C/Net.com - Trojan Horse Goes on the Offensive (Aug. 24/01)
(The following articles have been archived for both instructional and referential purposes. To read the full articles please follow the links to the source located at the bottom.)
Trojan Horse Goes on the Offensive
By Robert Lemos
August 24, 2001
A malicious program that masquerades as a Web page or HTML e-mail has dire consequences for those who fall for its ruse, antivirus experts said this week.
Known as Trojan.Offensive, the program takes advantage of a 10-month-old flaw in Microsoft's version of the Java Virtual Machine to overwrite critical system settings--called the registry--leaving Windows computers unusable. The operating system on the victimized PC must be reinstalled or repaired through an arduous process.
"No data loss actually occurs, but the computer is basically hosed," said Craig Schmugar, a virus researcher for security software maker Network Associates.
In its current incarnation, the Trojan horse arrives in an e-mail message and appears to be an HTML document with a single hyperlinked word: "Start." Recipients of the e-mail who click the link, however, will cause a JavaScript program to run; that program will take advantage of a flaw in Microsoft's Java Virtual Machine--software used to run programs written in Sun Microsystems' Java language--to modify the system's registry.
The flaw affects all versions of Windows running Microsoft's Internet Explorer 3.0 to 5.5sp1.
By changing almost 50 registry values, the malicious program disables all programs, prevents Windows from being shut down, and makes icons on the Windows desktop disappear. Because no programs will run--not even antivirus scanners--the Windows operating system on the PC cannot be automatically repaired.
While truly irksome, the program is not widespread.
Also known as JS/Offensive, the damaging code does not spread on its own like a virus--it must be forwarded manually. Although Network Associates has not seen any cases of the Trojan horse, antivirus company Symantec has had "a handful" of customers in Japan report incidents.
"There could be more reports of it and we just don't know about it, because the victims' computers don't work and so they can't send e-mail," said Motoaki Yamamura, senior development manager for Symantec. "But we don't think it's very widespread, because it's a Trojan, not a virus."