Vishal Dodke

Your package has arrived!

September 11, 2011

The email shown below appears to come from United Parcel Service (UPS), but it does not: the link in it points to a malicious website.

Following the link downloads an executable named invoice[random_number].JPG.exe. The double extension makes the file look like an image, and because Windows Explorer hides known file extensions by default, the trailing .exe is not even displayed. Quick Heal detects this file as Trojan.Menti.hygd.

When run, “Trojan.Menti.hygd” drops a copy of itself into a randomly named folder under a randomly named file:
“%APPDATA%\<random letters>\<random letters>.exe”

It also creates the registry value shown below, using the GUID of the Windows volume as the value name, so that the dropped copy runs automatically at every user logon:
“HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{GUID of Windows volume}” = “%APPDATA%\<random letters>\<random letters>.exe”
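As an added example (not code from the original post or from Quick Heal), the following Python script checks a host for the two artefacts described above: it flags downloaded filenames that carry a document or image extension immediately followed by an executable one, and it parses a .reg export of the HKCU Run key, flagging values whose name is GUID-shaped and whose program runs from the roaming profile. The registry export and download listing are constructed sample data, not real captures; the GUID, user name, folder names and filenames in them are made up.

```python
import re

# Constructed sample (not a real capture): the text that
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# would write. .reg syntax is "name"="data" with backslashes and quotes escaped.
# The GUID-named entry mimics the persistence value described in the post;
# the GUID, user name and folder names are made up.
SAMPLE_RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"{7c2a9f4e-1b3d-4e5f-9a6b-0c1d2e3f4a5b}"="C:\\Users\\alice\\AppData\\Roaming\\qwkz\\tpvbn.exe"
"Updater"="%APPDATA%\\vendor\\update.exe"
'''

# Constructed sample of a download directory listing.
SAMPLE_DOWNLOADS = [
    "invoice_83912.JPG.exe",  # the lure: shows as invoice_83912.JPG when extensions are hidden
    "holiday.jpg",
    "report.pdf",
    "setup.exe",
]

GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
# A document/image extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(
    r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)\.(exe|scr|com|pif|bat|cmd|vbs|js)$", re.I
)
# One "name"="data" line of a .reg file; escape sequences are tokenised as \<char>.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def is_double_extension(filename):
    """True for names such as invoice123.JPG.exe."""
    return DOUBLE_EXT_RE.search(filename) is not None


def _unescape(s):
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {value_name: data} for the string values in a one-key .reg export."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_path(command):
    """Program path of a Run value: either a quoted path followed by arguments,
    or a bare path (assumed to contain no spaces when it is unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_under_roaming_appdata(path):
    """True if the program lives in the user's roaming profile, written either as
    the literal %APPDATA% variable or as its expanded ...\\AppData\\Roaming\\ form."""
    p = path.lower()
    return p.startswith("%appdata%") or "\\appdata\\roaming\\" in p


def suspicious_run_entries(reg_export_text):
    """Apply the post's persistence indicators to every Run value.
    Returns [(value_name, program_path, [reasons])] for entries with at least one hit."""
    findings = []
    for name, data in parse_reg_export(reg_export_text).items():
        path = executable_path(data)
        reasons = []
        if GUID_RE.match(name):
            reasons.append("GUID-shaped value name")
        if is_under_roaming_appdata(path):
            reasons.append("runs from roaming AppData")
        if is_double_extension(path):
            reasons.append("double extension")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in SAMPLE_DOWNLOADS:
        if is_double_extension(f):
            print("double extension:", f)
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_KEY_EXPORT):
        print(f"{name} -> {path}: {', '.join(reasons)}")
```

On a real host, replace SAMPLE_RUN_KEY_EXPORT with the contents of a file written by reg export and SAMPLE_DOWNLOADS with a directory listing. A program under %APPDATA% on its own is a weak signal, since many legitimate per-user installers keep their updaters there; it is the combination of a GUID-shaped value name with a random-looking path in the roaming profile that matches the behaviour described in the post, so treat single-reason hits as triage leads rather than verdicts.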

The malware then injects code into the address space of other Windows processes, as shown in the screenshot below:

Because this trojan steals sensitive data from the infected computer, we advise users not to open links or attachments in unexpected delivery notifications, even when the message appears to come from a well-known courier.
