-- Update April 6, 2004 --
Another mass seeding of this trojan has recently occurred. Detection requires the 4349 DAT files. The details of the email message sent are as follows:
"Brian Spencer" email@example.com
We are sorry to report that your bank account has been temporarily closed cause of explicit fraud activity. We are about to report to the police about this incident and they.ll carefully investigate this matter. If you.ll be found guilty, your can be charged up to $57,183. You can find all the details about this incident in the attached file and if you still have any questions until the police start investigation, please contact us as soon as possible. Sir, fraud activity is prohibited by the US legislation and you must note down that from now on your every step is being carefully traced down. So if you don.t want any other incidents to take place, wait for the end of this investigation or contact us. You can find our email and phone number in the attached file(password - MarH3Jl4).
Faithfully yours, Brian Spencer (Chief Manager)
-- Update December 30, 2003 --
AVERT has received damaged (truncated) copies of this trojan that have been spammed out. Detection for these files as Downloader-DI.dam will be included in the 4313 DAT files. Please note that these files are damaged and cannot run. The email messages should be deleted.
Details of the spammed message are included below. The following subject line and attachment name can be used for blocking such messages:
antikeylog2004.exe (2,720 bytes)
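A mail-gateway check built from the blocking indicators on this page (the attachment name above and the reported lure subjects listed further down). This is an added example, not AVERT or McAfee code; the sample message it inspects is constructed here with a dummy attachment.

```python
"""Flag mail carrying the Downloader-DI lure indicators from this advisory.

Added example, not vendor code. A message is flagged when an attachment
name matches the blocked name, or when its subject matches one of the
lure subjects reported in the advisory. Sample input is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text
BLOCKED_ATTACHMENTS = {"antikeylog2004.exe"}
BLOCKED_SUBJECTS = {
    "re: your credit application",
    "re: wells fargo bank new business account application - id# 4489",
    "re: your e-loan refinance application declined",
}


def message_indicators(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message should be blocked (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append(f"subject: {subject}")
    for part in msg.walk():  # multipart containers return no filename
        name = part.get_filename()
        if name and name.lower() in BLOCKED_ATTACHMENTS:
            payload = part.get_payload(decode=True) or b""
            reasons.append(f"attachment: {name} ({len(payload)} bytes)")
    return reasons


def build_sample() -> bytes:
    """Constructed lure message; the attachment is inert filler, not the trojan."""
    msg = EmailMessage()
    msg["From"] = "Admin@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Your credit application"
    msg.set_content("Thank you for your online application for a Home Equity Loan.")
    msg.add_attachment(b"\x00" * 2720, maintype="application",
                       subtype="octet-stream", filename="antikeylog2004.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(message_indicators(build_sample()))
```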
Intentions of Trojan
Multiple versions of this trojan exist. They are known to have been spammed out to users by email. Users are recommended to use the latest engine/DATs for optimal detection.
When run, it connects to the hacker's site to download a remote file. This remote file is a backdoor trojan, detected as BackDoor-AXJ.
Spammed email messages with various characteristics have been reported. For example:
Re: Your credit application
Thank you for your online application for a Home Equity Loan.
In order to be approved for any loan application we pull your
Credit Profile and Chexsystems information, which didn't satisfy
our minimum needs. Consequently, we regret to say that we cannot
approve you for Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that
you submitted with us. Please take a close look at it, you will receive
hard copy by mail withing next few days.
Wells Fargo Accounting
Re: Wells Fargo Bank New Business Account Application - ID# 4489
Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.
In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.
Attached are your Wells Fargo Application and your Social Security File.
Business Resource Center Services
Wells Fargo Bank
Re: Your credit application
Thank you for your online application for a Citibank Home Equity Loan.
In order to be approved for any loan application we pull your Credit Profile and Chexsystems information, which didn't satisfy our minimum needs.
Consequently, we regret to say that we cannot approve you for Citibank Home Equity Loan at this time.
*Attached are copy of your Credit Profile and Your Application that you submitted with us. Please take a close look at it, you will receive hard copy by mail withing next few days.
E-Loan Consumer Department
Re: Your E-Loan Refinance Application Declined
Thank you for your recent online Refinance Application with E-Loan Inc.
Apparently you have moved from your current home address a couple of months ago, so we coulnd't verify your identity with Credit Bureaus and Chexsystems.
We are sorry for any inconvenience.
Attached are scanned copies of your Home Value, Grant Deeds and your current Credit Profile from 3 major Credit Bureaus. Take a close look at it, as you will receive hard copies by usps mail in few days.
The recent spamming (Dec 31st 2003, bearing the corrupt attachment) uses messages constructed as follows:
Admin@(insert name of bank).com
The security of your personal and account information is extremely important to us. By practicing good security habits, you can help us ensure that your private information is protected.
Please install our special software, that will remove all the keyloggers and backdoors from your computer.
And will help us to prevent credit card fraud in future.
(insert name of bank)