New one on the market (BlueMountain Card hook)


Duh_OZ

hxxp://216.70.240.118/xxx.adobe.com%20shockwave%20download%20flash/FlashPlayer.exe

Not too many have caught it so far:
AhnLab-V3 - - Win-Trojan/Agent.214532.B
AntiVir - - TR/Crypt.XDR.Gen
CAT-QuickHeal - - (Suspicious) - DNAScan
F-Secure - - Trojan.Win32.Agent.fju
Ikarus - - Virus.Trojan.Win32.Agent.fju
Kaspersky - - Trojan.Win32.Agent.fju
Panda - - Suspicious file
Prevx1 - - Heuristic: Suspicious File With Covert Attributes
Webwasher-Gateway - - Trojan.Crypt.XDR.Gen

============
Got 3 storm e-mails last night, none so far today. Just a local
outbreak I guess :0)
 

Yes, I received that e-mail today (3-6-08). I believe it loaded a
virus b/c McAfee detected a "trojan". Now, when I log into My eBay it
asks for my credit card info. It also does this on paypal now too.
When I click on My eBay, it sends me to www.xktuie98sh.kit.net (not the
site address shown on my screen but McAfee site advisor) and asks for
my credit card info for security reasons. The e-mail had hearts with
Love messages.
 
In said:
> Yes, I received that e-mail today (3-6-08). I believe it loaded a
> virus b/c McAfee detected a "trojan".

So, did you download and execute the file?

> Now, when I log into My eBay it asks for my credit card info. It also
> does this on paypal now too. When I click on My eBay, it sends me to
> www.xktuie98sh.kit.net (not the site address shown on my screen but
> McAfee site advisor)

You must be using an insecure browser.

> and asks for my credit card info for security reasons.

...and have you entered your credit card information?

> The e-mail had hearts with Love messages.

A sure sign of nefariousism.
 

Why the heck did you open it and then click and give permission for
the executable to download and run?

It's a keylogger, password and other information stealer. There are
two main components, cftmon.exe and mshyta16.dll, which are started
from these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A
DllName - [windows]\System32\mshyta16.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cftmon - [windows]\System32\cftmon.exe

Delete the "__A" key (and all the values under it) and remove the
"cftmon" value from the "Run" key. Delete the two files cftmon.exe and
mshyta16.dll from the [windows]\System32 directory.

There will also be some related files in [windows]\System32. Look for
mshntfy16.dat, mshddtrack16.dat, mshdtxt32.dat, possibly GbpSv.exe and
a subdirectory named msconfig32 containing more directories and files.
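
The registry check described in the post above, as an added example (not part of the original thread and not from any poster): it parses a `reg export` text dump and reports Run and Winlogon\Notify entries that load one of the files the post names. The sample export is constructed; `C:\WINDOWS` standing in for [windows] and the `ExamplePkg` / `ExampleTray` entries are assumptions.

```python
import ntpath
import re

# File names taken from the post above; nothing else is treated as an indicator.
BAD_FILES = {"cftmon.exe", "mshyta16.dll", "mshntfy16.dat",
             "mshddtrack16.dat", "mshdtxt32.dat", "gbpsv.exe"}
NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__A]
"DllName"="C:\\WINDOWS\\System32\\mshyta16.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExamplePkg]
"DllName"="example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cftmon"="C:\\WINDOWS\\System32\\cftmon.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''

def parse_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if key and m:
            # .reg files escape backslashes and quotes with a backslash; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_persistence(text):
    """Return autostart entries whose target file is one named in the post."""
    hits = []
    for key, name, data in parse_export(text):
        k = key.lower()
        in_scope = k == RUN or k.startswith(NOTIFY + "\\")
        # Compare on the file name only, so the Windows directory can differ.
        target = ntpath.basename(data.strip('"')).lower()
        if in_scope and target in BAD_FILES:
            hits.append((key, name, data))
    return hits
```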
 