The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Dec 29 2004 10:37 GMT
Released Jul 23 2009 12:14 GMT
Published Dec 29 2004 10:37 GMT

Technical Details

This family of Trojans utilises spoofing technology. The Trojans themselves are contained in fake HTML pages. Messages, purportedly from banks, financial institutions, internet stores, software companies etc. are sent to users. These messages contain a link to the fake page; this link exploits the Frame Spoof vulnerability in Internet Explorer.

The Frame Spoof vulnerability is present in Internet Explorer v. 5.x and 6.x, and detailed in Microsoft Security Bulletin MS04-004. The bulletin also gives recommendations on how to recognise spoofed sites.

Once a user visits the fake site, and enters account details or personal information, these details will be sent to a malicious remote user, who will then have access to users' confidential information.

Bookmark and Share

Trojan-Spy programs are used to spy on a user’s actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.) The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.


Trojan-Spy.HTML.Fraud.gen (Kaspersky Lab) is also known as:

  • Heuristics.Phishing.Email.SSL-Spoof (ClamAV)