Also detected as:
Win32/TrojanDownloader.Waski.B trojan (ESET),
The following can indicate that you have this threat on your PC:
detects and removes this threat.
This trojan can download and install other programs, including other malware, onto your PC.
It can be installed on your PC from a spam email attachment.
This threat is one of the many variants of the Upatre malware family. See the Win32/Upatre family description for more information.
Use the following free Microsoft software to detect and remove this threat:
You should also run a full scan. A full scan might find other hidden malware.
Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.
Check if MAPS is enabled in your Microsoft security product:
Select Settings and then select MAPS.
Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
TrojanDownloader:Win32/Upatre.A can get onto your PC as a spam email attachment.
We have seen the attachment use any of the following file names:
The email can look like any of the following:
TrojanDownloader:Win32/Upatre.A also creates this file on your PC:
where <dropped file>.exe is hard-coded inside the malware file.
Downloads updates and other malware
TrojanDownloader:Win32/Upatre.A connects to another server, whose address is hard-coded in the malware.
We have seen it connect to the following servers:
It then downloads an updated version of itself and other malware files, including a variant of Win32/Zbot.
The downloaded file is saved as the following file on your PC:
Analysis by Rodel Finones
Take these steps to help prevent infection on your PC.