Fake Windows activation phishes data with penalty for users [Update]
Anti-virus vendor Symantec has reported a Trojan that attempts to extract credit card details from users by means of what purports to be a Windows activation screen. Current Symantec anti-virus software detects the malware, which ships as a roughly 1 MB .exe file, as Trojan.Kardphisher. It poses a hazard to all computers running Windows 95, 98, NT, 2000, XP or Server 2003, regardless of whether or not the copy of Windows on the system actually requires activation.
The malware's approach is simple but effective: the first time the system is restarted after the Trojan has been executed, it displays a dialog asking the user to activate Windows and enter their credit card details. If the user declines, the computer shuts down automatically. Critically, the Trojan prevents other applications such as Task Manager from running, so a user has no practical way of dismissing the dialog and carrying on working.
This is potentially much more serious than a conventional phishing expedition: it is a blended threat that also denies the victim the use of the machine. Symantec classifies it as a minimal threat, and on the surface it resembles long-established fake login scams, but coupling a penalty (forced shutdown) to the attempt to extract credit card details indicates that on-line fraudsters are raising the stakes, and that should be recognised as a dangerous trend.
To remove the malware, Symantec recommends starting Windows in safe mode, so that the Trojan's startup entry is not triggered, and then deleting the registry entries listed in its Security Response write-up. Fully updated anti-virus software should also recognise and be able to remove the malware.
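A practitioner checking an XP or Server 2003 machine for this behaviour, or writing a detection for it, would want to enumerate the standard autostart registry locations and the policy value that stops Task Manager from launching. The following PowerShell script is an added example and is not Symantec's removal procedure or any code from the report: the page does not name the registry keys Kardphisher writes, so the paths and the heuristics for "suspicious" command lines below are assumptions drawn from the usual Windows persistence mechanisms. Treat any hit as a lead to compare against the Security Response write-up before deleting it, not as a signature.

```powershell
# Added example (not from Symantec's report): audit the standard Windows autostart
# keys and the Task Manager policy value. Which keys Kardphisher actually writes is
# not stated on this page; the paths below are the usual locations and are an
# assumption to verify against Symantec's Security Response entry.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# DisableTaskMgr = 1 under either of these keys makes Windows refuse to start Task
# Manager, the usual way malware "prevents Task Manager from running".
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    $c = $Command.ToLowerInvariant()
    # Heuristics (assumption, tune for your environment): binaries launched from temp
    # or profile directories, or from the root of a drive, are unusual for legitimate autoruns.
    if ($c -match '\\temp\\')                                        { return $true }
    if ($c -match '\\appdata\\')                                     { return $true }
    if ($c -match '\\documents and settings\\.*\\local settings\\')  { return $true }
    if ($c -match '^"?[a-z]:\\[^\\]+\.exe')                          { return $true }
    return $false
}

function Get-AutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Suspicious = Test-SuspiciousCommand -Command $cmd
            }
        }
    }
}

function Get-TaskMgrPolicy {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($null -ne $v -and $v.DisableTaskMgr -eq 1) {
            [pscustomobject]@{ Key = $key; DisableTaskMgr = 1 }
        }
    }
}

# Report only; nothing is deleted. Run from safe mode on an infected box, as Symantec advises.
Write-Host '== Autorun entries =='
Get-AutorunEntries | Format-Table -AutoSize

Write-Host '== Task Manager disabled by policy =='
$policy = @(Get-TaskMgrPolicy)
if ($policy.Count -eq 0) { Write-Host 'none' } else { $policy | Format-Table -AutoSize }

# Once an entry is confirmed malicious against Symantec's list, remove it with, e.g.
# (value name is a placeholder):
#   Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '<value name>'
#   Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableTaskMgr
```

The script deliberately reports rather than deletes: an autorun entry in an odd location is a lead, and the DisableTaskMgr value may also have been set legitimately by group policy, so each hit should be checked against Symantec's list before anything is removed.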
Symantec has informed heise that Vista users are also at risk, although not to the same extent as users of the other affected platforms. Under Vista the Trojan runs without raising a UAC prompt, but it does not block Task Manager and appears not to persist: it does not write its registry keys, so it does not run again after a reboot. It does still force a shutdown if the initial dialog is dismissed. So although the Trojan cannot effectively lock Vista users out of the system, the phishing threat remains.
Symantec has suggested that the Trojan is distributed by email, but there is no hard evidence of this at present.
- Trojan.Kardphisher, report from Symantec