Research on the egold trojan and how accounts are getting hacked: The scary part is that from what is available, most anti-virus/spyware programs are not going to catch it because it is not in their databases yet.
Not only that, this trojan does not activate until after you have logged into your egold and it uses your own computer to bypass every security measure, IP confirmation, password SRK, everything.
The trojan uses an exploit in IE to infect your computer. DO NOT USE INTERNET EXPLORER. That can't be stressed enough. Download and use Firefox. Here is a description that was found on how this trojan works:
This Trojan does not employ usual phishing techniques, like logging user keystrokes in text files that can be sent to a remote malicious user. Instead, whenever a user tries to access the e-gold account login form via the URL http://e-gold.com/acct/login.html, it opens a hidden duplicate Internet Explorer (IE) window accessing that same URL. It then proceeds to fill up the duplicate Web form, which eventually leads to illegal account access.
The Trojan periodically drains the funds of the compromised account by a certain percentage. The stolen funds are then transferred to another e-gold account.
To be able to successfully perform this function, this Trojan uses IE’s built-in Object Linking and Embedding (OLE) automation functions. This method is similar to API hooks used by file-infectors. In this case, this Trojan executes certain functions for every change in the URL address that occurs while the user continues to navigate through the following e-gold Web pages:
* e-gold.com/acct/acct.asp
* e-gold.com/acct/balance.asp
* e-gold.com/acct/spend.asp
* e-gold.com/acct/verify.asp
* https://www.e-gold.com/acct/acct.asp
* https://www.e-gold.com/acct/balance.asp
* https://www.e-gold.com/acct/spend.asp
(Note: Object Linking and Embedding (OLE) is a compound document standard that enables a user to create objects with one application and then link or embed them in another application.)
The Trojan runs on Windows 95, 98, ME, NT, 2000, and XP.
You all need to check your computers for the file named gdiwxp.dll. This is the most recent variant of the trojan that I could find and was still popping up in late March. If you have this file on your computer, you are infected with the egold trojan and you need to get rid of it immediately.
It's not known if the file will show up with a simple file search; it may be hidden. Use 'Hijack This' to look at the registry for the file.
You can download Hijack This for free at:
http://www.download.com/HijackThis/3...-10227353.html
This program is mainly used by people so that they can post a registry log in the tech forums and ask for help. Don't remove anything in your registry unless you know what you are doing. Just look for the file containing gdiwxp.dll.
If you find the trojan on your computer, you can use Security Task Manager to get rid of it.
http://www.neuber.com/taskmanager/
RegRun has this file in their trojan database and can remove it for you.
http://www.greatis.com/appdata/d/g/gdiwxp.dll.htm
Again, DO NOT USE INTERNET EXPLORER!!!!!!
Mozilla Firefox browser download
http://www.mozilla.com/
Additional info:
One of the symptoms that you are infected with this trojan is that you get the wrong turing number page every time you try to log in. On the page you are redirected to, the links at the top of the page will not work.
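The post tells readers to hunt for the file gdiwxp.dll on disk and in the registry. The script below is an added example (not from the original post or any tool it links) that does that hunt: it walks one or more directory roots and reports every file whose name matches the indicator case-insensitively (Windows file systems ignore case, and os.walk lists hidden files, so the hidden attribute does not help the malware), then on Windows looks through a few autostart registry values for the same name. The registry key list and the constructed directory tree used for the self-test are this example's assumptions; the indicator file name is the one the post gives.

```python
"""Hunt for the indicator file named in the post (gdiwxp.dll) on disk and,
on Windows, in common autostart registry values.  Added example; not part
of the original post.  Run with one or more root directories as arguments,
or with no arguments to scan the current drive/filesystem root."""
import os
import sys
import tempfile
from datetime import datetime, timezone

INDICATOR = "gdiwxp.dll"  # file name named in the post


def find_files_by_name(roots, name=INDICATOR):
    """Walk each root and return paths whose basename equals `name`,
    compared case-insensitively.  Unreadable directories are skipped
    (os.walk ignores errors by default) rather than aborting the scan."""
    target = name.lower()
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fn in filenames:
                if fn.lower() == target:
                    hits.append(os.path.join(dirpath, fn))
    return hits


def describe(path):
    """Triage details for a hit: size and last-modified time (UTC)."""
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    return {"path": path, "size": st.st_size, "modified": mtime.isoformat()}


def scan_registry_for_name(name=INDICATOR):
    """Windows only: return (subkey, value_name, value_data) for any value in
    a few autostart-style keys whose data mentions `name`.  The key list is
    this example's assumption about where to look, not something the post
    states.  On non-Windows platforms the function returns an empty list."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    keys = [
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
        # AppInit_DLLs lives under this key; a DLL listed there is loaded into GUI processes
        (winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows NT\CurrentVersion\Windows"),
    ]
    hits = []
    for hive, subkey in keys:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        vname, vdata, _vtype = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    if name.lower() in str(vdata).lower():
                        hits.append((subkey, vname, vdata))
                    index += 1
        except OSError:
            continue  # key absent or not readable
    return hits


def build_constructed_tree():
    """Create a throwaway directory tree (constructed sample data) holding one
    upper-cased copy of the indicator and one similarly named decoy, and
    return its root.  Used to exercise find_files_by_name offline."""
    root = tempfile.mkdtemp(prefix="egold_scan_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "GDIWXP.DLL"), "wb") as fh:
        fh.write(b"x")  # 1-byte placeholder, not real malware content
    with open(os.path.join(root, "WINDOWS", "gdi32.dll"), "wb") as fh:
        fh.write(b"xx")  # decoy: legitimate-looking name, must not match
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or [os.path.abspath(os.sep)]
    for hit in find_files_by_name(roots):
        print("FILE HIT:", describe(hit))
    for subkey, vname, vdata in scan_registry_for_name():
        print("REGISTRY HIT:", subkey, vname, vdata)
```

A hit from this script is a reason to follow the post's removal advice, not proof of compromise on its own: confirm the path and timestamp it reports before acting, since the post itself says the file may be hidden and may not show up in a simple search.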