Security Alerts and vulnerabilities: Let's keep abreast of the latest threats by posting those findings here.

11-06-2004, 09:28 AM
Mobo
Troj_getegold.a

This Trojan, detected as TROJ_GETEGOLD.A, specifically targets users with e-gold accounts. E-gold is an integrated account-based payment system mainly utilized for e-commerce.

This Trojan does not employ usual phishing techniques, like logging user keystrokes in text files that can be sent to a remote malicious user. Instead, whenever a user tries to access the e-gold account login form via the URL http://e-gold.com/acct/login.html, it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then proceeds to fill up the duplicate Web form, which eventually leads to illegal account access.

The Trojan periodically drains the funds of the compromised account by a certain percentage. The stolen funds are then transferred to another e-gold account.

To be able to successfully perform this function, this Trojan uses IE’s built-in Object Linking and Embedding (OLE) automation functions. This method is similar to API hooks used by file-infectors. In this case, this Trojan executes certain functions for every change in the URL address that occurs while the user continues to navigate through the e-gold Web pages.

(Note: Object Linking and Embedding (OLE) is a compound document standard that enables a user to create objects with one application and then link or embed them in another application.)

When the Trojan detects that the user is accessing the following URLs, it continues to execute its routines:

* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp

The Trojan runs on Windows 95, 98, ME, NT, 2000, and XP.

E-gold account holders are advised to constantly monitor e-gold Security Alerts at the following URL:

http://www.e-gold.com/unsecure/alert.html
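
A defender-side heuristic for the behaviour described in the post above, as an added example that is not part of the original post or of the vendor write-up it quotes: it scans web proxy logs for a client that loads the e-gold login page twice in quick succession (the visible window plus the hidden duplicate) and then lists which of the monitored account pages that client went on to request. The log format, the 5-second window and the sample lines are assumptions constructed for illustration; a manual page reload produces the same pattern, so a hit is a lead to investigate on the host, not a verdict.

```python
import re
from datetime import datetime, timedelta

# URLs named in the advisory, normalized to host-without-www + path.
LOGIN = "e-gold.com/acct/login.html"
WATCHED = {"e-gold.com/acct/" + p for p in
           ("acct.asp", "balance.asp", "spend.asp", "verify.asp")}
WINDOW = timedelta(seconds=5)  # assumption: how close the duplicate load is

# Constructed proxy log, sorted by time: "<ISO time> <client> <url>" (assumed format).
SAMPLE_LOG = """\
2004-11-06T09:00:00 10.0.0.5 http://e-gold.com/acct/login.html
2004-11-06T09:00:01 10.0.0.5 http://e-gold.com/acct/login.html
2004-11-06T09:00:40 10.0.0.5 https://www.e-gold.com/acct/balance.asp
2004-11-06T09:01:10 10.0.0.5 https://www.e-gold.com/acct/spend.asp
2004-11-06T09:05:00 10.0.0.9 http://e-gold.com/acct/login.html
2004-11-06T09:05:30 10.0.0.9 https://www.e-gold.com/acct/acct.asp
2004-11-06T09:07:00 10.0.0.7 http://example.com/acct/login.html
"""

def normalize(url):
    """Drop scheme, leading 'www.', query, fragment and case so variants compare equal."""
    url = re.sub(r"^[a-z]+://", "", url.strip().lower())
    url = re.sub(r"^www\.", "", url)
    return url.split("?", 1)[0].split("#", 1)[0]

def find_suspects(log_text):
    """Return {client: [watched pages requested after a duplicated login load]}."""
    last_login, suspects = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, url = line.split(None, 2)
        when, page = datetime.fromisoformat(stamp), normalize(url)
        if page == LOGIN:
            prev = last_login.get(client)
            if prev is not None and when - prev <= WINDOW:
                suspects.setdefault(client, [])  # second load inside the window
            last_login[client] = when
        elif page in WATCHED and client in suspects:
            suspects[client].append(page)
    return suspects

if __name__ == "__main__":
    for client, pages in find_suspects(SAMPLE_LOG).items():
        print(client, "duplicate login load, then:", ", ".join(pages))
```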