Beware of Fake Windows XP Activation Trojan

The authors of Kardphisher have now changed the Trojan so that it mimics the Windows XP activation interface. This new version collects the credit card number and personal information, including the SSN, that the victim types into the client computer. The authors have made significant improvements to the Trojan's user interface: it looks like a real Windows XP Activation Wizard. The application does not let the user close it until credit card information has been entered, and its built-in credit card and e-mail validation, together with the display of the computer's current Windows XP product key, make it look even more legitimate.

Fake Windows XP Activation Wizard -1 

Fake Windows XP Activation Trojan Asking for Personal Information


Once the user enters all the validated data, the new version of the tool removes itself automatically, as if the activation had succeeded. A bogus “verified by Visa” message then requests a social security number and date of birth, which makes the Trojan the perfect tool in the hands of identity thieves, relying on nothing more than plain social-engineering impersonation of Microsoft.

Fake Windows XP Activation Trojan Asking for SSN

Fake Windows XP Activation Successful Message

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, the Trojan creates the following file:
[PATH TO THE TROJAN]\keylog.dll
The Trojan creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_CURRENT_USER\Software\sft\c
The Trojan pretends to be a legitimate Microsoft activation program and tricks the user into entering their credit card details to activate Windows. The Trojan shuts down the compromised computer if the user does not enter their credit card number. The Trojan prevents the user from running or switching to another application or to Task Manager. The Trojan sends the stolen information to the following URL:
[http://]81.29.241.170/in.[REMOVED]
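The file, registry and Task Manager indicators above can be checked on a suspect host with the following PowerShell script. It is an added example, not code from the original post or from any vendor tool; the `$Remediate` switch and the search directories are assumptions of this script, and the drop directory of keylog.dll is recovered from the Run entry because the post gives it only as [PATH TO THE TROJAN].

```powershell
# Added example (not from the original post): check a Windows host for the
# Kardphisher indicators listed above and optionally undo the autostart entry
# and the Task Manager lockout. Run from an elevated PowerShell prompt.
# $Remediate is an assumption of this script, not an option of any real tool.
param([switch]$Remediate)

$findings = @()
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$userKey = 'HKCU:\Software\sft\c'

# Autostart entry named "soft2" under the Run key (checked as a value and as a subkey)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$trojanPath = $null
if ($run -and ($run.PSObject.Properties.Name -contains 'soft2')) {
    $trojanPath = $run.soft2
    $findings += "Run value soft2 -> $trojanPath"
}
if (Test-Path "$runKey\soft2") { $findings += 'Run subkey soft2 present' }

# Task Manager disabled by policy, which is how the Trojan keeps the user locked in
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'DisableTaskMgr = 1' }

# Per-user marker key
if (Test-Path $userKey) { $findings += "$userKey present" }

# keylog.dll is dropped beside the Trojan: look in the Run entry's directory first
# (best effort, quotes stripped), then in the usual user-writable locations
$dirs = @()
if ($trojanPath) { $dirs += Split-Path -Path ($trojanPath.Trim('"')) -Parent }
$dirs += $env:TEMP, $env:APPDATA, $env:USERPROFILE
foreach ($d in ($dirs | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique)) {
    Get-ChildItem -Path $d -Filter 'keylog.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "keylog.dll at $($_.FullName)" }
}

if ($findings.Count -eq 0) { Write-Output 'No Kardphisher indicators found.'; return }
$findings | ForEach-Object { Write-Output "INDICATOR: $_" }

if ($Remediate) {
    # Remove the autostart entry and restore Task Manager; the dropped files and the
    # sft key can then be deleted by hand once the Trojan is no longer running
    Remove-ItemProperty -Path $runKey -Name 'soft2' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $polKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    Write-Output 'Run entry and DisableTaskMgr policy removed; reboot and delete the files.'
}
```

Because the Trojan shuts the machine down and blocks other applications while it is running, the check is most useful from a clean boot (safe mode or an offline image) rather than from the locked session.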

Trojan.Kardphisher – Removal

One Response

  1. John Doe says:

    Survival of the fittest!

© 2010 ReadersZone. All rights reserved.