If you frequent any JP sites (such as PhotoII looking for any interesting FFXI screenshots posted) be careful what you click on. There's a trojan going around right now (circulating JP sites) in the forum of a simple Hyperlink to a couple of websites that people are just posting on these forums etc.
The website downloads a program to your computer using a bit of Javascript and a flaw in the windows help system that allows it to execute code. It download and runs a "SVCHOST.EXE" to your system, which will grab your POL ID and Password next time you log in. It's not a Key logger, it doesn't need to wait for you to type it in, it just needs you to run POL.
About 50 accounts are supposedly confirmed to be stolen by this now. The IP addresses of the sites hosting the Trojan are supposedly Chinese. Few sites known to install the trojan:
www-japan213-com
www-1102213-com
ff11-free-sakura-ne-jpi/nove/00-00.html
homepage3-nifty-com/~ffxi/Shield.html
Probably a ton more, those are just sites confirmed to do it if you visit them.
The following HEX view of the trojan executable seems to show that the program reads your login information from a temporary file in the PlayOnline Viewer folder that stores your ID and Password. It then opens what appears to be a simple ASP page that sends the author your details.
The executable shows the ASP page being stored on the domain above, so the best thing to do right now would be to block that domain on your firewall. If somehow you got infected, hopefully it wouldn't be able to get through. Dots were replaced by dashes so hopefully nobody accidentally follows the link somehow. Block this:
www-japan213-com = 211-100-26-182
Note: "SVCHOST.EXE" is also the name of the Windows Service Host, and most (if not all) Firewalls will allow it access to the Internet by default. So don't expect your Firewall to trap it. It might do so, but don't give it the chance.
