A Windows screensaver (SCR) executable inside a ZIP file attached to an email distributed multiple pieces of malware in multiple stages to the computers of hundreds of University of Florida (UF) students and faculty.
The email, sent out Monday morning, appeared to be from a UF user and had a subject line that read “You have a new fa.” Opening the attachment and executing the SCR file unleashed a little-recognized variant of the Upatre downloader trojan, which cloned user IDs and sent out email notifications with the subject line “Upatre Infection” to other users in the network.
“When the victim user opened the ZIP archive and ran the SCR executable, they infected their computer with a multi-stage malware suite not recognized by the majority of installed antivirus tools,” UF security specialist Derris Marlin said in a letter to UF users, according to a report in The Gainesville Sun.
In a third stage, a spam mass-mailer was used to “blast out SPAM email from the infected computer or use email transport as a method of replication or both,” Marlin reportedly wrote. The university also discovered evidence that the malware would let attackers use command-and-control channels to commandeer infected computers.
“Attempting to clean a host using only an Upatre cleaning tool will not guarantee that the computer will be cleaned,” the Sun quoted Marlin as saying, after advising that users should reformat, reboot and restore from their most recent backups.
The university's information security (IS) department set up network blocks less than an hour after it first received reports of the ugly attack.