MX Lab, http://www.mxlab.eu, has started to intercept a new trojan distribution campaign by email with the subject “Internet Fax Job”. The email is sent from the spoofed address “MyFax <email@example.com>” and has the following body:
Fax image data
The downloaded file fax8642174_pdf contains the 21 kB file fax8642174_pdf.exe.
The trojan is known as Upatre.FH.
The trojan installs itself by creating the service ioiju.exe, makes sure that it starts when Windows boots, and modifies several Windows registry entries. Connections can be established with:
At the time of writing, 1 of the 55 AV engines detected the trojan at VirusTotal.
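
A gateway-side check for the delivery pattern described above, where the download carries an executable named to look like a PDF (fax8642174_pdf.exe). This is an added example, not MX Lab's code: it assumes the downloaded container is a ZIP archive, and the extension lists, function names and sample archive are constructed for illustration.

```python
import io
import posixpath
import re
import zipfile

# Extensions Windows runs directly (assumed policy list, not taken from the advisory).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".cpl"}
# Document type embedded in the stem, e.g. "fax8642174_pdf.exe" or "invoice.pdf.exe".
DOC_LURE = re.compile(r"[._-](pdf|docx?|xlsx?|rtf|txt|jpe?g|png|tiff?)$", re.I)


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP: out of scope for this check
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = posixpath.basename(info.filename)
            stem, ext = posixpath.splitext(name)
            ext = ext.lower()
            is_pe = False
            if not info.flag_bits & 0x1:  # encrypted members cannot be read here
                with archive.open(info) as member:
                    is_pe = member.read(2) == b"MZ"  # DOS/PE magic bytes
            reasons = []
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension")
            elif is_pe:
                reasons.append("PE header under non-executable name")
            if reasons and DOC_LURE.search(stem):
                reasons.append("document type in file name")
            if reasons:
                findings.append({"member": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory ZIP for testing; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()
```
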