TROJ_UPATRE.ACI

This Trojan arrives as attachment to mass-mailed email messages. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives as attachment to mass-mailed email messages.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Temp%\hidureta.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• http://myip.dnsomatic.com/

It connects to the following possibly malicious URL:

• http://{BLOCKED}.{BLOCKED}.11.51:443
• http://{BLOCKED}.{BLOCKED}.203.43:443
• http://{BLOCKED}.{BLOCKED}.213.123:443
• http://{BLOCKED}.{BLOCKED}.49.11:443
• http://{BLOCKED}.{BLOCKED}.247.74:443
• http://{BLOCKED}.{BLOCKED}.31.6:443
• http://{BLOCKED}.{BLOCKED}.135.103:443
• http://{BLOCKED}.{BLOCKED}.123.210:443
• http://{BLOCKED}.{BLOCKED}.94.38:443
• http://{BLOCKED}.{BLOCKED}.191.245:443
• http://{BLOCKED}.{BLOCKED}.90.166:12198/16A2/
• http://{BLOCKED}.{BLOCKED}.199.21:443
• http://{BLOCKED}.{BLOCKED}.214.102:443
• http://{BLOCKED}.{BLOCKED}.103.27:443
• http://{BLOCKED}.{BLOCKED}.197.50:443
• http://{BLOCKED}.{BLOCKED}.68.78:443
• http://{BLOCKED}.{BLOCKED}.49.117:443
• http://{BLOCKED}.{BLOCKED}.138.154:443
• http://{BLOCKED}.{BLOCKED}.231.11:443
• http://{BLOCKED}.{BLOCKED}.217.188:443
• http://{BLOCKED}.{BLOCKED}.131.116:443
• http://{BLOCKED}.{BLOCKED}.20.53:443
• http://{BLOCKED}.{BLOCKED}.144.177:443
• http://{BLOCKED}.{BLOCKED}.159.18:443
• http://{BLOCKED}.{BLOCKED}.248.235:443
• http://{BLOCKED}.{BLOCKED}.156.246:443
• http://{BLOCKED}.{BLOCKED}.236.173:443
• http://{BLOCKED}.{BLOCKED}.229.215:443
• http://{BLOCKED}.{BLOCKED}.147.66:443
• http://{BLOCKED}.{BLOCKED}.195.6:443
• http://{BLOCKED}.{BLOCKED}.201.222:443
• http://{BLOCKED}.{BLOCKED}.201.61:443
• http://{BLOCKED}.{BLOCKED}.242.203:443
• http://{BLOCKED}.{BLOCKED}.171.44:443
• http://{BLOCKED}.{BLOCKED}.204.114:443
• http://{BLOCKED}.{BLOCKED}.10.116:443
• http://{BLOCKED}.{BLOCKED}.82.80:443
• http://{BLOCKED}.{BLOCKED}.30.156:443
• http://{BLOCKED}.{BLOCKED}.101.67:443
• http://{BLOCKED}.{BLOCKED}.233.105:443
• http://{BLOCKED}.{BLOCKED}.76.211:443
• http://{BLOCKED}.{BLOCKED}.64.45:443
• http://{BLOCKED}.{BLOCKED}.104.170:443
• http://{BLOCKED}.{BLOCKED}.142.189:443
• http://{BLOCKED}.{BLOCKED}.120.43:443
• http://{BLOCKED}.{BLOCKED}.140.7:443
• http://{BLOCKED}.{BLOCKED}.193.210:443
• http://{BLOCKED}.{BLOCKED}.105.164:443
• http://{BLOCKED}.{BLOCKED}.130.9:443
• http://{BLOCKED}.{BLOCKED}.82.66:443

It deletes the initially executed copy of itself