[ISN] Trojan horse goes on the offensive

From: InfoSec News (isnat_private)
Date: Tue Aug 28 2001 - 02:56:30 PDT

    http://news.cnet.com/news/0-1003-200-6961705.html?tag=ch_mh
    
    By Robert Lemos
    Special to CNET News.com 
    August 24, 2001, 10:40 a.m. PT 
    
    A malicious program that masquerades as a Web page or HTML e-mail has
    dire consequences for those who fall for its ruse, antivirus experts
    said this week.
    
    Known as Trojan.Offensive, the program takes advantage of a
    10-month-old flaw in Microsoft's version of the Java Virtual Machine
    to overwrite critical system settings--called the registry--leaving
    Windows computers unusable. The operating system on the victimized PC
    must be reinstalled or repaired through an arduous process.
    
    "No data loss actually occurs, but the computer is basically hosed,"
    said Craig Schmugar, a virus researcher for security software maker
    Network Associates.
    
    In its current incarnation, the Trojan horse arrives in an e-mail
    message and appears to be an HTML document with a single hyperlinked
    word: "Start." Recipients of the e-mail who click the link, however,
    will cause a JavaScript program to run; that program will take
    advantage of a flaw in Microsoft's Java Virtual Machine--software used
    to run programs written in Sun Microsystems' Java language--to modify
    the system's registry.
    
    The flaw affects all versions of Windows running Microsoft's Internet
    Explorer 3.0 to 5.5sp1.
    
    By changing almost 50 registry values, the malicious program disables
    all programs, prevents Windows from being shut down, and makes icons
    on the Windows desktop disappear. Because no programs will run--not
    even antivirus scanners--the Windows operating system on the PC cannot
    be automatically repaired.
    
    While truly irksome, the program is not widespread.
    
    Also known as JS/Offensive, the damaging code does not spread on its
    own like a virus--it must be forwarded manually. Although Network
    Associates has not seen any cases of the Trojan horse, antivirus
    company Symantec has had "a handful" of customers in Japan report
    incidents.
    
    "There could be more reports of it and we just don't know about it,
    because the victims' computers don't work and so they can't send
    e-mail," said Motoaki Yamamura, senior development manager for
    Symantec. "But we don't think it's very widespread, because it's a
    Trojan, not a virus."
    
    Trojan.Offensive is aptly named.
    
    In addition to making the victim's PC unusable until the system
    registry is fixed or the operating system is reinstalled, the program
    spouts a slur against Japanese people when the computer is physically
    restarted.
    
    "If you have any trouble, please email findluat_private," states a
    dialog box that appears upon start-up. "Note: Not for Japanese & dog &
    pig." 21cn.com is a Chinese-language Web site based in the Guangdong
    province of China. The administrative contact for the site could not
    be reached by e-mail.
    
    Because the flaw in Microsoft's Java Virtual Machine is 10 months old
    and a patch has been available for some time, many computer users will
    not be vulnerable to the Trojan.
    
    In addition, people have started to trust e-mail a lot less, said
    Symantec's Yamamura.
    
    "I think a lot of consumers are better about practicing safe
    computing," he said. Surfers who disable ActiveX in the browser are
    also safe from the Trojan horse.
    
    
    
    -
    ISN is currently hosted by Attrition.org