Other Info: e-gold Scam

The spammed email arrives with the following details.

From: E-gold {spoofed}
To: {recipient’s email address}
Subject: E-gold security connect
Attachments: Connect.zip (33 KB)
Body:
————————————————–
* * * Read/Save/Print this email message * * *
————————————————–

Dear e-gold payment system user,

The recent cases of fraud, unauthorized withdrawal of cash from our clients’ accounts and recurring attempts of hackers to access our server forced us to implement a new security system. The special program will ensure safe connection of your computer to our server by means of a unique encoded key, specially generated for each account. Only the combination of your login, password and the key will allow you to access the system. The program is enclosed with the message and doesn’t need any installation. With one click you will be connected to the server and the program will generate the key. After that you will enter your account from Internet Explorer, which is absolutely safe. You will be signed out of the program automatically after closing the window. See the detailed operational instructions enclosed with the program.

We have to warn you that if you want to be a user of our system in future, you’ll have to accept our rules and use this program. Otherwise please call the numbers below to withdraw your funds. For detailed information please visit our site or use our hot line to contact us by phone.

Our Contacts:

Phone (Worldwide) +1 321-957-1200
FAX (Worldwide) +1 321-952-0790

———————————————
Thank you for using e-gold!
———————————————

Analysis
The attachment Connect.zip contains an executable file named connect.exe which we now detect as TSPY_GOLDUN.AN.

When the unsuspecting user executes the attachment, a dialog box appears. But that is not all: by the time the user sees the dialog box, the following behind-the-scenes malicious activities of the attachment have already taken place!

  • Drops and executes a temporary file named xcqwdhe.exe in the Windows Temporary folder.
    • Drops the file “mside.dll” in the Windows System directory.
      • This is the actual component that checks the web site address the user is currently browsing to and activates its keylogging capability when it matches one of the following web sites:
        • https://www.e-gold.com/acct/balance.asp
        • https://www.e-gold.com/acct/acct.asp
    • Adds the registry entry HKEY_CLASSES_ROOT\CLSID\{13146842-6251-5625-3072-548536364311} and other subkeys
    • Adds the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13146842-6251-5625-3072-548536364311} and other subkeys
    • Adds the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13146842-6251-5625-3072-548536364311}
  • Deletes the temporary file xcqwdhe.exe by creating and spawning a batch file that also deletes itself at the end.
  • Then, finally, the long-awaited dialog box appears as if nothing ‘malicious’ has happened!

All of this happens within the blink of an eye, and an average user would think it is still smooth sailing, eh. :(

The registry entries above and their subkeys simply enable the “mside.dll” module to be attached to every instance of the IE browser; in effect, it installs a Browser Helper Object. That is where its malicious work gets started, every time you run your favorite browser!
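Because a BHO is nothing more than a COM class listed under the Browser Helper Objects key, the same registry locations can be walked to see what IE will load. The following PowerShell is an added example written for this post, not code from the original analysis: it enumerates the registered BHOs, resolves each CLSID to its DLL through the standard InProcServer32 registration, checks the DLL’s Authenticode signature, and flags the CLSID reported above. The 32-bit Wow6432Node branch is included for 64-bit Windows; the key paths are the standard Windows locations and are not taken from the sample.

```powershell
# Added example (not from the original post): list Browser Helper Objects that
# Internet Explorer would load and flag ones that look suspicious.
# Only the CLSID below comes from the analysis; the key paths are the standard ones.
$SuspectClsid = '{13146842-6251-5625-3072-548536364311}'

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit BHOs on 64-bit Windows are registered under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-InstalledBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # COM registration: HKCR\CLSID\{clsid}\InProcServer32 default value is the DLL path
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty $server).'(default)'
            }
            # A missing or unsigned DLL is the first thing worth a closer look
            $sig = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature $dll).Status
            } else {
                'FileMissing'
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $sig
                Suspect   = ($clsid -eq $SuspectClsid) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-InstalledBho | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A DLL that lives in the System directory but carries no valid signature, as “mside.dll” does in this case, stands out immediately in the Signature column.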

The Connect and Continue buttons of the dialog box respectively connect you to https://www.e-gold.com/acct/login.html and exit the dialog box. The URL you are connected to is legitimate, but remember, it is your browser that does the tricks!

One workaround to avoid future incidents like this is to change your browser, since BHOs are IE-only! Another is to keep your antivirus pattern files updated, and the handiest workaround for this kind of incident is basic security awareness! Cheers!