Malware posing as Windows product activation

A new piece of malware identified by Symantec as 'Trojan.Kardphisher' targets Windows XP users by portraying itself as related to Windows product activation. Symantec calls the threat level "very low", but I wanted people to be aware of it.

After installation and a reboot, the Trojan appears as the Windows activation screen pictured below.


The malware allows only two choices: 'yes' or 'no'. Choosing 'no' will shut down Windows; choosing 'yes' will bring the user to a second screen (below) where the malware asks for personal and credit card information.


In its review of this malware, Symantec posted the video below demonstrating the behavior of 'Trojan.Kardphisher'.

While not a technically sophisticated approach, this Trojan relies on a social engineering tactic to trick consumers into providing credit card and other personal data. Because of situations like this, Microsoft recommends that people be very cautious about revealing personal and financial information online. When in doubt, customers can learn more about our activation and validation programs at ( or ) or call Microsoft's customer service line directly at (800) MICROSOFT (642-7676). You can also head over to, which includes info on how to protect yourself from this type of online threat.

BTW, thanks to Symantec and Takashi Katsuki for their excellent summary of this malware.