This is an automated email sent every 2 weeks
Tony P
http://finance.groups.yahoo.com/group/investmentprograms
***
I've been doing some research on the egold trojan and how accounts are
getting hacked. The scary part is that from what I read, most
anti-virus/spyware programs are not going to catch it because it is
not in their databases yet.
Not only that, this trojan does not activate until after you have
logged into your egold and it uses your own computer to bypass every
security measure, IP confirmation, password SRK, everything.
The trojan uses an exploit in IE to infect your computer. DO NOT USE
INTERNET EXPLORER. I can't stress that enough. Download and use
Firefox. Here is a description that I found on how this trojan works:
This Trojan does not employ usual phishing techniques, like logging
user keystrokes in text files that can be sent to a remote malicious
user. Instead, whenever a user tries to access the
e-gold account login form via the URL
http://e-gold.com/acct/login.html, it opens a hidden duplicate
Internet Explorer (IE) window accessing that same URL. It then
proceeds to fill up the duplicate Web form, which eventually leads to
illegal account access.
The Trojan periodically drains the funds of the compromised account by
a certain percentage. The stolen funds are then transferred to another
e-gold account.
To be able to successfully perform this function, this Trojan uses
IE's built-in Object Linking and Embedding (OLE) automation functions.
This method is similar to API hooks used by file-infectors. In this
case, this Trojan executes certain functions for every change in the
URL address that occurs while the user continues to navigate through
the following e-gold Web pages:
* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp
(Note: Object Linking and Embedding (OLE) is a compound document
standard that enables a user to create objects with one application
and then link or embed them in another application.)
The Trojan runs on Windows 95, 98, ME, NT, 2000, and XP.
You all need to check your computers for the file named gdiwxp.dll.
This is the most recent variant of the trojan that I could find and
was still popping up in late March. If you have this file on your
computer, you are infected with the egold trojan and you need to
get rid of it immediately.
I don't know if the file will show up with a simple file search; it
may be hidden. I used Hijack This to look at my registry for the file.
You can download Hijack This for free at:
http://www.download.com/HijackThis/3000-8022_4-10227353.html
This program is mainly used by people so that they can post a registry
log in the tech forums and ask for help. Don't remove anything in your
registry unless you know what you are doing. Just look for the file
containing gdiwxp.dll.
So far there are 2 known variants of the egold trojan:
gdiw2k.sys and gdiwxp.dll.
If you find the trojan on your computer, you can use Security Task
Manager to get rid of it.
http://www.neuber.com/taskmanager/
I also noticed that RegRun has this file in their trojan database and
can remove it for you.
http://www.greatis.com/appdata/d/g/gdiwxp.dll.htm
Again, DO NOT USE INTERNET EXPLORER!!!!!!
Mozilla Firefox browser download
Edited to add: I posted this information on another forum and within
five minutes someone who had their egold hacked on March 31st found
the gdiwxp.dll file on their computer so this must still be the one
making the rounds. They also posted that after they were hacked, they
started using Firefox with no problems.
One of the symptoms that you are infected with this trojan is that you
get the wrong Turing number page (at egold) every time you try to log
in. On the page you are redirected to, the links at the top of the
page will not work.
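The post tells readers to search their machines for the two variant filenames it names (gdiwxp.dll and gdiw2k.sys) and warns that the file may be hidden. The following is an added example, not code from the post or from any of the tools it links, showing one way to do that check in Python: it walks a directory tree without skipping hidden entries and reports any file whose name matches the indicator list case-insensitively. The directory it scans is a constructed throwaway tree containing empty decoy files with those names, not real samples, and no file hashes are used because the post gives none, so a filename match is only a prompt to investigate, not proof of infection.

```python
import os
import tempfile

# Filenames the post lists as the known variants of the e-gold trojan.
# The post gives no hashes, so this is a name-only check.
KNOWN_VARIANT_NAMES = ("gdiwxp.dll", "gdiw2k.sys")


def find_named_indicators(root, names=KNOWN_VARIANT_NAMES):
    """Walk `root` and return the full paths of every file whose name
    matches one of `names`, ignoring case.

    os.walk does not skip hidden files or dot-directories, so a file that
    a normal file search would miss is still reported.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def build_constructed_tree():
    """Create a throwaway directory tree holding empty decoy files.

    This is constructed test data (empty files with the indicator names),
    not malware; it exists only so the scan has something to find.
    """
    root = tempfile.mkdtemp(prefix="egold_ioc_demo_")
    layout = (
        "WINDOWS/system32/kernel32.dll",   # benign name, must not match
        "WINDOWS/system32/GDIWXP.DLL",     # upper-case spelling of a variant
        ".hidden/gdiw2k.sys",              # variant inside a dot-directory
        "readme.txt",                      # benign name, must not match
    )
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb"):
            pass
    return root


def demo():
    """Scan the constructed tree and return matches relative to its root,
    with forward slashes so the result is the same on every platform."""
    root = build_constructed_tree()
    hits = find_named_indicators(root)
    return [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    for rel in demo():
        print("indicator filename found:", rel)
```

To run it against a real system drive, call `find_named_indicators("C:\\")` (or the root of whichever volume is of interest) instead of the constructed tree; a hit tells you where to look, and the post's next step (inspecting the registry entries that load the file with HijackThis, then removing it with a dedicated tool) still applies.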