Malware type: Not a Virus

In the wild: Yes

Destructive: No

Language: English

Platform: Internet Explorer 5.01, 5.5, 6.0

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:


Distribution potential:



This is Trend Micro's detection for an HTML-coded Web page that prompts the user to input various Visa account credentials. The following is a screenshot of the Web page:

Spoofed Visa site

The spoofed Web page, like the one above, is actually one of the two main components of a typical Phishing attack. The other component is a spammed email that contains a link to the malicious Web page. Here is a sample of the email that redirects users to the Web page shown previously:

Spoofed Visa Security Update email

This HTML script exploits an Internet Explorer (IE) vulnerability, enabling a malicious user to spoof a Web page to obtain Citibank ATM/Debit card and PIN numbers of target users. It runs on systems supporting the IE environment.

The vulnerability exploited by this malicious HTML script affects Internet Explorer 5.01, 5.5, and 6.0. More information on the vulnerability is available at Microsoft Knowledge Base Article - 833786.


Description created: Jan. 21, 2004 8:52:48 PM GMT -0800
Description updated: Jan. 21, 2004 9:33:14 PM GMT -0800


Size of malware: ~2,742 Bytes

Initial samples received on: Jan 22, 2004

Payload 1: Displays spoofed Visa web page


This malicious HTML script may originally arrive as an email message or via a visited Web page. The following is a sample of the spammed email:

Spoofed Visa Security Update email

The spammed email message is designed to convince recipients that it is an authentic Visa security update. It persuades its recipients to click on the "Continue" button.

When a user clicks the "Continue" button, a blank Web page on the following URL is opened: <blocked>

The blank page contains JavaScript code that opens a spoofed or forged Web page.

The succeeding page is forged to look like the USA Visa Web site. The Internet address also appears as, which is the address of the real Visa site. The actual address of the page, however, is the following: <blocked>

The spoofed site prompts for the visitor's VISA account number and PIN. The following is a screenshot of the spoofed site:

Spoofed Visa site

The actual and current Visa site appears as such:

Real Visa site

Vulnerability Exploit

This malicious HTML script uses an Internet Explorer vulnerability that gives an attacker the capability to spoof a Web site. An attacker could create a link to a deceptive Web site that displays the address of a legitimate site on the Internet Explorer address and status bars.

More information on the vulnerability can be found at Microsoft Knowledge Base Article - 833786.
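A defender-side check for the kind of deceptive link described above, added here as an example; it is not Trend Micro's detection logic. The page does not give the spoofing URL, so the check assumes the real host is hidden behind a userinfo ("user@host") component, optionally with percent-encoded control characters, and it also flags the general case of link text that names a different host than the link target. All names and sample data are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CTRL = re.compile(r"%[01][0-9a-f]", re.I)  # percent-encoded byte 0x00-0x1F
HOSTLIKE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def check_link(href, text=""):
    """Return reasons a link's visible identity may not match its real target."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return []
    reasons = []
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:  # the browser connects to the host after the last '@'
        reasons.append("userinfo-before-host")
        if CTRL.search(userinfo):
            reasons.append("encoded-control-char-in-userinfo")
    shown = HOSTLIKE.search(text)
    if shown and shown.group(1).lower() != (parts.hostname or "").lower():
        reasons.append("visible-host-differs-from-target")
    return reasons

class LinkAudit(HTMLParser):
    """Collect (href, visible text, reasons) for every <a href> in a message."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.findings.append((self._href, text, check_link(self._href, text)))
            self._href = None

def audit(html):  # keep only the links that raised at least one reason
    parser = LinkAudit()
    parser.feed(html)
    return [f for f in parser.findings if f[2]]

# Constructed sample body: reserved .example names and a TEST-NET-3 address.
SAMPLE = """<p>Update: <a href="http://www.bank.example%01@203.0.113.5/u.htm">
www.bank.example</a> or <a href="http://203.0.113.5/login">https://www.bank.example/login</a>.
Help: <a href="https://www.bank.example/help">www.bank.example/help</a></p>"""
```

Calling audit(SAMPLE) reports the first two links and leaves the legitimate help link alone.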

Analysis by: Reginald Wong


Minimum scan engine version needed: 6.510

Pattern file needed: 736

Pattern release date: Jan 22, 2004

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


The Trend Micro Anti-Phishing Solution

Trend Micro integrates a range of products and services to protect users and enterprises from phishing threats.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as HTML_VISAFRAUD.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

NOTE: Refer to Microsoft Knowledge Base Article - 833786 for tips on how to protect yourself from spoofed Web sites.
