Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical – it’s really just another classic social-engineering attack. What makes it interesting is that the author has obviously taken great pains to make it appear legitimate.

When you restart your PC after the Trojan is installed, this window appears:

You can choose only Yes or No. You can’t run Task Manager or any other applications. If you choose No, your PC will be shut down immediately. If you choose Yes, you’ll see this image:

Now you may think, “It can’t be true. I have activated my legitimate copy of Windows. MS can’t do such a thing!” Surely almost everyone will notice that something strange is going on, and hopefully very few people will actually become victims by inputting their credit card details. But unfortunately, even the people who are not tempted to give up their information this time might well become victims the next time. After all, failure to follow the on-screen instructions results in your PC shutting down immediately.

continued @ Security Response Weblog