'Offensive' Trojan Can Disable PCs
However, worm hampers its own travels by damaging systems so thoroughly.
A new Trojan horse program that can severely limit user access to infected systems is spreading slowly worldwide, antivirus companies say.
The program, which is a script called either Trojan.JS.Offensive or Trojan.Offensive, can make Windows desktop icons invisible and can prevent users from starting programs or shutting down Windows. It even persists when a PC is being used in safe mode, according to information from antivirus vendor Symantec.
Luckily for users, the worm is not yet widespread and isn't likely to be, say antivirus vendors. Unlike a typical worm, which will often use an e-mail application to resend itself to other potential victims, Trojan.Offensive isn't likely to be able to spread itself because it locks up systems so extensively, says Craig Schmugar, a virus researcher with McAfee's AVERT Labs.
Trojan.Offensive arrives in users' e-mail in-boxes as an HTML e-mail message. However, it could also be available as a Web page found on the Internet, if someone posted it there, Symantec says. The Trojan, written in JavaScript, presents a "Start" button that, when clicked, activates the script. A variant of the Trojan lacks the "Start" button and activates when the file is opened. When executed, the Trojan makes a series of system-level changes to the configuration of the infected PC, greatly limiting user access to the system.
Drastic Remedies
The Trojan exploits a 10-month-old security hole in Microsoft's Java Virtual Machine, says McAfee's Schmugar. Systems that have applied Microsoft's patch are not vulnerable, he said.
The combination of an attack tool, called an exploit, and a Trojan is likely to become more common, as will the combination of exploits and worms, of which Code Red was an example, Schmugar says.
"I suspect we will see a lot more use of vulnerabilities" in worms, viruses, and Trojans, he says. In fact, a Web site exploiting this same vulnerability and using the same technique, but not using Trojan.Offensive itself, was discovered by AVERT last week, he said. The site has since been taken offline, he says.
If a PC is infected by Trojan.Offensive, typical users should contact technical support staff immediately, Symantec says. Reinstalling Windows, deleting the Trojan using DOS, or changing the system settings back by hand are ways to remove the infection, Symantec says.
"The average end user is going to have a heck of a time getting around these problems," AVERT's Schmugar agrees.