A file circulating on the Internet may actually be a compressed executable Trojan horse that gains access to all events and properties of a Web browsing session and may be trying to capture data sent to a number of banking and other financial Web sites, according to an Internet Storm Center report earlier this week.
The ISC said the file, img1big.gif, is a Win32 executable compressed with the open-source UPX executable packer. It is said to decompress into two Win32 executables bound together: the first is the file-dropping Trojan, and the second is a Win32 DLL that is dropped into C:\WINDOWS\System32 on Windows XP under a random name and registered as a browser helper object (BHO) for Internet Explorer, the ISC added.
The ISC said the Trojan was first reported June 24. It apparently targets bank and finance sites, including Citibank, St. George's Bank, National, WestPac, Barclays Bank, and others.
"When [IE version 4 and] higher starts," the ISC advisory said, "it reads the registry to locate installed BHOs and then loads them into the memory space for IE. Created BHOs then have access to all the events and properties of that browsing session."
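The registry lookup the advisory describes can be reproduced from the defender's side. The following PowerShell script is an added example, not code from the ISC report: it walks the Browser Helper Objects key that IE consults at startup, resolves each CLSID to the DLL that will be loaded, and flags any unsigned DLL sitting in System32, which is where this Trojan drops its randomly named component. The "Suspicious" heuristic is this example's own assumption, not a rule from the advisory.

```powershell
# Added example (not from the ISC report). Enumerate the BHOs that Internet
# Explorer will load, resolve each CLSID to its DLL, and flag unsigned DLLs
# living in System32. Run from an elevated PowerShell prompt on Windows.

function Get-InstalledBho {
    # IE reads these keys at startup to find registered BHOs (32-bit IE on
    # 64-bit Windows uses the Wow6432Node copy).
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            # The CLSID's InprocServer32 default value names the DLL IE loads.
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            }
            $sigStatus = $null
            if ($dll -and (Test-Path $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            # Assumed heuristic for this example: an unsigned DLL registered as a
            # BHO and located in System32 deserves a closer look.
            $inSystem32 = $dll -and ($dll -like "$env:SystemRoot\System32\*")
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Signature  = $sigStatus
                Suspicious = [bool]($inSystem32 -and $sigStatus -ne 'Valid')
            }
        }
    }
}

Get-InstalledBho | Format-Table -AutoSize
```

Any row marked Suspicious should be checked against the DLL's hash, version resource and installation date before it is removed; legitimate BHOs from antivirus or PDF products usually carry a valid signature and a recognisable vendor name.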
Once a secure session is established, the ISC added, the BHO grabs any outbound POST/GET data from within IE before it is encrypted, opens an outbound HTTP connection to www.refestld.com/cgi-bin/yes.pl, and feeds the captured data to a script at that location.
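Because the stolen data leaves the machine over plain HTTP, the exfiltration host and path named in the advisory make a usable network indicator. The following PowerShell script is an added example, not code from the ISC report: it scans proxy log lines for requests to that URL. The log format (date, time, client IP, method, URL, status) and the sample lines are constructed for the example; a real deployment would read its own proxy's log format with Get-Content.

```powershell
# Added example (not from the ISC report). Scan proxy log lines for requests
# to the exfiltration URL named in the advisory.

$indicatorHost = 'www.refestld.com'
$indicatorPath = '/cgi-bin/yes.pl'

# Constructed sample log lines: date time client method url status.
$sampleLog = @'
2004-06-25 09:12:01 10.0.0.15 GET http://www.example.com/index.html 200
2004-06-25 09:12:07 10.0.0.15 POST http://www.refestld.com/cgi-bin/yes.pl 200
2004-06-25 09:13:40 10.0.0.22 GET http://www.example.net/news 304
'@ -split '\r?\n'

function Find-ExfilHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 5) { continue }
        $uri = $null
        # Skip lines whose URL field is not parseable rather than aborting the scan.
        if (-not [uri]::TryCreate($fields[4], [UriKind]::Absolute, [ref]$uri)) { continue }
        if ($uri.Host -eq $indicatorHost -and $uri.AbsolutePath -eq $indicatorPath) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[2]
                Method = $fields[3]
                Url    = $fields[4]
            }
        }
    }
}

# Each hit identifies a client that should be checked for the BHO.
Find-ExfilHits -Lines $sampleLog | Format-Table -AutoSize
```

The match is on the parsed host and path rather than a raw substring so that query strings or port numbers appended by the Trojan do not cause a miss; the client address in each hit tells you which workstation to examine.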
If you're concerned about BHOs on your system, you can scan for them and selectively disable them with a freeware program known as BHO Demon.