
Windows activation Trojan can catch the unwary

Opinion and Analysis

Watch out – the bad guys have stepped up their Trojan creation nastiness by creating Trojans that look like real Windows alerts, which wouldn’t fool experts but could easily catch novices.

Given Microsoft’s well publicized anti-piracy drives, some novice to intermediate users might easily be fooled by a new Trojan horse called “Trojan.Kardphisher” which opens up a relatively realistic looking “Microsoft Piracy Control” dialog box.

Symantec says that Trojan.Kardphisher is a “Trojan horse that attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows”.

Frighteningly, if a user falls victim to this Trojan and chooses to “activate” their copy of Windows later, the rogue software will shut down Windows. When the computer is next turned on, the Trojan instantly activates itself again and prevents you from running other software, something that would easily spook novice and intermediate users into entering their details.

The Trojan, which presents two screens, is incredibly brazen. Once you choose to “activate” your copy of Windows because the Trojan tells you that “Your copy of Windows was activated by another user”, it asks you to enter your location, your contact information, your credit card number, your ATM PIN number (!), your card’s expiration date and the 3-digit CVV2 number.

The software tells you that your card won’t be charged, but that it needs the details to proceed with activation.

Naturally, if you divulge your real details, they are sent off to the author of the Trojan, who can then use them to steal your identity, rack up credit card debts and do other nasty things.

One suggestion from the web on dealing with the Trojan, should you find yourself infected with it, is to enter fake details simply so that you can get past the “activation” process and immediately find out how to remove the Trojan from your system. Thankfully, Symantec has posted removal instructions which tell you how to get rid of the Trojan.

If a user does choose to activate Windows over the web, the Trojan asks the victim to enter location, contact information, credit card number, PIN and card expiration date.

It’s important to know that Microsoft and other companies will NOT ask you to enter credit card details and other information for the simple purpose of activating software. Of course, you will be asked for some personal information if you are registering software you have just purchased, and we may well see attempts by the ‘bad guys’ to now create registration Trojans that look ever more realistic.

The attempts at ‘social engineering’ to get you to voluntarily hand over sensitive private details are only going to increase, making it ever more imperative that users become ultra web-savvy, as well as protected as much as possible by Internet Security Suites from companies such as Symantec, McAfee, Trend Micro, ZoneAlarm, AVG and others, along with protective anti-phishing software such as TrustDefender (www.trustdefender.com).

If ever in doubt – err on the side of caution and never enter your real details. Get the help of a knowledgeable friend, call the tech support department of the software or hardware you are using, ask questions – don’t just hand over personal details that could expose you to identity theft, fraud and more – and make sure that you are using the very latest security programs and make sure their automatic update features are permanently turned on.
