'Offensive' Trojan horse can disable systems

From...

By Sam Costello

(IDG) -- A new script that can severely limit user access to infected systems is spreading slowly worldwide, anti-virus companies said Friday.

The program, a Trojan horse called either Trojan.JS.Offensive or Trojan.Offensive, can make Windows desktop icons invisible, can prevent users from starting programs or shutting down Windows, and even persists when a machine is being used in safe mode, according to information posted on Symantec's anti-virus Web site. Luckily for users, Symantec doesn't see wide distribution yet.

Trojan.Offensive arrives in users' e-mail in-boxes as an HTML e-mail, although it could also be a Web page found on the Internet, if someone posted it there, Symantec said. The Trojan horse, written in Javascript, presents a button that reads "Start" which, when clicked, activates the script. A variant of it activates when the file is opened and lacks the "Start" button. When the Trojan horse is executed, it proceeds to make a series of system-level changes to the configuration of the infected PC, greatly limiting user access to the system.

IDG.net INFOCENTER InfoWorld Main Page InfoWorld Test Center Subscribe to InfoWorld Newsletters Infoworld Opinions and Spotlights Related IDG.net Stories UK man charged with creating W32-Leave.worm Code Red II includes dangerous 'backdoor' Trojan 'Offensive' trojan can disable systems Features Top 10 rules for e-business success Bluetooth wireless connectivity set to take off DSL in distress Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

The Trojan horse exploits a 10-month-old security hole in Microsoft's JVM (Java Virtual Machine), said Craig Schmugar, a virus researcher at McAfee's AVERT Labs. Systems which have had the patch Microsoft released applied are not vulnerable, he said.

The combination of an attack tool, called an exploit, and a Trojan horse is likely to become more common, as will the combination of exploits and worms, of which Code Red was an example, Schmugar said.

"I suspect we will see a lot more use of vulnerabilties [in worms, viruses, and Trojan horses]," he said. In fact, a Web exploiting this same vulnerability and using the same technique, but not using Trojan.Offensive itself, was discovered by AVERT last week, he said. The site has since been taken offline, he said.

Trojan.Offensive is not yet widespread and isn't likely to be, Schmugar said. Unlike a worm, which will often use an e-mail application to resend itself to other potential victims, Trojan.Offensive isn't likely to be able to spread itself because it locks systems up so extensively, he said.

If a PC is infected by Trojan.Offensive, typical users should contact technical support staff immediately, Cupertino, Calif.-based Symantec said. A reinstallation of Windows, a deletion of the Trojan horse using DOS, or changing the system settings back by hand are ways to remove the infection, Symantec said.

"The average end-user is going to have a heck of a time getting around these problems," AVERT's Schmugar agreed.