Kaspersky Lab unveils a large-scale Internet defrauding scheme
Kaspersky Labs, an international data-security software-development company, warns users about the detection of a new and exceptionally dangerous Trojan, “Eurosol.” This Trojan steals a user’s personal account information from the international finance system “WebMoney.”
“At this time, we have not received any reports pertaining to the ‘break in’ of users’ computers by Eurosol. However, an analysis of the FTP server (where the stolen information is transferred) allows us to say that more than 300 users are already in the situation where, in the near future, their accounts in WebMoney could be discovered to have no funds available,” commented Denis Zenkin, Head of Corporate Communications for Kaspersky Labs. “This means that the Trojan remains unnoticed on many computers to this very moment.”
Kaspersky Labs has already taken the necessary steps to stave off this fraud and has closed all the servers used by Eurosol.
Eurosol disguises itself as the CC-Bank program, which ostensibly lets a user earn money by viewing an advertising module: after the user views 15 banners, CC-Bank supposedly supplies the number of a real credit card with a known balance, which can then be used to make purchases.
Naturally, this is simply a front behind which the Trojan hides its real activity. Once CC-Bank is started, Eurosol scans the installed hard disks for the key files of the WebMoney Transfer client program (http://www.webmoney.ru/eng/index.htm).
WebMoney is an international banking system that offers “Internet currency.” The system is designed to let those who do not wish to expose their credit card numbers, or who simply don’t have credit cards, make purchases from e-tailers. According to the company site, “WebMoney’s prepaid accounts dramatically reduce the incidence of fraud that merchants experience from handling credit card transactions, especially from buyers located in other countries.”
To obtain a victim’s personal WebMoney account information, Eurosol locates the files Keys.kwm (the secret key) and Purses.kwm (the virtual “wallet”). If the files are found, they are encrypted and sent to a remote FTP server. To ensure that the transfer succeeds, the Trojan neutralizes the installed personal firewall ATGuard: Eurosol modifies ATGuard’s settings so that it no longer blocks the TCP/IP connection to the external servers.
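The behaviour described above (an untrusted program reading the WebMoney key files and then opening an outbound FTP connection) is the kind of sequence a host monitor can correlate. The following detector is an added example, not Kaspersky’s or WebMoney’s code; the event format, the process names and the sample events are all constructed for illustration.

```python
"""Toy host-event correlator for the Eurosol pattern described above.

Flags a process that reads a WebMoney key file (Keys.kwm / Purses.kwm)
and, shortly afterwards, connects to a remote host on TCP/21 (FTP),
unless the process is the WebMoney client itself.
"""
from collections import defaultdict

WEBMONEY_FILES = {"keys.kwm", "purses.kwm"}  # file names given in the text
TRUSTED_READERS = {"webmoney.exe"}           # assumed name of the legitimate client
FTP_PORT = 21

# Constructed sample events: (timestamp, process, event_type, detail).
# "cc-bank.exe" is an assumed name for the CC-Bank front program.
SAMPLE_EVENTS = [
    (100, "webmoney.exe", "file_read", r"C:\WebMoney\Keys.kwm"),
    (101, "webmoney.exe", "net_connect", "203.0.113.5:443"),
    (200, "cc-bank.exe", "file_read", r"C:\WebMoney\Keys.kwm"),
    (201, "cc-bank.exe", "file_read", r"C:\WebMoney\Purses.kwm"),
    (205, "cc-bank.exe", "net_connect", "198.51.100.7:21"),
    (300, "notepad.exe", "net_connect", "198.51.100.9:21"),  # FTP, but no key-file read
]


def detect_wallet_exfil(events, window=600):
    """Return (process, files_read, destination_host) for every process that
    read a WebMoney key file and connected to an FTP port within `window` s."""
    reads = defaultdict(list)  # process -> [(timestamp, lowercase file name)]
    alerts = []
    for ts, proc, kind, detail in sorted(events):
        if kind == "file_read":
            name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in WEBMONEY_FILES and proc.lower() not in TRUSTED_READERS:
                reads[proc].append((ts, name))
        elif kind == "net_connect":
            host, _, port = detail.rpartition(":")
            if port != str(FTP_PORT):
                continue
            recent = sorted({n for t, n in reads.get(proc, []) if ts - t <= window})
            if recent:
                alerts.append((proc, tuple(recent), host))
    return alerts


if __name__ == "__main__":
    for proc, files, host in detect_wallet_exfil(SAMPLE_EVENTS):
        print(f"ALERT: {proc} read {', '.join(files)} then connected to {host} over FTP")
```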
The Trojan’s author can then retrieve the stolen “wallets” and their passwords from the FTP server and load them into his own copy of the WebMoney client. From there he can transfer any money in the victim’s WebMoney account to his own account, or receive it as cash via postal transfer in the recipient’s name.
Detection and removal procedures for Eurosol have already been added to the daily Kaspersky Anti-Virus database update. To detect Eurosol, we recommend that users run a full scan of all hard drives.