Avert Labs reports a new fake toolbar you should be aware of.
Upon execution, the file .exe displays the eBay toolbar EULA and the installation interface. But there is a hidden agent that silently opens TCP port 3389 and creates a new account, “eBayMember”, with Administrator privileges.
The account’s login screen is hidden so you will not notice it, but at that point the computer is owned by the remote attacker.
However, something grabbed my attention during the installation. Besides the 2ebaytoolbarsetup.exe process, the program also created the wscript.exe process and ran .vbs files, which is not common for a toolbar installation. So I looked into every file dropped by the installer. Then something caught my eye…
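
A host audit for the three behaviours described above (an unexpected Administrator account, an account hidden from the logon screen, a listener on TCP 3389), added here as an example and not part of the original post. It assumes an elevated PowerShell 5.1+ session and that the account is hidden through the standard Winlogon `SpecialAccounts\UserList` key, which the post does not confirm.

```powershell
# Added audit example; not code from the original post.

# 1. Members of the local Administrators group, looked up by well-known SID
#    so the check also works on non-English Windows installs.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
$adminNames = @($admins | ForEach-Object { ($_.Name -split '\\')[-1] })

# 2. Accounts hidden from the logon screen.
#    ASSUMPTION: hiding is done with the standard SpecialAccounts\UserList key,
#    where a value of 0 under the account's name hides it.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path -Path $userListKey) {
    $key = Get-Item -Path $userListKey
    $hidden = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 })
}

# 3. Remote Desktop state: the registry switch and any live listener on 3389.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name 'fDenyTSConnections'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
$listeners = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
$listenerPids = @($listeners | ForEach-Object { $_.OwningProcess } | Sort-Object -Unique)

# An account that is both an Administrator and hidden from the logon screen
# matches the pattern in the post and should be treated as a finding.
$hiddenAdmins = @($adminNames | Where-Object { $hidden -contains $_ })

[pscustomobject]@{
    Administrators       = $adminNames -join ', '
    HiddenFromLogon      = $hidden -join ', '
    HiddenAdministrators = $hiddenAdmins -join ', '
    NamedInPostPresent   = ($adminNames -contains 'eBayMember')
    RdpEnabledInRegistry = $rdpEnabled
    Port3389ListenerPids = $listenerPids -join ', '
} | Format-List
```

A non-empty `HiddenAdministrators` field, or RDP enabled on a machine where nobody turned it on, warrants investigation even if the account name differs from the one in the post.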





