TROJ_GETEGOLD.A

Discussion in 'malware problems & news' started by Randy_Bell, Nov 12, 2004.

Thread Status:
Not open for further replies.
Randy_Bell (Registered Member; joined May 24, 2002; Santa Clara, CA) wrote:
TROJ_GETEGOLD.A targets users with e-gold accounts. E-gold is an integrated account-based payment system mainly utilized for e-commerce. This Trojan does not employ typical phishing techniques, such as logging user keystrokes in text files that can be sent to a remote malicious user. Instead, when a user accesses the e-gold account login form, it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then fills the duplicate Web form, which eventually leads to illegal account access. The Trojan periodically drains the funds of the compromised account by a certain percentage, and the stolen funds are then transferred to another e-gold account. This Trojan runs on Windows 95, 98, ME, NT, 2000, and XP and is currently spreading in the wild.

Upon execution, this Trojan drops itself as SVHOST.EXE in the Windows folder. It then creates a registry entry that allows it to automatically execute at every Windows startup. When a user accesses the URL http://e-gold.com/acct/login.html, this Trojan opens a hidden duplicate Internet Explorer page of the said URL, which it fills in order to drain the target user's e-gold account.

To successfully perform this function, this Trojan uses Internet Explorer's built-in OLE automation functions. This method is similar to the API hooks used by PE viruses. In this case, the Trojan executes certain functions for every change in the URL address that occurs.

The following URLs cause this Trojan to execute certain functions:

* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp

E-gold account holders should monitor e-gold Security Alerts at the following URL:
http://www.e-gold.com/unsecure/alert.html

If you would like to scan your computer for TROJ_GETEGOLD.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner, at: http://housecall.trendmicro.com/

TROJ_GETEGOLD.A is detected and cleaned by Trend Micro pattern file 2.245.01 and above.
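As an added example that is not part of the post or of Trend Micro's write-up: a defender-side check that walks a `reg export` of the Run keys and flags the persistence indicator described above, an autorun entry launching SVHOST.EXE from the Windows folder. The Run key locations, the sample registry values and the `C:\WINDOWS` path are assumptions constructed for the example; the advisory itself names only the file and the fact that a startup registry entry exists.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a "reg export" of the two usual Run keys. The values
# are invented for this example; only the SVHOST.EXE-in-the-Windows-folder
# indicator comes from the TROJ_GETEGOLD.A write-up.
SAMPLE_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVUpdate"="\"C:\\Program Files\\Example AV\\update.exe\" /silent"
"svhost"="C:\\WINDOWS\\SVHOST.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

WINDIR = r"C:\WINDOWS"  # assumption: the Windows folder on the host being checked

# One .reg value line: "name"="data" (data still carries .reg escaping).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    """Undo .reg escaping in a single pass: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', data)


def command_image(cmd: str) -> str:
    """Return the executable path from an autorun command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse_run_keys(reg_text: str):
    """Yield (key, value_name, command) for every value in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), unescape_reg(m.group('data'))


def find_getegold_autoruns(reg_text: str, windir: str = WINDIR):
    """Flag autorun entries whose image is SVHOST.EXE directly in the Windows
    folder. Matching is case-insensitive, as Windows file names are; note the
    legitimate svchost.exe lives under system32 and is spelled with a 'c'."""
    hits = []
    for key, name, cmd in parse_run_keys(reg_text):
        image = PureWindowsPath(command_image(cmd))
        if (image.name.lower() == 'svhost.exe'
                and str(image.parent).lower() == windir.lower()):
            hits.append((key, name, str(image)))
    return hits
```

On a live host the same function can be fed the output of `reg export` for each Run key in turn; a hit is a reason to compare the file against the pattern file named above rather than proof on its own.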