Bank of China security applet - ROOTKIT?

A friend was trying to access an account at Bank of China. This apparently required that she install some sort of security applet on her notebook PC. It also required that she use Internet Explorer instead of her usual Firefox browser.

I don’t know if it was during download or trying to install (I wasn’t watching), but AVAST detected it as a ROOTKIT. I advised her to delete it.

I believe that the English version of the site was:

https://ebs.boc.cn/BocnetClient/LoginFrame.do?_locale=en_US

The name of the file seems to be BOCNET_Client.exe

Can someone verify that this is indeed a ROOTKIT and not a false positive? It seems funny that the largest bank in China would be creating a ROOTKIT and REQUIRING all online customers to use it or they are denied online access to their accounts.

Bob Carroll, Las Vegas

Can you send us the file to virus@avast.com, preferably packed in a password-protected ZIP or RAR, putting the password into the e-mail?
I’m not able to download the file from the URL you posted - the site appears dead.

I will email it as a password-protected Bank-of-China-rootkit-suspect.zip

BTW, the original Chinese-language site URL is:

https://ebs.boc.cn/BocnetClient/LoginFrame.do?_locale=zh_CN

I noticed when I downloaded that I got no warning, so I assume my friend tried to run the program when it was detected as a rootkit.

It could be a phishing email which purports to come from the BOC but doesn’t; the link may take you to a site that looks like the BOC to further reassure (read deceive) the user into installing an official security applet, which is designed to infect.

If you actually type in the URL rather than click on a link in a phishing email, you will end up at the genuine BOC site rather than the one spoofed to look like the BOC web site.

You have to exercise extreme care when doing this, as if it were a spoofed/phishing site, it could capture your login and password details. Firefox 3.0.1 has a built-in anti-phishing element.