Thread: Heads up: Fake E-Gold security update

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Heads up: Fake E-Gold security update

    I received the following message today:
    Dear E-gold payment system users!

    The recent cases of fraud, unauthorized withdrawal of cash from our clients' accounts and recurred attempts of hackers to access our server forced us to implement a new security system. The special program will ensure safe connection of your computer to our server by means of a unique encoded key, specially generated for each account. Only the combination of your login, password and the key will allow you to access the system. The program is enclosed to the message and doesn't need any installation. By one click you will be connected to the server and the program will generate the key. After that you will enter your account from Internet Explorer, which is absolutely safe. You will be signed out of the program automatically after closing the window. See the detailed operational instruction enclosed to the program.

    We have to warn you, that if you want to be the user of our system in future, you'll have to accept our rules and to use this program. Otherwise please call the numbers below to withdraw your funds. For the detailed information please enter our site or use our hot line to contact us by phone.

    Our Contacts:
    +1(212) 203-4034
    +1(212) 561-5041
    +1(212) 561-5074
    +1(212) 920-2092

    Best regards, E-Gold.com
    Attached was a SecurityEgold.rar which contained a SecurityEgold.exe. The sender's email address was E-Gold <SecurityEgold_donotreply@e-gold.com>. The real sender, however, was an IP address in Korea...

    None of my virus scanners picked up on it. I've already submitted it. No one recognised it.

    I'll keep you posted if I learn some more....
    Oliver's Law:
    Experience is something you don't get until just after you need it.
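    A defender-side triage of the two tells in the post above (a From address at e-gold.com while the first hop was an unrelated IP, and an archive attachment carrying an executable), as an added example that is not from the original thread: it parses a constructed message, pulls the originating IP from the earliest Received header, checks it against a hypothetical allow-list of sending networks, and flags risky attachment names. The sample message, its IP addresses and the EXPECTED_SENDERS networks are all assumptions made up for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread; Received chain and IPs are invented.
SAMPLE = """Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mail.example.org with ESMTP; Tue, 1 Mar 2005 10:00:00 +0100
Received: from e-gold.com (unknown [203.0.113.45])
    by mx.example.net with SMTP; Tue, 1 Mar 2005 09:59:50 +0100
From: E-Gold <SecurityEgold_donotreply@e-gold.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="SecurityEgold.rar"
Content-Disposition: attachment; filename="SecurityEgold.rar"

UmFyIQ==
--b1--
"""

# Hypothetical allow-list of networks that send mail for a From domain; a real
# gateway would derive it from SPF records. These values are made up.
EXPECTED_SENDERS = {"e-gold.com": ["198.51.100.0/24"]}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".rar", ".zip")

def originating_ip(msg):
    """IP from the earliest Received header (listed last = first hop)."""
    for header in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if m:
            return m.group(1)
    return None

def triage(raw):
    """Findings for a raw RFC 822 message: spoofed origin and risky attachments."""
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = originating_ip(msg)
    if ip and domain in EXPECTED_SENDERS and not any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(n)
            for n in EXPECTED_SENDERS[domain]):
        findings.append(f"From claims {domain} but first hop was {ip}")
    for part in msg.walk():  # every MIME part, nested ones included
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable or archive attachment: {name}")
    return findings
```

    Run against the sample, triage() reports both the mismatched first hop and the .rar attachment; swapping the first-hop IP for one inside the allow-list leaves only the attachment finding.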

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    The executable is UPX packed. Unfortunately it seems corrupted (the rar file unpacked without problems). I get a checksum error during UPX decompression. Is there a way to force decompression? I'd like to see what's in there...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    A.V.E.R.T. identified it as PWS-Banker.k.dr.

    PWS-Banker is a password stealing trojan.
    http://vil.nai.com/vil/content/v_124984.htm

    So it looks like a new variant. Brilliant.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    I don't know if this will help any or not, but I googled the sender's email address that you provided, and I got only one hit, to this one website called AKBK home-Spam Manager. I don't understand all the information it provided, but it did have one IP address and a name that I recognized as being Korean, a Mr. Yung Jun, which is only the first and middle name, a fairly common name there (I lived in Korea for 6 months, training with ROK Marines). I searched the IP address here, on AO, and it said it was located in "Paris, Ile-de-france (region), France."

    Again, I don't know if this will be of any help to you or not, or what the information was telling me on that website, but I tried to do what I could to help you out.

    Here is the link to the information I found:

    http://www.akbkhome.com/spam.php


    and if that doesn't work for some reason (I haven't tried it myself), here is the link to that website that Google gave me:

    http://www.google.com/search?hl=en&q...=Google+Search


    But that AKBK website, from what I could make of it, said that IP address was used as recently as today.
    "Champagne for my real friends, real pain for my sham friends" - Ed Norton/25th Hour

  5. #5
    [quote]but I tried to do what I could to help you out[/quote]

    edit: I did what I could do to find out any information I could for you
    "Champagne for my real friends, real pain for my sham friends" - Ed Norton/25th Hour
