This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4465 (2005-04-08)
Updated DAT: 4688 (2006-02-02)
Minimum Engine: 5.1.00
File Length: 36,864 bytes
Description Added: 2005-04-07
Description Modified: 2005-04-07
This detection is for a trojan intended to steal users' credit card details. The trojan is written in Visual Basic, and attempts to fool users into entering their credentials into their web browser by spoofing legitimate web content.
The trojan is intended to target VISA and MASTERCARD users. Administrators should block access to the following IP address (used for hosting the spoofed web site):
Display of the popup window and subsequent browser window as detailed below.
When run, the trojan displays the following popup dialog:
In the background the trojan appends lines to the local HOSTS file, to redirect access to the following sites to a static IP address (66.242.132.195):
When the "Start" button is clicked, the system default browser is launched, and one of the above URLs is opened (depending upon the user's choice of radio button).
However, because the trojan has modified the local HOSTS file, the real sites are not opened; instead, a spoofed copy of the site on the hacker's server is displayed. Subsequently, any details the user enters will be harvested by the hacker(s).
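A HOSTS file audit for the redirection described above, as an added example that is not part of the original description or any vendor tool. The address 66.242.132.195 is the one given on this page; the hostnames in the sample file are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Address this page reports the trojan writes into the HOSTS file.
KNOWN_BAD_IPS = {ipaddress.ip_address("66.242.132.195")}

# Constructed sample HOSTS content; hostnames are placeholders, not the real targets.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
::1 localhost
66.242.132.195 cards.example.com www.cards.example.com  # appended entry
10.0.0.5 intranet.example.com
0.0.0.0 ads.example.net
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every mapping line in HOSTS text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or malformed line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        yield line_no, ip, [h.lower() for h in fields[1:]]

def audit_hosts(text, bad_ips=KNOWN_BAD_IPS):
    """Return (line_no, hostname, ip, reason) for entries worth reviewing."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip in bad_ips:
            reason = "known-bad address"
        elif ip.is_loopback or ip.is_unspecified:
            continue                          # localhost and sinkhole entries
        else:
            reason = "non-loopback override"  # legitimate or not, needs a look
        findings.extend((line_no, n, str(ip), reason) for n in names)
    return findings

if __name__ == "__main__":
    # On Windows, read %SystemRoot%\System32\drivers\etc\hosts instead of the sample.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries flagged as "non-loopback override" are not necessarily malicious; they are listed because any hostname pinned to a remote address bypasses DNS and should be accounted for.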
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release.