
Trojan:Win32/Kovter.C and identity theft


  • Please log in to reply
12 replies to this topic

#1 Prolixity

Prolixity

  • Members
  • 9 posts

Posted 26 August 2015 - 04:06 PM

This is my first post.  I hope this is the correct forum for it, I couldn't find any other that seemed appropriate.

I recently had the Win32/Kovter.C Trojan on one of my computers for a short time.  My concern is that I had a file on the computer that had names and phone numbers and some addresses.  According to what I've read the Win32/Kovter.C Trojan is primarily designed to steal personal information from the user such as bank login information and other such.  But I did see some brief phrases that led me to believe that it might search files on the hard drive for the kind of information I have in the file.  The file is a password protected zip file, if that makes any difference.  

My concern is whether the information in the file, there are no birthdays or other sensative information, puts people at much risk for identity theft and how likely it might be that the malware found it and sent it somewhere.  I didn't see anything in my research that said that others might be at risk, i saw lots of statements about the personal data of the computer user being at risk.  

I'm not sure if i should warn people.  I haven't been in touch with many of them for years.

If there is a more appropriate place to discuss this question, please let me know.

Thanks for information and comments.




#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 27 August 2015 - 12:44 PM

The file just contains names, phone numbers and addresses? No e-mail address, SSN, CCN, ... ?

 

The fact that the file is encrypted can make a big difference.

How good is your password? And do you know which encryption was used? The old ZIP crypto or AES?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
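The question above (old ZIP crypto or AES?) can be answered from the archive's own headers, without the password: general-purpose flag bit 0 marks an entry as encrypted, and WinZip AES archives additionally use compression method 99 with an 0x9901 "AE-x" extra field that records the key strength. The following inspector is an added example, not code from this thread or from any of the posters; it parses the central directory by hand rather than relying on the `zipfile` module, and the `build_sample_zip` fixture is constructed for the demonstration only (it sets the header fields but does not actually encrypt the payload, which is all the classifier looks at). Any real archive can be checked by passing its path on the command line.

```python
"""Report, per entry of a ZIP archive, whether it is encrypted and whether the
legacy ZipCrypto scheme or WinZip AES (AE-x) was used. Headers only, no password
needed. Added example; builder and sample data are constructed for this demo."""
import struct
import zlib

EOCD_SIG = 0x06054B50      # end of central directory record
CDFH_SIG = 0x02014B50      # central directory file header
LFH_SIG = 0x04034B50       # local file header
AES_EXTRA_ID = 0x9901      # WinZip AE-x extra field tag
AES_METHOD = 99            # compression method reserved for WinZip AES
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def _iter_extra(extra: bytes):
    """Yield (tag, body) pairs from a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, length = struct.unpack_from("<HH", extra, pos)
        yield tag, extra[pos + 4:pos + 4 + length]
        pos += 4 + length


def _classify(flags: int, method: int, extra: bytes) -> dict:
    """Decide the encryption scheme from flag bits, method and extra fields."""
    if not flags & 0x0001:                      # bit 0: entry is encrypted
        return {"encrypted": False, "scheme": "none"}
    if method == AES_METHOD:
        for tag, body in _iter_extra(extra):
            if tag == AES_EXTRA_ID and len(body) >= 7:
                ver, vendor, strength, inner = struct.unpack("<H2sBH", body[:7])
                if vendor == b"AE":
                    return {"encrypted": True, "ae_version": ver, "inner_method": inner,
                            "scheme": AES_STRENGTH.get(strength, "AES-?")}
        return {"encrypted": True, "scheme": "unknown (method 99 without AE extra)"}
    if flags & 0x0040:                          # bit 6: PKWARE strong encryption
        return {"encrypted": True, "scheme": "strong encryption (PKWARE SES)"}
    return {"encrypted": True, "scheme": "ZipCrypto (legacy, weak)"}


def classify_zip_entries(data: bytes) -> list:
    """Walk the central directory of a ZIP archive and classify every entry."""
    # The EOCD record is 22 bytes and may be followed by a comment of up to
    # 65535 bytes, so search backwards within that window for its signature.
    eocd = data.rfind(struct.pack("<I", EOCD_SIG), max(0, len(data) - 65557))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if f[0] != CDFH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        entries.append({"name": name, **_classify(flags, method, extra)})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def build_sample_zip(entries) -> bytes:
    """Constructed fixture: a minimal STORED-method ZIP whose headers are set to
    the requested mode ("none", "zipcrypto", "aes256"). Payloads are left in the
    clear; only the flags and AE-x extra field that the classifier reads are set."""
    local, central = bytearray(), bytearray()
    for name, payload, mode in entries:
        flags, method, extra = 0, 0, b""
        if mode == "zipcrypto":
            flags = 1
        elif mode == "aes256":
            flags, method = 1, AES_METHOD
            # AE-2 vendor version, vendor "AE", strength 3 (256-bit), inner method 8
            extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
        nm, crc, offset = name.encode(), zlib.crc32(payload), len(local)
        local += struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, flags, method, 0, 0, crc,
                             len(payload), len(payload), len(nm), len(extra))
        local += nm + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CDFH_SIG, 20, 20, flags, method, 0, 0,
                               crc, len(payload), len(payload), len(nm), len(extra),
                               0, 0, 0, 0, offset)
        central += nm + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


SAMPLE = [("plain.txt", b"hello", "none"),
          ("contacts.csv", b"hello", "zipcrypto"),
          ("contacts-aes.csv", b"hello", "aes256")]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip(SAMPLE)
    for e in classify_zip_entries(blob):
        print(f"{e['name']:<24} encrypted={str(e['encrypted']):<5} scheme={e['scheme']}")
```

Run it with no arguments to see the three constructed cases, or with `python zipcheck.py archive.zip` on a real file. An entry reported as "ZipCrypto (legacy, weak)" is protected only by the old PKWARE stream cipher, which is the case Didier is distinguishing from AES; the archive format itself tells you which one you have.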


#3 Prolixity

Prolixity
  • Topic Starter

  • Members
  • 9 posts

Posted 27 August 2015 - 02:11 PM

I may have sent a reply accidentally before it was finished.  

Didier and all
Thanks for your reply.  There are some e-mail addresses.  The file was password protected as a zip file using the Microsoft zip utility.  No other protection was used.  However, I'm afraid the protection may be worthless because I used the password while the Trojan was on the machine.  I imagine it was sent to whomever received information.

Gene



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 27 August 2015 - 03:54 PM

I don't see what risk the people in the list run, apart from getting SPAM. There's no CCN so no CC fraud; there's no SSN so no identity fraud.



#5 Prolixity

Prolixity
  • Topic Starter

  • Members
  • 9 posts

Posted 28 August 2015 - 08:55 AM

Thanks for your reply.  While I feel somewhat better, I suspect that the phone numbers and addresses might put people at higher risk of receiving phone phishing calls or perhaps have their mail redirected and that's somewhat troubling.  I gather information such as names with phone numbers and addresses may be sold on the Internet.  Perhaps you or someone knows if I am exaggerating the possibility of such things.  



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 28 August 2015 - 09:29 AM

Thanks for your reply.  While I feel somewhat better, I suspect that the phone numbers and addresses might put people at higher risk of receiving phone phishing calls or perhaps have their mail redirected and that's somewhat troubling.  I gather information such as names with phone numbers and addresses may be sold on the Internet.  Perhaps you or someone knows if I am exaggerating the possibility of such things.  

 

Those phone calls from fake Microsoft support are random calls, AFAIK.

What do you mean with "have their mail redirected"?

 

Such information is sold, but then we talk about large lists, hundred thousands of entries and more.

That is not the case here I assume.



#7 Prolixity

Prolixity
  • Topic Starter

  • Members
  • 9 posts

Posted 28 August 2015 - 10:28 AM

I'll give a few examples and you may be able to determine if I am exaggerating or misunderstanding how such things may be done.

Someone's name and number may be sold on an identity theft site.  The thief may use the information to find out where the person lives and send a change of address form to the post office to get physical mail that may contain useful information such as credit card bills.  The purchaser may already know roughly where the person lives by the phone number or by where the infected computer is located.

Another example:

The phone number may be used to get the address of the person and increased phishing calls may be made that may be more convincing because the name and address may be used to convince the person the message is legitimate. 

A last example:

If the person's work number is included in the information, perhaps the person's place of employment might be called to try to get information.

I assume that information such as phone numbers has some value since it appears that some malware looks for it.  If I misunderstand or am exaggerating how this works, I'd like to know.

 

Thanks for your responses.



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 28 August 2015 - 01:55 PM

Like I said, a short, random list of names and phone numbers has no value, it can not be sold.

This is what you have, right?

 

What is the difference with someone going to a website like 411 dot com, typing in a few names and getting names, addresses and phone numbers?

This information is public.



#9 Prolixity

Prolixity
  • Topic Starter

  • Members
  • 9 posts

Posted 28 August 2015 - 03:40 PM

That's what I had thought, that since such information could be so easily looked up, it had no value.  Then, after I was infected, I started to wonder why phone numbers might be looked for by the Trojan and I started to worry.  I'll probably still worry somewhat for a while, but our discussion has made me much less worried.

Thanks for the exchange.



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 28 August 2015 - 04:43 PM

Where did you get the information that Win32/Kovter.C steals phone numbers?



#11 Prolixity

Prolixity
  • Topic Starter

  • Members
  • 9 posts

Posted 28 August 2015 - 06:24 PM

I found the information on a number of sites.  I don't know how reliable the information is.  The sites generally seem not to be those of security companies, at least not known ones.  They seem to be blogs or small sites.  The information is very imprecise, but phone numbers are mentioned.  I found a number of the sites again by doing a Google search for Trojan:Win32/Kovter.C phone numbers.

Here are a few of the sites along with a sentence mentioning phone numbers from each.  I believe it is the only mention of phone numbers in each article.

http://computervirusremovalfixer.blogspot.com/2015/06/completely-remove-trojanwin32kovtercreg.html
Trojan:Win32/Kovter.C!reg is also good at stealing your personal information like credit card details, phone number, logins, passwords, credit card and backing account without your awareness.

Further, the virus is looked upon as a good stealer of personal information including; bank account number, credit card information, logins, passwords and phone-numbers.
 

I'll be interested in your assessment.


Edited by Chris Cosgrove, 29 August 2015 - 04:01 AM.
Ambiguous URL removed


#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts

Posted 29 August 2015 - 04:47 AM

Me too, I don't know how reliable the information is on the site you mention.

 

But if you look on sites like Microsoft, they don't mention phone numbers.


Edited by Didier Stevens, 29 August 2015 - 05:42 AM.


#13 Sintharius

Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Location:The Netherlands

Posted 29 August 2015 - 05:14 AM

Both sites that Prolixity mentioned in his post are dubious malware removal guides designed to fearmonger people into downloading SpyHunter (and who knows what else) so I'd say to stay away from them.
