Date: 02 August 2006
References: AU-2006.0019 AU-2006.0022
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
A U S C E R T A L E R T
AL-2006.0049 -- AUSCERT ALERT
Malicious "National Bank bankrupt" email links to sites
targeting multiple web browsers
15 June 2006
AusCERT Alert Summary
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access Confidential Data
A new malicious email with subject line "National Bank goes bankrupt?!"
is currently in circulation, offering a link to a web page for
further information. Any users visiting this web page will be targeted
with exploits for both Internet Explorer and Firefox, in order to
automatically install trojan software on the user's computer.
As with previous malicious sites, simply visiting the page with a
vulnerable web browser is sufficient to infect the computer.
The malware installed is a Haxdoor variant that is currently
not detected by most antivirus products.
This trojan is expected to steal personal data and in particular
online banking passwords.
Users should always avoid clicking on any links in emails, unless
the email was already expected.
Many current email viewers have stricter policies on web access than
web browsers, and enticing users to follow a link outside an email
and onto the web through a browser is a common way for attackers to
install malicious code onto a machine. [2, 3, 4]
System administrators may consider configuring web proxy servers or
firewalls to block HTTP connections to the sites listed below and to
files named "ie0606.cgi" or scripts with parameters such as:
Checking proxy logs for those URLs will also help in revealing which
client computers may have been affected.
Email that matches the description below can also be blocked at
The malicious email is plain text with the following content:
Subject: National Bank goes bankrupt?!
with body text:
People starting panic withdrawals, some of the accounts were reported
closed due to technical reasons, many ATMs are not operating.
Does it seem that one of the Australia's greatest goes bankrupt?
The full story could be found here: http://[MALICIOUS DOMAIN]/news.php
Well, hope that isn't true... Anyway You'd rather check your balance...
The URLs observed so far hosting the malicious page are as follows:
h**p://www,suriko,net/news.php (now down)
The final trojan is downloaded from domain www,powwowtowel,com.
(Here URLs have been modified such that 'http' becomes 'h**p' and
all periods within a URL have been replaced with commas.)
On infected computers the following files are created and most of these
are then hidden by the trojan:
 Protecting Your Computer from Malicious Code
 AusCERT Alert AL-2006.0040 - Yahoo Greeting Card trojan targets multiple web browsers
 AusCERT Alert AL-2006.0013 - Valentine's Day 'eCard' trojan
 AusCERT Alert AL-2006.0022 - 'Online Greeting Card' trojan
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----