Wachovia Link

If you have received an email with a confusingly long link to a supposed Wachovia site that looks like http://commercial.wachovia.online.financial.business….cashman766.com/Service.htm, delete it. It seems that users in Great Britain are receiving these messages. That page will serve up the file “wachovia_certificatev102.exe”. Running it does not install any new Wachovia certificates.

Instead, this trojan downloads “cb_1.exe” and runs it, installing multiple password-stealing and rootkit components that are not new (but this version of the fraudulent scheme is new). The components, including 9129837.exe (Spyware.Papras) and new_drv.sys (Rootkit.Agent.ex), will steal all web form input (from any and all banks, for example) and almost any other stored passwords on the system, and send the data off to a server hosted in Singapore.
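The link in these emails puts the bank's name in the subdomain labels while the registrable domain at the right-hand end belongs to someone else. The following is an added example, not part of the original post, of a mail-filter style check for that pattern; the sample URLs, the `BRAND_DOMAINS` allowlist and the short suffix list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a tiny hand-written set of two-label public suffixes. A real
# filter would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.sg", "com.au"}

# Assumption: domains the brand actually owns, maintained by the defender.
BRAND_DOMAINS = {"wachovia": {"wachovia.com"}}


def registered_domain(host):
    """Return the registrable domain: one label plus the public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url):
    """Report brands named in the hostname that do not own its registrable domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registered_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")
    sub_labels = sub.split(".") if sub else []
    spoofed = sorted(
        brand
        for brand, owned in BRAND_DOMAINS.items()
        if reg not in owned and any(brand in label for label in host.split("."))
    )
    return {
        "registered_domain": reg,
        "subdomain_depth": len(sub_labels),
        "spoofed_brands": spoofed,
    }


if __name__ == "__main__":
    # Constructed sample links; .example is a reserved, non-resolving TLD.
    samples = [
        "http://commercial.wachovia.online.financial.business.bad-host.example/Service.htm",
        "http://wachovia.secure.bad-host.co.uk/Service.htm",
        "https://www.wachovia.com/login",
    ]
    for url in samples:
        print(url, "->", check_url(url))
```
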
