Prevent Online Threats

Archive for the 'Trojan Horse Threats' Category

iPod phishing Trojan

Thursday, August 31st, 2006

Security firm Sophos is warning PC users of a Trojan horse that has been spammed out, claiming to be a notification that an Apple iPod has been shipped to them, and their account has been charged almost $500. The emails claim that the music player is being shipped via FedEx and that a payment of $479.95 has been received from the recipient’s e-gold account. Attached to the emails is a file called OrderInf.zip, which unpacks to OrderInfo.exe. Executing this file infects the user’s computer with the Dowdec-A Trojan horse that attempts to download further malicious code from the internet. Below is a copy of the email message.  

Dear ,
Please read the following message carefully.
We notify that your order was approved and shipped to you via FedEx 2Day Service, track 792531968828.
The amount of $479.95 USD was recieved from your e-gold account.
The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file.
Read it carefully to make sure that there’s no mistakes in characteristics of chosen product.
We appreciate your choice!
According to the rules, refund must be based on your original method of payment. Any requests to refund using e-gold are not accepted, if the payment method was credit card.
IPod For Your, Yahoo Shopping

Trojan Backdoor us15info

Thursday, July 27th, 2006

Trojan Backdoor us15info is a Trojan which runs in the background. It collects information about your computer and its DNS packets. Once collected, this information can be sent to a destination specified by the author.

Malicious Trojan Hijacks Mozilla Firefox

Tuesday, July 25th, 2006

Web browser extensions have been popular tools for a while now. However, as with almost anything technological, there is a dark side to this. Spyware and malware authors are busy creating malicious browser extensions and disguising them as legitimate. A trojan known as FormSpy targeting Mozilla Firefox has been spammed as an e-mail attachment that pretends to be from a legitimate source. When the attachment is opened, it installs a Mozilla Firefox extension known as “NumberedLinks 0.9.” Unlike the real NumberedLinks 0.9, which is an open-source Firefox extension that allows web navigation by unique numbers attached to web page links, this doppelganger instead silently downloads a suite of keylogger applications that spend their time looking for credit card numbers, PIN numbers, passwords, and other user data from web, ICQ, FTP, IMAP, and POP3 traffic. This information is then sent back to the spammer’s web site.

Extensions aren’t the only things being spoofed. Users are being sent an email telling them to download the newest Google Toolbar. Upon clicking the link, the user is sent to a fake web page that looks exactly like the real Google Toolbar download site. However, the download link on this site is actually a trojan.

As always, practicing skeptical computing is a must. If you see a new toolbar or browser extension, make sure that you download it from the official web site, rather than from a link in an e-mail or instant message. Skeptical computing isn’t just a philosophy, it should be a way of life.

Trojan Downloader Aux

Tuesday, July 25th, 2006

Trojan Downloader Aux is a downloader infecting the system32 file that downloads other threats designated by the author onto your computer. This is currently the 10th biggest threat in the world. 

2nd thought Trojan

Tuesday, July 25th, 2006

2nd thought is an adware Trojan that displays advertisements and may download other threats to your computer. It is also known to download a toolbar which redirects your searches. It automatically downloads when going to 2nd-thought.com.  

Trojan Backdoor SecureMulti

Tuesday, July 25th, 2006

Trojan Backdoor SecureMulti is a Trojan horse that may allow a hacker to gain unrestricted access to your computer when you are online. This backdoor trojan is commonly picked up through clicking on a link. 

Trojan Downloader Ruin

Tuesday, July 25th, 2006

Trojan Downloader Ruin is a downloader that may download other threats on your computer. This trojan downloader may also change your DNS server addresses or the localhost entry in your hosts file. Currently, it is the sixth biggest threat in the world.

Trojan Agent Winlogonhook

Sunday, July 23rd, 2006

Trojan Agent Winlogonhook is a backdoor agent that may allow a hacker to gain unrestricted access to your computer when you are online, without your knowledge.

Trojan Downloader WStart

Saturday, July 22nd, 2006

Trojan Downloader WStart is a downloader that may download other threats.

Exp/WMF-A

Saturday, July 22nd, 2006

Exp/WMF-A is a trojan horse that is used to exploit a flaw in Microsoft Windows Internet Explorer. Through this flaw, programs can be silently installed on your computer for purposes such as downloading adware, spyware or any other types of programs used to exploit your computer.

This trojan horse has gotten some attention since the recent situation over at Myspace where it was discovered that a company advertising on the Myspace site was attempting to use this exploit when users clicked on the banner ad.

If you are not sure whether you have the patch for this flaw installed on your computer, you can find the security patch on the Microsoft site.

Trojan Downloader Matcash

Friday, July 21st, 2006

Trojan Downloader Matcash is a downloader that may download other threats on your computer. Commonly it occurs in a pop-up which downloads the trojan from media.matcash.com. Currently this is the third top threat in the world.

p2pnetwork Trojan

Thursday, July 20th, 2006

p2pnetwork is a Trojan horse that may allow a hacker to gain unrestricted access to your computer when you are online through a p2p network. This trojan is the second biggest threat in the world. 

Trojan Downloader-Zlob

Wednesday, July 19th, 2006

Trojan Downloader-Zlob is a downloader that may download other threats on your computer. A trojan downloader is a tool that downloads trojans onto a computer. This trojan threat is currently the top threat in the world.  

Trojan Horse Infection Rates Rising

Thursday, July 13th, 2006

Trojan Horse infection rates are on the rise. From the fourth quarter of 2005 to the end of the first quarter in 2006, infection rates are up 29%. The most common of these Trojan Horses was the Trojan-Downloader-Zlob (TDzlb1). The instances of this Trojan more than doubled from 3.2% to 6.7% from Q4 2005 to Q1 2006.

W97M/Kukudro.A Trojan

Friday, July 7th, 2006

W97M/Kukudro.A is a macro-based Trojan dropper for Microsoft Word. The Trojan arrives in a .zip archive via an e-mail attachment that contains the Word document “my_Notebook.doc”. When this Word document is opened on a victim machine, the macro silently executes and extracts an executable file (666inse_1.exe). It then executes 666inse_1.exe (which we detect as W32/Sality.U).
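
Both the iPod phishing Trojan and W97M/Kukudro.A arrive as a .zip e-mail attachment, one holding an executable and the other a Word document. The following is an added example, not code from the original posts or from any vendor: a mail-gateway style triage of zip attachments, where the extension lists, function names and sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Legacy Office formats that can carry auto-running macros (assumed policy list).
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".ppt"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header used by .doc


def triage_zip(data):
    """Return sorted (member_name, reason) findings for one zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                head = member.read(8)  # only the file header is inspected
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension"))
            if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append((name, "PE header under non-executable name"))
            if ext in MACRO_CAPABLE_EXTS or head == OLE2_MAGIC:
                findings.append((name, "macro-capable Office document"))
    return sorted(findings)


def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: harmless stub bytes under the file names from the two posts.
ORDER_ZIP = make_zip({"OrderInfo.exe": b"MZ" + b"\x00" * 62})
NOTEBOOK_ZIP = make_zip({"my_Notebook.doc": OLE2_MAGIC + b"\x00" * 56})
RENAMED_ZIP = make_zip({"invoice.txt": b"MZ" + b"\x00" * 62, "readme.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in [("order", ORDER_ZIP), ("notebook", NOTEBOOK_ZIP), ("renamed", RENAMED_ZIP)]:
        print(label, triage_zip(blob))
```

Password-protected archives make `zf.open` raise `RuntimeError`, so a gateway would need to treat those as a separate finding.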

