“Yes & NO” video may hide a Trojan

29/06/2007 Written by Alberto Redi (halfmoon)

An advisory from Sophos Labs reported on Tuesday that a malware writer has been infecting thousands of computers by hiding a new Trojan variant in a cartoon video, which has been spread around the world via e-mail.

The malware, identified as Troj/Agent-FWO, was hidden inside the “Yes & No” Shockwave video, a popular cartoon created by the Italian animator Bruno Bozzetto. According to Sophos, “The video only plays, though, after embedding itself on users’ computers and downloading other pieces of malicious code.”

The video ironically shows the allowed and forbidden behaviours described in the highway code, and it was published on the internet by Mr. Bozzetto in 2001. Since then, hundreds of thousands of people are believed to have watched the video, but it is not possible to estimate how many of them have been infected by the Trojan until researchers understand exactly when the malware writer began to send out infected copies of the video. The Trojan plays the animation as a smokescreen while it silently infects Windows computers.

Troj/Agent-FWO drops its malicious payload in the Windows System folder. Moreover, Sophos explains that it can create registry entries so that it runs at startup, and that it has the functionality to inject code into system processes in order to hide itself.
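The smokescreen described above (an animation that plays while a Windows program installs itself) and the dropper behaviour Sophos describes rest on one simple fact: a Shockwave Flash movie is not a Windows executable, and the two can be told apart from their first bytes. The Python below is an added example for this page, not Sophos's code and not anything recovered from Troj/Agent-FWO. It assumes the infected “video” circulated as a PE executable with the .swf movie carried inside it, which the article implies but does not spell out; the sample inputs are constructed byte strings, not the real files.

```python
import struct

# SWF magic bytes: "FWS" is uncompressed, "CWS" zlib-compressed (SWF 6+),
# "ZWS" LZMA-compressed (SWF 13+). A Windows executable starts with "MZ".
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def swf_header(data: bytes):
    """Return (compression, version, declared_length) if data begins with a
    plausible SWF header, otherwise None. The 8-byte header is: 3-byte magic,
    1-byte version, 4-byte little-endian length of the *uncompressed* file."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    # Plausibility bounds (a heuristic I chose, not part of the format spec):
    # Flash versions never reached 64, and a file is at least as long as its header.
    if not (1 <= version <= 64) or declared_len < 8:
        return None
    return SWF_MAGICS[data[:3]], version, declared_len


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature, i.e. the file is a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_swf(data: bytes):
    """Offsets (after byte 0) where a plausible SWF header occurs inside data,
    e.g. a movie stored as a resource or appended as an overlay to an executable."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic, 1)
        while pos != -1:
            if swf_header(data[pos:pos + 8]):
                hits.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def classify(data: bytes) -> str:
    """'swf', 'pe', 'pe-with-embedded-swf' or 'unknown', decided from content only."""
    if swf_header(data):
        return "swf"
    if is_pe(data):
        return "pe-with-embedded-swf" if find_embedded_swf(data) else "pe"
    return "unknown"


def triage(filename: str, data: bytes):
    """Return (suspicious, reason). The file name is what the recipient is shown;
    the bytes decide what the attachment really is."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind.startswith("pe") and ext == "swf":
        return True, "Windows executable presented as a Shockwave video"
    if kind == "pe-with-embedded-swf":
        return True, "executable carries an embedded SWF: animation used as a smokescreen"
    if kind == "pe":
        return True, "executable attachment with no animation inside"
    if kind == "swf":
        return False, "genuine SWF container (may still hold ActionScript, but is not a native executable)"
    return False, "neither SWF nor PE; outside the scope of this check"


def build_sample_swf() -> bytes:
    """Constructed test input: an FWS (uncompressed) header for SWF version 6
    declaring its true length, followed by a dummy body. Not a playable movie."""
    body = b"\x00" * 24
    return b"FWS" + bytes([6]) + struct.pack("<I", 8 + len(body)) + body


def build_sample_wrapper(swf: bytes) -> bytes:
    """Constructed test input: a minimal MZ stub whose e_lfanew points at a
    'PE\\0\\0' signature, with the SWF appended as an overlay. Not a runnable
    executable, just enough structure to exercise the checks above."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20 + swf


if __name__ == "__main__":
    movie = build_sample_swf()
    dropper = build_sample_wrapper(movie)
    print(triage("yes_and_no.swf", movie))     # the animation itself: not flagged
    print(triage("yes_and_no.swf", dropper))   # executable wearing a video name
    print(triage("yes_and_no.exe", dropper))   # honest name, but a movie inside a PE
```

The point of the check is the one Cluley makes below: the animation is harmless, the wrapper is not. A mail gateway or a user can apply the same test without playing anything, because the verdict comes from the header bytes rather than from the file name or the icon. The function deliberately treats a genuine SWF as "not flagged" rather than "safe", since an SWF can still carry ActionScript; this example only answers whether the attachment is a native executable.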

“It’s important to realise that the animation itself is not malicious — thousands of artists, like Bruno Bozzetto, have created funny movies whose only negative can be the hours that have been spent watching them,” said Graham Cluley, senior technology consultant for Sophos. “But the Trojan horse which is playing the animation in this instance is dangerous. Troj/Agent-FWO is exploiting society’s predilection for forwarding humorous animations on to friends and family in its attempt to infect as many people as possible.”
