Spammed Trojan of the Day Targets the UK
Thursday May 25, 2006 at 9:37 am CST
Posted by Craig Schmugar
McAfee Avert Labs has received over 30 submissions of a new variant of Downloader-ATM in the past 7 hours. Updated DAT files were released earlier today to cover this variant. The trojan was mass spammed as an email attachment named ref 7119606.zip, which contains ref 7119606.exe. The message appears as follows:
————————
From: Valuehost Billing Department [mailto:merchant@valuehost.com]
Subject: [order ref 7119606] Credit Card Chargeback
Message-Id:
Date: Thu, 25 May 2006 10:03:10 -0700 (PDT)
Dear customer,
We have received a notice from your card service stating that there was
a chargeback made by the owner of the card that
you paid for your account with. This is a very serious matter. I have
deducted the amount of the chargeback, GBP 119.40,
from your account and added our standard fee of GBP 25.00 as well. (Now
you can see your payment details in attachment.)
If there was some mistake, please let us know immediately so that we
can get this situation resolved. We ask that you have the chargeback
removed as soon as possible, as our account has already been debited for
the amount in question. If you would prefer to make your payment using a new payment
method that would be fine as well (you can use a different credit card
or you may send a money order payable to
Valuehost).
This is a time sensitive issue and must be resolved promptly at the
request of the card service. Please email the billing team using the
Web Administration Panel with information about how
you are going to deal with this situation.
I thank you for your time and hope to hear from you
soon.
See your payment details in attachment.
Sincerely,
Mark J. Burnett
Valuehost Billing Department
http://www.valuehost.com
————————
When run, ref 7119606.exe downloads a new PWS-Cashgrabber variant. This password stealing trojan targets the following banking sites:
- anbusiness.com
- cahoot.com
- co-operativebank.co.uk
- deutsche-bank.de
- e-gold.com
- hsbc.com
- ibank.barclays.co.uk
- my.if.com
- mybank.alliance-leicester.co.uk
- nwolb.com
- officebanking.cl
- olb2.nationet.com
- pass.de
- santandersantiago.cl
- smile.co.uk
- smile.com
- webbank.openplan.co.uk
- welcome6.co-operativebank.co.uk
- www.bbvanet.cl
In addition to logging keystrokes, the trojan can also take screen shots as a means of stealing user’s website credentials.