Information Security News mailing list archives

Trojan horse goes on the offensive


From: InfoSec News <isn () c4i org>
Date: Tue, 28 Aug 2001 04:56:30 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-6961705.html?tag=ch_mh

By Robert Lemos
Special to CNET News.com 
August 24, 2001, 10:40 a.m. PT 

A malicious program that masquerades as a Web page or HTML e-mail has
dire consequences for those who fall for its ruse, antivirus experts
said this week.

Known as Trojan.Offensive, the program exploits a 10-month-old flaw in
Microsoft's version of the Java Virtual Machine to overwrite critical
system settings in the Windows registry, leaving the computer unusable.
The operating system on the victimized PC must be reinstalled, or the
registry repaired by hand, an arduous process.

"No data loss actually occurs, but the computer is basically hosed,"
said Craig Schmugar, a virus researcher for security software maker
Network Associates.

In its current incarnation, the Trojan horse arrives as an e-mail
message that appears to be an HTML document containing a single
hyperlinked word: "Start." Recipients who click the link cause a
JavaScript program to run; that script exploits a flaw in Microsoft's
Java Virtual Machine, the software used to run programs written in Sun
Microsystems' Java language, to modify the system's registry.

The flaw affects every version of Windows running Microsoft Internet
Explorer 3.0 through 5.5 Service Pack 1.

By changing almost 50 registry values, the malicious program disables
all programs, prevents Windows from being shut down, and makes the
icons on the Windows desktop disappear. Because no programs will run,
not even antivirus scanners, the damage cannot be repaired
automatically from within Windows.

While truly irksome, the program is not widespread.

Also known as JS/Offensive, the damaging code does not spread on its
own like a virus; it must be forwarded manually. Although Network
Associates has not seen any cases of the Trojan horse, antivirus
company Symantec has had "a handful" of customers in Japan report
incidents.

"There could be more reports of it and we just don't know about it,
because the victims' computers don't work and so they can't send
e-mail," said Motoaki Yamamura, senior development manager for
Symantec. "But we don't think it's very widespread, because it's a
Trojan, not a virus."

Trojan.Offensive is aptly named.

In addition to making the victim's PC unusable until the system
registry is fixed or the operating system is reinstalled, the program
displays a slur against Japanese people when the computer is
restarted.

"If you have any trouble, please email findlu () 21cn com," states a
dialog box that appears upon start-up. "Note: Not for Japanese & dog &
pig." 21cn.com is a Chinese-language Web site based in the Guangdong
province of China. The administrative contact for the site could not
be reached by e-mail.

Because the flaw in Microsoft's Java Virtual Machine is 10 months old
and a patch has been available for some time, computer users who have
applied the patch are not vulnerable to the Trojan horse.

In addition, people have started to trust e-mail a lot less, said
Symantec's Yamamura.

"I think a lot of consumers are better about practicing safe
computing," he said. Surfers who disable ActiveX in the browser are
also protected, since the script reaches the vulnerable Microsoft VM
component through ActiveX.
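The article describes the damage only as "almost 50 registry values" that stop programs from running, block shutdown and hide the desktop, and names disabling ActiveX as a workaround. The script below is an added example, not code from the article, CNET, Network Associates or Symantec. It audits a regedit text export (the output of `regedit /e`, decoded to text) for the standard Explorer policy values that produce exactly those symptoms on Windows (NoRun, RestrictRun, NoClose, NoDesktop, DisableRegistryTools), reports whether "Run ActiveX controls and plug-ins" (action 1200) is disabled in the Internet zone, and writes a `.reg` file that deletes the flagged values. Which values the trojan actually sets is not stated in the article, so the value names are an assumption, and the sample export is constructed for the demonstration.

```python
"""Audit a regedit export for the Explorer restrictions JS/Offensive is
described as imposing, and for the ActiveX setting that blocks the script.
Added example; the policy value names are assumed, not taken from the article."""
import re
from typing import Dict, List, Tuple

EXPLORER_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
ZONE3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# (policy key suffix, value name) -> symptom a non-zero value produces (assumed mapping)
RESTRICTIONS = {
    (EXPLORER_POLICY, "NoRun"): "Run dialog disabled",
    (EXPLORER_POLICY, "RestrictRun"): "only listed programs may run",
    (EXPLORER_POLICY, "NoClose"): "Shut Down removed from the Start menu",
    (EXPLORER_POLICY, "NoDesktop"): "desktop icons hidden",
    (SYSTEM_POLICY, "DisableRegistryTools"): "regedit refuses to start",
}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^(?:"([^"]*)"|(@))=dword:([0-9A-Fa-f]{1,8})$')
STRING_RE = re.compile(r'^(?:"([^"]*)"|(@))="(.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse regedit export text into {key path: {value name: value}}.
    Only dword and string values are decoded; hex/binary data is skipped.
    Key paths keep their original case; all comparisons below are case-insensitive."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)  # [-KEY] deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line) or STRING_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "@"   # @ is the default value
            keys[current][name] = int(m.group(3), 16) if m.re is DWORD_RE else m.group(3)
    return keys


def audit_restrictions(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, symptom) for every restriction that is switched on."""
    hits = []
    for key, values in parse_reg(text).items():
        for (policy, name), symptom in RESTRICTIONS.items():
            if not key.lower().endswith(policy.lower()):
                continue
            for vname, val in values.items():
                if vname.lower() == name.lower() and isinstance(val, int) and val != 0:
                    hits.append((key, vname, symptom))
    return hits


def activex_disabled(text: str) -> bool:
    """True if action 1200 ('Run ActiveX controls and plug-ins') is 3 (disable) in the
    Internet zone.  An absent value means the default, 0 (enable)."""
    for key, values in parse_reg(text).items():
        if key.lower().endswith(ZONE3.lower()):
            return values.get("1200") == 3
    return False


def undo_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Build a regedit import file that deletes each flagged value ("name"=- syntax)."""
    by_key: Dict[str, List[str]] = {}
    for key, vname, _ in hits:
        by_key.setdefault(key, []).append(vname)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


# Constructed sample export for the demonstration, not a capture of the trojan's changes.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDesktop"=dword:00000001
"RestrictRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1200"=dword:00000000
"""

if __name__ == "__main__":
    found = audit_restrictions(SAMPLE_EXPORT)
    for key, name, symptom in found:
        print(f"{key}\\{name}: {symptom}")
    print("ActiveX disabled in Internet zone:", activex_disabled(SAMPLE_EXPORT))
    print(undo_reg(found))
```

A zero-valued policy (RestrictRun above) is not flagged, because the restriction is off; only non-zero dwords count. The generated `.reg` file removes values rather than zeroing them, so the machine returns to its default behaviour instead of carrying leftover policy entries, and it is meant to be imported once regedit can run again (for example from another account or from a boot outside the affected Windows installation).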



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
