Trojan.Kardphisher is a Trojan horse program that purports to deactivate genuine, previously activated copies of Windows following infection. Security company Symantec has warned of the spread of Trojan.Kardphisher and revealed that the malicious program is not a technical masterpiece but instead relies on social engineering techniques. The catch is that the malicious code does not actually deactivate genuine copies of Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 or Windows XP, whether activated or not.
After compromising a system, the malware becomes active on the first Windows boot and displays a message titled "Microsoft piracy control", as shown in the adjacent image. The Trojan informs users that their copy has been activated by another person and asks them to repeat the activation process.
It is obvious that the author of this social engineering scheme has gone to great lengths to make the attack look and feel as legitimate as possible, but there are still some loopholes that point to a fake. First off, Microsoft generally avoids using the term "piracy" in direct contact with Windows users; the Genuine Software Initiative gives a clue as to the policies applied by the Redmond company, and Windows Genuine Advantage is the mechanism that governs Microsoft's detection of non-genuine copies of the operating system. Trojan.Kardphisher additionally asks for the users' billing details and offers only the possibility of activating Windows over the Internet.
"You can only choose Yes or No. You can't run Task Manager or any other applications. If you choose No your PC will be shut down immediately," said Takashi Katsuki, Symantec Security Response engineer. Choosing the Yes option takes users to the screen captured in the image at the bottom, where they are asked for their credit card details.
"Now you may think 'It can't be true. I have activated my legitimate copy of Windows. MS can't do such a thing!' Surely almost everyone will notice that something strange is going on, and hopefully very few people will actually become victims by inputting their credit card details. But unfortunately even the people who are not tempted to give up their information this time might well become victims the next time. After all, failure to follow the on-screen instructions results in your PC shutting down immediately," Katsuki added.