E-Gold Trojan Alert

#1
Investor
Join Date: Jul 2005
Location: Canada
Posts: 204

Just a heads up: Pulled this off another site and thought it might be useful for all to be aware of.

Posted: Mon Sep 25th, 2006 01:59 am

Hi All,

Just found this post from this member of MMG with regards to E-Gold and I wanted to share this with you for your security!! If this has happened to you, please follow his instructions for removal. If it hasn't, GOOD and beware and be careful!

"My e-gold account balance has been wiped out by a trojan."

Symptoms: Every time I log in to my e-gold account via Internet Explorer my e-gold balance is wiped out and it shows 0.00. When I log in via Firefox it is NOT emptied.

I got this bug around 11.sep simply by visiting a website (a hyip site I think) and NOT from an email attachment or phishing email. My e-gold or email was not hacked, but the script worked automatically behind my shoulders and made an un-authorized transaction using my login and IP address. The transaction was immediate upon login, and to different e-gold accounts all with names of hyip sites. First time I lost $430; fortunately I had money out "on work". The other transactions were small because I removed money via Firefox to my other account, while testing.

I have tried many trojan scanners and antivirus programs during the last 4 days in trying to remove it: Kaspersky, panda, pc-cillin, ad-aware, spybot, trojan remover, trojanhunter, vundofix, ewido, webroot Spy Sweeper, antitrojan elite. After each scan and removal of suspicious things, I made test logins to my e-gold, with small balances of $1-2, and every time I log in via IE the account is emptied.

First today I was able to locate a Goldun trojan with Kaspersky antivirus and I deleted the trojans named Trojan-Spy.Win32.Goldun with two different extensions: .mn and .mm. I scanned with Kaspersky earlier this week but didn't find anything. These trojans were installed 11.sep, 1 minute apart. According to http://www.viruslist.com/en/viruses/...virusid=135074 this trojan version was detected 14th.sep. I believe they were just added to Kaspersky antivirus.

They seem to be new variants of Goldun Trojan which is: "Trojan that targets "e-gold" but doesn't launch an attack until the authentication process has been monitored and completed, as e-gold uses a number of security measures, such as limiting account access to an individual IP address and the use of one-time passphrases"

About Goldun and other trojans that clean out your e-gold account:
http://www.lurhq.com/grams.html
https://financialcryptography.com/mt...es/000677.html
http://www.sarc.com/avcenter/venc/da...an.goldun.html
http://www.pcpro.co.uk/news/84884/in...r-hackers.html

Here is what I found on my computer. After removing these I could log in to my e-gold via IE without getting the balance zero'ed. (From now on I only use firefox for all e-gold transactions.)

1) Trojan-Spy.Win32.Goldun.mm
location
C:\Documents and Settings\"USER"\Local Settings\Temp\svchost./NPack

2) trojan-spy.Win32.Goldun.mn
location
C:\Documents and Settings\"USER"\Local Settings\Temp\f98er24s8u.dll
C:\Documents and Settings\"USER"\Local Settings\Temp\f98er24s8u.dll/PE_Patch.UPX/UPX
C:\Winnt/system32/msvcrl.dll/NSPack
(C:\Winnt/ might be Windows/ for others. I use win2000)

-----------

Although it is my computer that has been infected, therefore a leak in my security, once infected the trojans use a security leak in the e-gold system. It should not be possible to run a hidden script and make an un-authorized transaction behind my shoulder and just in front of my eyes. It happens so quickly that in the moment you log in and click "balance" the hidden transaction has already been done and you are zero'ed.

This is not hacking, nobody has stolen my password or login to my account. I do the login and from my IP address, then this trojan starts to work and makes the transaction as if I did it myself. Why isn't it required (or at least optional) to put in a turing number to manually confirm a transaction??

The e-gold company always tries to blame account holders for being hacked and having poor security, clicking emails; however, I think e-gold should look at their own security and update it. These trojans are not hacking, and when they are not recognized by good and popular antivirus/antitrojan programs then it is very difficult for account holders to avoid being robbed. These trojans can download simply by visiting a website and all surfers do that. I am sure I didn't get it from an email, I got it from visiting a hyip site (don't know which).

