Wednesday, September 27, 2006

E-gold Trojan Alert

Here is a quote posted by a user on GoldenTalk. I thought it might be a useful alert for many HYIP investors. See the post:
Just a heads up: Pulled this off another site and thought it might be useful for all to be aware of.

Posted: Mon Sep 25th, 2006 01:59 am

Hi All,
Just found this post from this member of MMG with regard to E-Gold and I wanted to share this with you for your security!! If this has happened to you, please follow his instructions for removal. If it hasn't, GOOD, and beware and be careful!

"My e-gold account balance has been wiped out by a trojan."

Symptoms:
Every time I log in to my e-gold account via Internet Explorer my e-gold balance is wiped out and it shows 0.00
When I log in via Firefox it is NOT emptied.
I got this bug around 11 Sep simply by visiting a website (a HYIP site I think) and NOT from an email attachment or phishing email. My e-gold or email was not hacked, but the script worked automatically behind my shoulders and made an unauthorized transaction using my login and IP address. The transaction was immediate upon login, and to different e-gold accounts all with names of HYIP sites. The first time I lost $430; fortunately I had money out "on work". The other transactions were small because I removed money via Firefox to my other account while testing.

I have tried many trojan scanners and antivirus programs during the last 4 days in trying to remove it: Kaspersky, Panda, PC-cillin, Ad-Aware, Spybot, Trojan Remover, TrojanHunter, VundoFix, Ewido, Webroot Spy Sweeper, Anti-Trojan Elite.
After each scan and removal of suspicious things, I made test logins to my e-gold, with small balances of $1-2, and every time I log in via IE the account is emptied.
Only today was I able to locate a Goldun trojan with Kaspersky antivirus, and I deleted the trojans named Trojan-Spy.Win32.Goldun with two different extensions: .mn and .mm. I scanned with Kaspersky earlier this week but didn't find anything. These trojans were installed 11 Sep, 1 minute apart.
According to http://www.viruslist.com/en/viruses/...virusid=135074 this trojan version was detected 14 Sep. I believe they were just added to Kaspersky antivirus.

They seem to be new variants of Goldun Trojan which is:
"Trojan that targets "e-gold" but doesn't launch an attack until the authentication process has been monitored and completed, as e-gold uses a number of security measures, such as limiting account access to an individual IP address and the use of one-time passphrases"

About Goldun and other trojans that clean out your e-gold account:
http://www.lurhq.com/grams.html
https://financialcryptography.com/mt...es/000677.html
http://www.sarc.com/avcenter/venc/da...an.goldun.html
http://www.pcpro.co.uk/news/84884/in...r-hackers.html

Here is what I found on my computer. After removing these I could log in to my e-gold via IE without getting the balance zeroed. (From now on I only use Firefox for all e-gold transactions.)

1) Trojan-Spy.Win32.Goldun.mm
location
C:\Documents and Settings\"USER"\Local Settings\Temp\svchost./NPack

2) Trojan-Spy.Win32.Goldun.mn
location
C:\Documents and Settings\"USER"\Local Settings\Temp\f98er24s8u.dll
C:\Documents and Settings\"USER"\Local Settings\Temp\f98er24s8u.dll/PE_Patch.UPX/UPX
C:\Winnt/system32/msvcrl.dll/NSPack

(C:\Winnt/ might be Windows/ for others. I use win2000)

-----------

Although it is my computer that has been infected, therefore a leak in my security, once infected the trojans use a security leak in the e-gold system. It should not be possible to run a hidden script and make an unauthorized transaction behind my shoulder and just in front of my eyes. It happens so quickly that in the moment you log in and click "balance" the hidden transaction has already been done and you are zeroed.
This is not hacking; nobody has stolen my password or login to my account. I do the login, and from my IP address, then this trojan starts to work and makes the transaction as if I did it myself.
Why isn't it required (or at least optional) to put in a Turing number to manually confirm a transaction?

The e-gold company always tries to blame account holders for being hacked and having poor security, clicking emails; however, I think e-gold should look at their own security and update it.
These trojans are not hacking, and when they are not recognized by good and popular antivirus/antitrojan programs then it is very difficult for account holders to avoid being robbed.
These trojans can download simply by visiting a website, and all surfers do that. I am sure I didn't get it from an email; I got it from visiting a HYIP site (don't know which).

The thieves that stole my e-gold were:
e-gold: 2868405 10hourlyfunds.com
e-gold: 2692644 Sincere Hyip (2 times)
e-gold: 2743976 Soulhyip
e-gold: 284442 Hexer011


regards

PS

* Use Firefox for all e-gold related work including surfing and visiting HYIP sites = environment that uses e-gold a lot. These sites can have malign code, and the sites in rotation in surf programs can certainly have bad code you can pick up.

re: e-gold account.
* Enable AccSent (IP sensitive setting)
* use the SRK tool for typing your password.
* Use a password different from other passwords (If you use the same password for both HYIPs and your EG account, some admins may take advantage of that.).
* Use a unique email address.
* Never click on links in "e-gold" emails.
* Bookmark the e-gold login address.
* Don't keep too much in balance. Get a 2nd e-gold "storage" account to keep most of your money, while your 1st account is your daily working account for "spends".
* Use a good antivirus/antitrojan/firewall program.
* Keep your OS updated and get the newest Sun Java.

more info on trojans and other malware: http://forums.spywareinfo.com
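As an added illustration (not part of the quoted post and not e-gold's own code), here is a defender-side check a payment operator could run over its login and spend logs for the pattern described above: a spend to a never-before-seen payee fired within seconds of a login from the victim's own session and IP, which is exactly the case an IP-based control such as AccSent cannot catch. The log format, field names and sample lines are constructed for this example.

```python
"""Detect the pattern the post describes: a spend fired within seconds of a
successful login, from the victim's own IP/session, to a payee the account
has never paid before. Log format and field names are constructed."""
from datetime import datetime, timedelta

# Constructed sample log: timestamp|event|account|ip|payee|amount
SAMPLE_LOG = """\
2006-09-11T10:00:00|login|1000001|203.0.113.5||
2006-09-11T10:00:03|spend|1000001|203.0.113.5|2868405|430.00
2006-09-11T12:30:00|login|1000001|203.0.113.5||
2006-09-11T12:45:10|spend|1000001|203.0.113.5|1000002|5.00
2006-09-12T09:00:00|login|1000001|203.0.113.5||
2006-09-12T09:00:02|spend|1000001|203.0.113.5|2692644|1.50
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, kind, acct, ip, payee, amount = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "account": acct, "ip": ip, "payee": payee,
                       "amount": float(amount) if amount else 0.0})
    return events

def flag_session_riding(events, window=timedelta(seconds=30), known_payees=None):
    """Return spends within `window` of the account's last login that go to a
    payee not in the account's history. The login IP is deliberately not used
    as a signal: the trojan rides the victim's own session, so IPs match."""
    known = {k: set(v) for k, v in (known_payees or {}).items()}
    last_login, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["kind"] == "login":
            last_login[acct] = ev["ts"]
            continue
        if ev["kind"] != "spend":
            continue
        seen = known.setdefault(acct, set())
        login_ts = last_login.get(acct)
        fresh = login_ts is not None and ev["ts"] - login_ts <= window
        if fresh and ev["payee"] not in seen:
            flagged.append(ev)  # hold for out-of-band confirmation; not yet a known payee
        else:
            seen.add(ev["payee"])  # ordinary spend: payee joins the account's history
    return flagged

if __name__ == "__main__":
    for ev in flag_session_riding(parse_log(SAMPLE_LOG)):
        print(f"HOLD {ev['account']} -> {ev['payee']} {ev['amount']:.2f} at {ev['ts']}")
```

The held spends are the ones that should require the manual confirmation step the post asks for; a spend made minutes after login to an already-known payee passes untouched.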
