TrojanSpy:JS/Paylap.B
First posted on 19 June 2012.
Source: Microsoft
Aliases:
TrojanSpy:JS/Paylap.B is also known as PWS:HTML/Phish.X (other), JS/Phish (AVG), Mal/Phish-A (Sophos).
Explanation:
TrojanSpy:JS/Paylap.B is a detection for JavaScript within a webpage that can imitate the logon for the financial site PayPal and steal your login details.
Installation
This trojan is encountered when browsing to a webpage that hosts the JavaScript. When viewed, Paylap displays a request for information, such as the following:
If you enter details and click "Agree and submit", the details are submitted to one of many servers for collection by an attacker. We observed the following to be a (non-comprehensive) list of servers used to collect your sensitive information:
Additional information
PayPal is an online site used to buy and sell goods and services. Each PayPal account uses a funding source such as your bank account or credit card.
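The submission step described under Installation, where the entered details go to a server that is not PayPal's, lends itself to a static check. The following is an added example, not part of the original entry or of Microsoft's detection logic: a heuristic that flags PayPal-branded password forms whose action resolves to an untrusted host. The function names, the TRUSTED_DOMAINS allow-list and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for a PayPal-branded credential form that
// posts somewhere other than PayPal. TRUSTED_DOMAINS is an illustrative
// allow-list (assumption); all sample pages below are constructed.
const TRUSTED_DOMAINS = ['paypal.com'];

// Suffix match on whole labels, so "paypal.com.secure-login.example" fails.
function isTrustedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return TRUSTED_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Returns one finding per password-bearing form whose resolved action host
// is not trusted. Static only: forms built by obfuscated script are missed.
function findSuspiciousForms(html, pageUrl) {
  const findings = [];
  if (!/paypal/i.test(html)) return findings; // no brand reference, skip
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!/<input\b[^>]*\btype\s*=\s*["']?password/i.test(body)) continue;
    const a = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const action = a ? (a[1] ?? a[2] ?? a[3]) : '';
    try {
      // An empty or relative action resolves against the hosting page.
      const target = new URL(action || pageUrl, pageUrl);
      if (!isTrustedHost(target.hostname)) {
        findings.push({ host: target.hostname, action: target.href });
      }
    } catch (e) {
      findings.push({ host: null, action }); // unparseable target
    }
  }
  return findings;
}

// Constructed samples: a lookalike host, a relative action, a genuine page.
const lookalike = '<h1>PayPal</h1><form method="post" ' +
  'action="http://paypal.com.secure-login.example/collect.php">' +
  '<input name="email"><input type="password" name="pw">' +
  '<input type="submit" value="Agree and submit"></form>';
const relative = '<title>PayPal</title><form action=save.php>' +
  '<input type=password name=pw></form>';
const genuine = '<title>PayPal</title><form action="/signin">' +
  '<input type="password" name="pw"></form>';

console.log(findSuspiciousForms(lookalike, 'http://hosting.example/a.html'));
console.log(findSuspiciousForms(relative, 'http://hosting.example/dir/b.html'));
console.log(findSuspiciousForms(genuine, 'https://www.paypal.com/signin'));
```

The host comparison matches whole domain labels from the right, which is why a hostname that merely begins with or contains the brand name is still reported.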
Analysis by Hyun Choi
Last update 19 June 2012