Phish-BuyPhony

Type: Trojan
SubType: Phishing
Discovery Date: 07/01/2007
Length: Varies
Minimum DAT: 5065 (07/02/2007)
Updated DAT: 5066 (07/03/2007)
Minimum Engine: 5.1.00
Description Added: 07/01/2007
Description Modified: 07/16/2007 1:37 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update July 2, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://blogs.zdnet.com/hardware/?p=574

Phish-BuyPhony is an Internet Explorer Browser Helper Object (BHO) designed to hijack well-known websites and steal money by masquerading as Apple's iPhone online shop. When successful, the victim is brought to a fake site where payment is made to the crooks via Western Union or MoneyGram.

When run, it installs the BHO component at:

  • %Windir%\system32\rwera21s1.dll

(Where %Windir% is the Windows folder; e.g. C:\Windows)

It also sets the following Windows registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Ppc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA7F2000-EA05-489d-900C-3C7C0A5497A3}\"InprocServer32" = "%Windir%\System32\rwera21s1.dll"

When installed, this trojan hooks into Internet Explorer and triggers a fake popup on popular search engine sites such as Yahoo and Google, as well as on the official Apple vendor website.

[Screenshots: fake popup when browsing Apple.com, Google and Yahoo.]

Clicking this fake link brings the user to what appears to be www.iphone.com. Under normal circumstances, the legitimate www.iphone.com site redirects the user to the official vendor website at www.apple.com/iphone/.

On an infected machine, however, the address bar keeps showing the www.iphone.com URL while the page is actually a phishing site loaded from a malicious server on the iesecurityupdates.com domain.

The phishing site claims to be the only place in the world to order the first 25,000 iPhones and promises delivery within a maximum of 5 days. The victim fills in personal particulars, chooses a color and can even request custom engraving on the iPhone before being asked to pay via Western Union or MoneyGram.

At the same time, the user's web activity is tracked, logged to a local file and reported back to the malware owner. The log file is located at:

  • %Windir%\system32\confg.xml

The malware can communicate with the following website(s):

  • http://203.223.158.{blocked}/{blocked}
  • http://203.223.158.{blocked}/{blocked}/searchsite.php
  • http://203.223.158.{blocked}/{blocked}/getconf.php
  • http://203.223.158.{blocked}/{blocked}/hitsite.php
  • http://203.223.158.{blocked}/{blocked}/redsite.php


Symptoms

  • Presence of the files and registry key(s) mentioned.
  • Unexpected connection to the mentioned website(s).
  • Presence of the mentioned fake popup windows.
  • Loading of a phishing website instead of the official vendor website when visiting www.iphone.com.
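A host check for the artifacts listed above, written here as an added example and not part of the McAfee description: it tests for the dropped DLL and log file, the two registry keys, and walks Internet Explorer's BHO registration list to resolve each CLSID to its server DLL. The Browser Helper Objects registry path is the standard IE registration point and is an assumption of this example; the CLSID, file names and keys come from the description.

```powershell
# Added example (not from the McAfee description): look for Phish-BuyPhony
# artifacts on a Windows host. Run from an elevated PowerShell prompt.
$Clsid    = '{AA7F2000-EA05-489d-900C-3C7C0A5497A3}'   # CLSID from the description
$DllName  = 'rwera21s1.dll'                            # BHO DLL from the description
$System32 = Join-Path $env:WINDIR 'system32'
$findings = @()

# 1. Files dropped by the trojan: the BHO component and the activity log.
foreach ($name in $DllName, 'confg.xml') {
    $path = Join-Path $System32 $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Registry keys written at install time.
if (Test-Path 'HKLM:\SOFTWARE\Ppc') { $findings += 'Registry key present: HKLM\SOFTWARE\Ppc' }
$server = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
if (Test-Path $server) {
    $dll = (Get-ItemProperty -Path $server).'(default)'
    $findings += "CLSID $Clsid registered, InprocServer32 = $dll"
}

# 3. Enumerate every registered BHO (assumed standard IE registration path),
#    resolve its server DLL, and flag the known CLSID or the known DLL name.
#    On 64-bit Windows a 32-bit BHO may also live under Wow6432Node.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($key in Get-ChildItem -Path $bhoRoot) {
        $id  = $key.PSChildName
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { '<no server>' }
        if ($id -eq $Clsid -or $dll -match [regex]::Escape($DllName)) {
            $findings += "Suspicious BHO $id -> $dll"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1      # non-zero so a fleet-wide run can collect hits
}
Write-Output 'No Phish-BuyPhony artifacts found.'
```

Pair the host check with a proxy or DNS search for the iesecurityupdates.com domain and the 203.223.158.x addresses listed above to cover the network symptom.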


Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include email, IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • Aifone.A (Panda)
  • TSPY_AYFONY.A (TrendMicro)
