TROJ_GETEGOLD.A targets users with e-gold accounts. E-gold is an integrated account-based payment system mainly utilized for e-commerce.

This Trojan does not employ typical phishing techniques, such as logging user keystrokes in text files that can be sent to a remote malicious user. Instead, when a user accesses the e-gold account login form, it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then fills the duplicate Web form, which eventually leads to illegal account access. The Trojan periodically drains the funds of the compromised account by a certain percentage, and the stolen funds are then transferred to another e-gold account.

This Trojan runs on Windows 95, 98, ME, NT, 2000, and XP and is currently spreading in the wild.

Upon execution, this Trojan drops itself as SVHOST.EXE in the Windows folder. It then creates a registry entry that allows it to automatically execute at every Windows startup.

When a user accesses the URL http://e-gold.com/acct/login.html, this Trojan opens a hidden duplicate Internet Explorer page of the said URL, which it fills, in order to drain a target user’s e-gold account. To successfully perform this function, this Trojan uses Internet Explorer’s built-in OLE automation functions. This method is similar to API hooks used by PE viruses. In this case, this Trojan executes certain functions for every change in the URL address that occurs.

The following URLs cause this Trojan to execute certain functions:

* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp

E-gold account holders should monitor e-gold Security Alerts at the following URL: http://www.e-gold.com/unsecure/alert.html

If you would like to scan your computer for TROJ_GETEGOLD.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

TROJ_GETEGOLD.A is detected and cleaned by Trend Micro pattern file 2.245.01 and above.
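
One way to triage the persistence behaviour described above (SVHOST.EXE dropped in the Windows folder and started from an autorun registry entry), as an added example that is not part of the original advisory or of Trend Micro's tooling. It goes beyond the advisory by also flagging other near-miss spellings and misplaced copies of svchost.exe. The advisory does not name the registry entry, so the autorun entries, value names and paths below are constructed, and the function names are hypothetical.

```python
import ntpath

LEGIT_NAME = "svchost.exe"  # genuine Windows service host, lives in System32

# Constructed autorun entries (value name, command line); not taken from the advisory.
SAMPLE_AUTORUNS = [
    ("SecurityAgent", r'"C:\Program Files\Vendor\agent.exe" /tray'),
    ("svhost", r"C:\WINDOWS\SVHOST.EXE"),
    ("Host", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("Updater", r"C:\Temp\svchost.exe"),
    ("Helper", r"C:\WINDOWS\system32\scvhost.exe"),
]

def image_path(command):
    """Extract the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(command, windows_dir=r"C:\WINDOWS"):
    """Return a finding code for a suspicious autorun image, else None."""
    folder, name = ntpath.split(image_path(command).lower())
    win = windows_dir.lower().rstrip("\\")
    if name == "svhost.exe" and folder == win:
        return "advisory-match"      # SVHOST.EXE in the Windows folder
    if name == LEGIT_NAME:
        trusted = folder in (win + r"\system32", win + r"\syswow64")
        return None if trusted else "misplaced"
    return "lookalike" if edit_distance(name, LEGIT_NAME) <= 2 else None

def scan(autoruns, windows_dir=r"C:\WINDOWS"):
    """Return (value name, command, finding) for every flagged entry."""
    findings = [(n, c, classify(c, windows_dir)) for n, c in autoruns]
    return [f for f in findings if f[2]]

if __name__ == "__main__":
    for name, command, finding in scan(SAMPLE_AUTORUNS):
        print(f"{finding:15} {name:10} {command}")
```

Pass the actual Windows folder as `windows_dir` on systems where it is not `C:\WINDOWS` (for example `C:\WINNT` on Windows NT and 2000).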