Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Mitigating TROJ_UPATRE using Trend Micro Products

    • Updated:
    • 13 Nov 2015
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.5
    • Deep Security 9.6
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan 11.0
    • OfficeScan 8.0
    • OfficeScan 8.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 10.2
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • ScanMail for Lotus Domino 5.0 zLinux
    • Platform:
    • N/A N/A
Summary

UPATRE was first spotted in August 2013, after the fall of Blackhole Exploit Kit. Its variants usually arrive onto systems as malicious files attached to spammed messages, or as a link to a malicious website hosting the malware itself.

UPATRE malware, upon installation, will download and execute additional malware on the affected system. Some of the downloaded malware by UPATRE are ZEUS, CRILOCK, DYREZA and ROVNIX variants. Such malware severely compromises the security of the system they affect, and in CRILOCK's case, render it useless due to its file-encrypting routines.

New variants of TROJ_UPATRE are now capable of stealing system information such as the affected system’s computer name and operating system. UPATRE samples are using Adobe acrobat as icon for a file using EXE or SCR as extension specifically those attachment on spam mails. This characteristic is highly suspicious yet unique to UPATRE family. Thus, it can be used as indicator for this threat family.

For further information on TROJ_UPATRE variants that we have already detected, click here.

UPATRE: INFECTION CHAIN and LAYERED SOLUTION

UPATRE: INFECTION CHAIN and LAYERED SOLUTION

                                        Click image to enlarge.

Pattern Versions and Release Dates

PatternVersionRelease Date
AntiSpam PatternAS Pattern 1280Jan 24, 2015
Virus PatternOPR 11.415.00Jan 16, 2015
Behavior Monitoring BM PatternOPR 1459Jul 1, 2015
Deep Discovery PatternNCIP 1.12195.00Nov 21, 2014
Damage Cleanup TemplateDCT OPR 1444Apr 2, 2015
Web Reputation Jan 14, 2015
Details
Public
 
Make sure to always use the latest pattern available to detect the old and new variants of TROJ_UPATRE.

Solution Map

Major ProductsVersionsVirus PatternBehavior MonitoringEmail ReputationAntiSpam PatternWeb ReputationDDI Pattern
OfficeScan10.6 and aboveUpdate Pattern via web consoleUpdate Pattern via web consoleN/AN/AEnable Web Reputation Service*N/A
Deep Security8.0 and aboveN/AN/AN/AN/A
ScanMailSMEX 10 and laterN/AEnable Email Reputation Service*Update Pattern via web consoleN/A
SMD 5 and laterN/AN/AN/A
InterScan MessagingIMSVA 8.0 and aboveN/AEnable Email Reputation Service*N/A
InterScan WebIWSVA 6.0 and laterN/AN/AN/AN/A
Deep DiscoveryDDI 3.0 and laterN/AN/AN/AUpdate Pattern via web console
 
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

For recommendations and the best practices that can help you better protect your network using Trend Micro products, refer to this link .

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Update
Solution Id:
1112974
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.