Panda, an anti-virus provider, said the suspicious emails have subject lines such as “UPS packet N3621583925.” The messages claim that it was not possible to deliver a package and advise recipients to print out a copy of an attached invoice.
The “invoice” is a zip file that contains an executable file disguised as a Microsoft Word document – it's typically named “UPS_invoice” or something similar. By running the file, the user unwittingly introduces a copy of the trojan into their computer.
Once downloaded, the code copies itself to the system and replaces the Userinit.exe file in the Windows operating system, which runs Internet Explorer, the system interface and other essential processes.
The trojan then copies the system file to another location (under the name “userini.exe”) and does not interfere with the computer's operation, thereby allaying suspicion.
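The lure described above relies on a zipped executable carrying a document-like name. The following Python script is an added example (not code from the article or from Panda) of the check a mail gateway or analyst could run over such an attachment: it opens the archive, reads each member's first bytes, and flags any file that has a Windows PE header or an executable suffix hidden behind a document extension. The sample archive it builds is constructed for the demonstration and contains only an inert stub, not an Agent.JEN sample; the filename "UPS_invoice.doc.exe" is an assumed illustration of the "UPS_invoice or something similar" naming the article mentions.

```python
import io
import zipfile

# Windows PE executables begin with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"
# Extensions that run when double-clicked; a lure counts on the user not seeing them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions a user expects an "invoice" to carry.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return findings for archive members that look like executables
    disguised as documents. Each finding is {"name": ..., "reasons": [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Split "dir/UPS_invoice.doc.exe" into its extension chain [".doc", ".exe"].
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            # Only the first two bytes are needed to recognise a PE image.
            with zf.open(info) as fh:
                head = fh.read(2)

            reasons = []
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) at start of file")
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {exts[-1]}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("double extension: document name with executable suffix")
            if exts and exts[-1] in DOCUMENT_EXTS and head == PE_MAGIC:
                reasons.append("document extension but executable content")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (assumed filename, inert stub, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A harmless byte string that merely starts with the PE magic.
        zf.writestr("UPS_invoice.doc.exe", PE_MAGIC + b"\x00" * 62 + b"constructed stub")
        zf.writestr("readme.txt", b"Please print the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The double-extension check matters because Windows Explorer hides known extensions by default, so a member named "UPS_invoice.doc.exe" is displayed to the user as "UPS_invoice.doc"; checking the file's leading bytes rather than trusting the name catches the same trick even when the suffix has been renamed to a document extension outright.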
Dominic Hoskins, a manager with Panda Security, said: “Today's malware tactics aim to get financial returns as silently as possible and this particular effort is an obvious manifestation of the current malware dynamics.”
“We had already seen cybercrooks use erotic pictures, Christmas or romantic cards, fake movie trailers and so on as baits to make users run infected files,” he added. “However, it is not usual to see bait like this one.”
Agent.JEN connects to a Russian domain that is already used by other banker trojans and uses it to send a request to a German domain to download a rootkit and adware detected by PandaLabs as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively. These increase the risk of further infection.