The thieves that stole my e-gold were:
e-gold: 2868405 10hourlyfunds.com
e-gold: 2692644 Sincere Hyip (2 times)
e-gold: 2743976 Soulhyip
e-gold: 284442 Hexer011

regards

PS
* Use firefox for all e-gold related work including surfing and visiting hyip sites = environment that uses e-gold a lot. These sites can have malign code and the sites in rotation in surf programs can certainly have bad code you can pick up.

re: e-gold account.
* Enable AccSent (IP sensitive setting)
* Use the SRK tool for typing your password.
* Use a password different from other passwords (If you use the same password for both HYIPs and your EG account, some admins may take advantage of that.).
* Use a unique email address.
* Never click on links in "e-gold" emails.
* Bookmark the e-gold login address.
* Don't keep too much in balance. Get a 2nd e-gold "storage" account to keep most of your money while your 1st account is your daily working account for "spends"
* Use a good antivirus/antitrojan/firewall program
* Keep your OS system updated and get the newest Java sun

more info on trojans and other malware: http://forums.spywareinfo.com

#2
Senior Investor
Join Date: Mar 2005
Location: Southeast Asia
Posts: 1,617

Thanks a lot, wolfus. Now, that's another reason to be wary when surfing...
__________________
Life is a self-fulfilling prophecy.

#3
Senior Investor
Join Date: May 2006
Location: lancashire u.k.
Posts: 670

thanks wolfus, had just read it myself elsewhere and it's good that you took the time to make people aware. saved me a job lol

#4
Junior Investor
Join Date: Apr 2006
Posts: 105

OH MY GOSH i really hope that doesn't happen to me!! i would just be so freakin pissed off!! thanks a million for that post.. i guess I'll be logging off the net and scanning my pc now!... And oh ya, does anyone know why firefox doesn't get affected by these nasty trojans and IE does.... makes you wonder
__________________
Eudoi.com / ultimatehyip.com

#5
Banned
Join Date: Jun 2005
Location: BJ CHINA
Posts: 924

there are more trojans these days and many eg accts compromised!
try to install a good firewall, and use other browsers than IE.

#6
Senior Investor

Quote:
The thieves that stole my e-gold were:
e-gold: 2868405 10hourlyfunds.com
e-gold: 2692644 Sincere Hyip (2 times)
e-gold: 2743976 Soulhyip
e-gold: 284442 Hexer011

wolfus, did you ever join the hyip?

#7
Geriatric Moderator
Join Date: Aug 2004
Location: Darwen, Lancashire, England
Posts: 10,722

Thanks for the heads up wolfus.

However I would argue with one of your security suggestions. DO NOT BOOKMARK THE E-GOLD URL.

Some time ago I found that my bookmarked URL of E-Gold had been hijacked so that when you logged in you got taken to the real E-Gold site but straight to your ‘Balance’ page rather than the page that displays your Sentinel Settings, which had been re-set to minimum. At that time if you re-set your Sentinel Settings back to what they were right away all was OK and your money was safe.

My various anti this, that and the other defences spotted the hijacked bookmarked URL and deleted the URL but they have never found what does the actual hijacking, although I have had several possibilities:

0.exe
fiks.exe
w.exe
cpu.exe
gdiwxp.dll
gdiw2k.sys
mhh.exe

In each case I have replaced the file with a simple text file of the same name and made it ‘READ ONLY’ to prevent it from being overwritten by the real file.

Maybe someone has improved on the URL hijacker?

So for months now I have not had E-Gold bookmarked – working on the principle that if there was no bookmarked URL it cannot be hijacked. I’ve just been to my E-Gold account and all is well. AND I USE INTERNET EXPLORER. Apart from Crazy Browser, which is basically IE anyway, I have never used anything else.

e-gold: 2868405 10hourlyfunds.com - Incoming Spends Blocked
e-gold: 2692644 Sincere Hyip (2 times) - Incoming Spends Blocked
e-gold: 2743976 Soulhyip - Incoming Spends Blocked
e-gold: 284442 Hexer011 is now registered to (Michael’s Pot of Gold)
__________________
Click H E R E for my regular money earners. CAUTION – Using these links to join any of the sites IS NO GUARANTEE that you will make money. Forum Rules - FAQ's

#8
Investor
Join Date: Jul 2005
Location: Canada
Posts: 204

Quote:
No I have not.
Cheers,

#9
Senior Investor
Join Date: Jun 2005
Location: Bull Market
Posts: 951

Thanks for the warning.
__________________
HYIP Daily Blog - A must read for all HYIP investors
Prosper Investing Forums - Forum About Prosper Loans Investing.