Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Dangerous Fake e-Bay Toolbar - Opens up PC for Remote Control

AVERT Labs is documenting a new fake toolbar that is in circulation. While it provides legitimate functionality for e-Bay users, it also carries a hidden agent that installs a remote control account with full administrative rights. The bad guys can then secretly log on to the infected PC with full access to any files that might be found there.

It is a good practice to avoid all toolbars, as they can slow down browser performance. Also, some of the toolbars offered are malware attacks in disguise, as in this case.

AVERT Labs - More Than a Toolbar
http://www.avertlabs.com/research/bl...han-a-toolbar/

QUOTE: We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.

This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account "eBayMember" with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from the login screen, to prevent the victim from noticing.

Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.
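The following PowerShell audit is an added example, not part of the AVERT Labs write-up: it checks a Windows host for the three changes the quote describes (Terminal Services reachable on TCP 3389, an "eBayMember" account, and a privileged account hidden from the login screen). It assumes an elevated PowerShell 5.1 session on a current Windows version, and it assumes the account was hidden through the `SpecialAccounts\UserList` registry key, which is the usual Windows mechanism; the page does not say which mechanism the sample used.

```powershell
# Added example: run from an elevated PowerShell 5.1+ prompt.
$findings = @()

# 1. Remote Desktop / Terminal Services: fDenyTSConnections = 0 means enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections are enabled'
}

# 2. Anything listening on TCP 3389 (the port named in the quote).
if (Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue) {
    $findings += 'A service is listening on TCP 3389'
}

# 3. The account name reported by AVERT Labs.
if (Get-LocalUser -Name 'eBayMember' -ErrorAction SilentlyContinue) {
    $findings += "Local account 'eBayMember' exists"
}

# 4. Accounts hidden from the login screen (assumed mechanism, see lead-in):
#    a DWORD value of 0 under this key hides the account of the same name.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path $hideKey) {
    $key = Get-Item $hideKey
    $hidden = @($key.GetValueNames() | Where-Object { $_ -and $key.GetValue($_) -eq 0 })
}

# 5. A hidden account is far more suspicious when it is privileged or RDP-capable.
#    Well-known SIDs are used so the check also works on localized Windows.
$groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-555' = 'Remote Desktop Users' }
foreach ($sid in $groups.Keys) {
    $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $short = ($m.Name -split '\\')[-1]      # strip the COMPUTER\ prefix
        if ($hidden -contains $short) {
            $findings += "Hidden account '$short' is a member of $($groups[$sid])"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No indicators from this report were found.' }
```

Remote Desktop being enabled is not malicious by itself on a managed machine; the combination of findings 3 to 5 is what matches the behaviour described in the quote.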