Symantec is reporting on a Trojan horse that mimics the Windows activation interface.
What they are calling Trojan.Kardphisher doesnt do most of the technical things that Trojan horses usually do; its a pure social engineering attack, aimed at stealing credit card information. In a sense, its a standalone phishing program.
Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you dont enter the credit card information it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down..
Running on the first reboot is clever. It inherently makes the process look more like its coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.
This is not an attack that will sneak by you. The executable is nearly 1MB large. But if you find yourself in this situation you should be able to disable it in Windows Safe mode by removing the registry keys described in the Symantec writeup and deleting the program it points to. Updated antivirus software should also be able to remove it.
Neil Rubenking also wrote about this issue for AppScout.com.
Recent Security Watch Posts: