Answer» Glad I didn't download this!!!
If you've posted your data or resume to Monster.com, watch out for a well-crafted e-mail that purports to come from the site and offers a link to a downloadable "Monster Job Seeker Tool." The download is actually one or more pieces of malware that attempts to steal your financial data or even encrypt your important documents and hold them for ransom.
According to Symantec's analysis of the attack, the e-mails look entirely real, and may use the intended victim's real name and other personal information.
The attackers get that personal info with a multi-pronged attack that starts with a Trojan called Infostealer.Monstres. Monstres steals personal information about Monster.com users from the section of the site used by recruiters to find job seekers. That can include a searcher's name, e-mail address, home address and other data.
The crooks use that stolen info to then send the personalized attack e-mail. If you click the contained link, you could be infected by one of two pieces of malware (so far). One, which Symantec labels Infostealer.banker.c, attempts to steal online financial account logins. The other, Trojan.gpcoder.e, will encrypt a range of documents on a victim PC and then demand a ransom payment for the decryption password.
If you've received one of these e-mails and think you might be infected, here's a test that could turn up malware your antivirus program may have missed. Gpcoder creates a backdoor that allows attackers to connect to infected machines, and you can detect the backdoor like this (on Windows XP):
1. Click Start | Run
2. Enter 'cmd' to bring up a command prompt.
3. Type "telnet localhost 6081" and hit Enter.
According to Don Jackson at Secureworks, who says the possibly related Prg Trojan uses the same port 6081 as a backdoor, a non-infected computer will respond with a message like "Could not open connection to the host, on port 6081: Connect failed." That means nothing is listening on that port - or backdoor.
But if you don't see that error message, and it just sits there after you type the telnet command, it means something is listening and waiting for input. To figure out if that something is malware (and assuming your current antivirus program doesn’t catch it), check Lincoln Spector's tips. I'd also suggest calling your antivirus program vendor.
Computerworld has a story on this attack that suggests a possible additional attack vector with infected ads, but I haven't yet found any confirmation of those ads. Mimi Hoang at Symantec says her company's analysis didn't turn up any poisoned ads on Monster.com, and Roger Thompson (http://explabs.blogspot.com/) of Exploit Prevention Labs says his company's scanners haven't found any over the past few weeks.
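The telnet step in the post, done from a script so the three outcomes are named instead of guessed from a hanging console. This is an added example, not code from the post or from Symantec/Secureworks; the port number comes from the post, while the function names and the throwaway listener used for self-testing are my own.

```python
"""Check whether anything is listening on a local TCP port, e.g. the port 6081
backdoor the post describes. Example code, not from the original post."""
import socket

# Port named in the post for the Gpcoder / Prg backdoor check.
BACKDOOR_PORT = 6081


def check_port(port, host="127.0.0.1", timeout=2.0):
    """Return (status, banner) for host:port.

    status 'closed'    -> connection refused: nothing is bound to the port
                          (telnet prints "Could not open connection to the host").
    status 'listening' -> the connect succeeded: some process accepted it
                          (telnet just sits there waiting for input).
    status 'no-answer' -> no reply within the timeout (firewall or hung service).
    banner is whatever the listener volunteers in the first half second, often
    nothing; it is only collected to help identify the owning service.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)
            try:
                banner = s.recv(256)
            except (socket.timeout, OSError):
                banner = b""
            return "listening", banner
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "no-answer", b""


def open_test_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port so check_port can be
    exercised safely on a clean machine. Returns (socket, port); close it after."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    status, banner = check_port(BACKDOOR_PORT)
    print(f"127.0.0.1:{BACKDOOR_PORT} -> {status}")
    if status == "listening":
        # A listener alone is not proof of malware: find the owning process
        # first (Windows: netstat -ano, then tasklist /fi "PID eq <pid>").
        print("Something accepted the connection; identify the owning process.")
        if banner:
            print("Banner:", banner[:80])
```

If the result is "listening", follow the post's advice and confirm what process owns the port before treating it as an infection.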