Trojan-Spy.HTML.Fraud.gen (Kaspersky Lab)
is also known as:
Phish-BankFraud.eml (McAfee), Trojan Horse (Symantec), TrojanSpy:HTML/UrlSpoof.E* (RAV), HTML_SWENFRAUD.A (Trend Micro), TR/URLSpoof.P (H+BEDV), HTML/URLspoof.B@expl (FRISK), VBS.Trojan.Inor.Z.Spoofer (SOFTWIN), HTML.Phishing.Bank-31 (ClamAV), Exploit/URLSpoof (Panda)
| Detection added |
Nov 23 2004 |
| Description added |
Dec 29 2004 |
| Behavior |
TrojanSpy |
This family of Trojans utilises spoofing technology. The Trojans themselves
are contained in fake HTML pages. Messages, purportedly from banks, financial
institutions, internet stores, software companies etc. are sent to users. These
messages contain a link to the fake page; this link exploits the Frame Spoof
vulnerability in Internet Explorer.
The Frame Spoof vulnerability is present in Internet Explorer v. 5.x and 6.x,
and detailed in Microsoft Security
Bulletin MS04-004. The bulletin also gives recommendations on how to recognise spoofed sites.
Once a user visits the fake site, and enters account details or personal information,
these details will be sent to a malicious remote user, who will then have access
to users' confidential information.
