Warning: Trojan Picks the Pockets of WebMoney.ru Users

17 May 2001
Virus News

Kaspersky Lab exposes a large-scale Internet defrauding scheme

Kaspersky Lab, an international data-security software-development company, warns users about the detection of the new, exceptionally dangerous Trojan, "Eurosol." This Trojan steals a user's personal account information from the international finance system "WebMoney.ru."

"At this time, we have not received any reports pertaining to the 'break in' of users' computers by Eurosol. However, an analysis of the FTP server, where the stolen information is transferred, allows us to say that more than 300 users are already in the situation where in the near future, their accounts in WebMoney.ru could be discovered to have no funds available," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "This means that the Trojan remains unnoticed on many computers to this very moment."

Kaspersky Lab has already taken the necessary steps to stave off this fraud and has closed all exploitable Eurosol servers.

Eurosol disguises itself as the CC-Bank program, which ostensibly lets a user earn money by viewing an advertising module: the user views 15 banners, after which CC-Bank supposedly provides the number of an actual credit card with a definite account sum, which can then be used to make purchases.

Naturally, this is simply a front that hides the Trojan's real activity. Once CC-Bank is started, Eurosol gains access to the computer and scans the installed hard disks for key files belonging to the client program of the WebMoney.ru Transfer system (http://www.webmoney.ru/eng/index.htm).

WebMoney.ru is an international banking system that offers "Internet currency." The system is designed to let people who do not wish to expose their credit card numbers, or who simply don't have credit cards, make purchases from e-tailers.

To obtain a victim's personal account information for WebMoney.ru, Eurosol locates the files Keys.kwm (a secret key) and Purses.kwm (a virtual "wallet"). If the search succeeds, the files are encrypted and sent to a remote FTP server. To ensure that the information is transferred successfully, the Trojan neutralizes the installed personal firewall ATGuard: Eurosol modifies ATGuard's settings so that it does not block TCP/IP connections to the external servers.
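The behaviour chain described above (a process other than the WebMoney client reads Keys.kwm or Purses.kwm, then opens an FTP connection) can be expressed as a simple correlation rule. The following is an added example, not Kaspersky Lab's detection code; the event format, the process names, the allow-list entry and the sample data are constructed assumptions.

```python
from collections import namedtuple

# Constructed telemetry record; the field names are assumptions for this example.
Event = namedtuple("Event", "ts pid image kind target")

KEY_FILES = {"keys.kwm", "purses.kwm"}      # file names given in the advisory
ALLOWED_READERS = {"webmoney_client.exe"}   # placeholder for the legitimate client binary
FTP_PORT = 21
WINDOW = 600                                # max seconds between key read and FTP connect

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_key_exfil(events):
    """Flag processes that read a wallet key file and then connect out over FTP."""
    reads, alerts, alerted = {}, [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_read" and basename(ev.target) in KEY_FILES:
            if ev.image.lower() in ALLOWED_READERS:
                continue                    # the real client is expected to read its keys
            state = reads.setdefault(ev.pid, {"ts": ev.ts, "files": set()})
            state["ts"] = ev.ts             # remember the most recent key-file read
            state["files"].add(basename(ev.target))
        elif ev.kind == "net_connect" and ev.pid in reads and ev.pid not in alerted:
            port = ev.target.rpartition(":")[2]
            state = reads[ev.pid]
            if port.isdigit() and int(port) == FTP_PORT and ev.ts - state["ts"] <= WINDOW:
                alerts.append({"pid": ev.pid, "image": ev.image,
                               "files": sorted(state["files"]), "dest": ev.target})
                alerted.add(ev.pid)         # one alert per process
    return alerts

# Constructed sample events (not real telemetry); addresses are documentation ranges.
SAMPLE = [
    Event(100, 410, "webmoney_client.exe", "file_read", r"C:\WM\keys.kwm"),
    Event(105, 410, "webmoney_client.exe", "net_connect", "198.51.100.7:443"),
    Event(200, 977, "cc-bank.exe", "file_read", r"C:\WM\Keys.kwm"),
    Event(201, 977, "cc-bank.exe", "file_read", r"C:\WM\Purses.kwm"),
    Event(230, 977, "cc-bank.exe", "net_connect", "203.0.113.10:21"),
    Event(300, 512, "ftpclient.exe", "net_connect", "203.0.113.10:21"),
]

if __name__ == "__main__":
    for alert in find_key_exfil(SAMPLE):
        print(alert)
```

The rule does not cover the firewall tampering step; changes to the personal firewall's configuration would need their own monitoring.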

After this, the Trojan's operator can retrieve the stolen "wallets" and their passwords from the FTP server and attach them to his own copy of the WebMoney.ru program. The hacker can then transfer any money held in the WebMoney.ru account to his own account, or receive cash via postal transfer in the receiver's name.

Detection and removal procedures for Eurosol have already been added to the Kaspersky™ Anti-Virus daily anti-virus database update. To detect Eurosol, we recommend that users run a full scan of all hard drives.

A more detailed description of Eurosol is available in the Kaspersky Virus Encyclopedia at www.viruslist.com.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.
