by other banker trojans and uses it to send a request to a German domain to download a rootkit and an adware program, detected by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively. These increase the risk of further infection.