If you have received an email with a confusedly long link for a supposed Wachovia site that looks like http://commercial.wachovia.online.financial.business….cashman766.com/Service.htm, delete it. It seems that users in Great Britain are receiving these messages. That page will serve up file “wachovia_certificatev102.exe”. When run, you do not install certificates new to Wachovia.

Instead, this trojan downloads “cb_1.exe” and runs it, installing multiple password stealing and rootkit components that are not new (but this version of the fraudulent scheme is new). The components, including 9129837.exe (Spyware.Papras) and new_drv.sys (Rootkit.Agent.ex) will steal all web form input (from any and all banks, for example), most any other stored passwords on the system, and send the data off to a server hosted in Singapore.

This entry was posted on Wednesday, June 4th, 2008 at 4:01 pm and is filed under Password stealing, Rootkit, Social Engineering, Spam, Targeted attack, cybercrime. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.