I got my first password stealing trojan yesterday. My, they’re good. I’ve never shopped at Citibank (sorry, Ditta) but for a moment I thought that maybe I had . This was what the email looked like:
Thank you for your online application for a Citibank Home Equity Loan. In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn’t satisfy our minimum needs. Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
The email came with all the right headers, and my virus checker didn’t notice anything wrong, but the folks at Sophos have identified the attachment as a two component backdoor Trojan, specifically, Troj/Webber-A. The first bit attempts to connect to http://www.joro71.addr.com, download a file to rtdx32.exe in the Windows system folder and execute it. The second bit is a password stealing Trojan that attempts to extract sensitive information from several locations on the system and sends them to CGI scripts at http://weyrauch.addr.com. Yuck. Beware.