cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Support Perspective: Downloader.Upatre

Brandon_Noble
Not applicable
Employee
‎12-19-2014 11:51 AM

Support is seeing an influx of calls on a spam attack with a Downloader.Upatre threat.

Because the threat is a downloader and the downloaded files have differing behaviors the following is general information on what we are seeing.

 

The threat generally:

  •          Arrives as in a .ZIP attachment
  •          Is initially a .SCR file, but will re-write itself as a .exe after execution
  •          Files names follow a similar naming convention
    •    document81723.scr
    •    payment_ref02812_pdf.scr
    •    fax8642174_pdf.exe
    •    document18731.scr
    •    payment-confirmed2763_pdf.scr
  •          Downloads additional threats and backdoors. These include: Infostealer.Dyranges, Backdoor.Trojan, and Trojan Horse
  •          May be detected as Downloader.Upatre, Trojan.Gen.Smh
  •          May include a non-executable threat artifact.

 

Remediation is fairly starightforward

  1.        Submit the file; get defs, and a *SCRIBE report.
  2.        Block all C&C communications noted in the report
  3.        Scan and Remove the threat
  4.        Reboot
    * we have had some cases where a reboot was required to remove the threat from memory. We are suggesting a reboot on all machines where the threat was allowed to execute.

    *Because the secondary threats may not be the same for each infection it’s important to get new submissions and stay flexible in your troubleshooting.

    *We have had several reports of one of the secondary threats having mass mailing capability as well. This is unconfirmed.

    *Whats a SCRIBE Report?
    A SCRIBE report is provided to all enterprise submissions and provides technical analysis of the threat. It usually arrives about an hour after the inital submission.

Support Notes:

  •          Spam attacks should be blocked by a spam filter and should not be allowed to reach the desktop at all. This scenario allows for a much faster conception to infection model.
  •          These are wide spread indiscriminate attacks and that they do not appear to be targeted.
Customers that have been attacked once are likely to be attacked again with a new variant designed to avoid detection...usually within 24 hours.