Mass Trojan on the loose

Anti-virus and e-mail security companies have issued warnings about a new Trojan horse program that they claim is being mass-distributed on the internet using spam e-mail.

The program, called Backdoor-CGT, is a new form of a Trojan installed after e-mail recipients using Microsoft Outlook follow a web link embedded in an e-mail message.

The Trojan is believed to have infected thousands of systems since appearing early on Tuesday, even though anti-virus software and up-to-date versions of Outlook are immune to attack, according to Maksym Schipka, senior anti-virus researcher at MessageLabs.

MessageLabs received more than 3,600 e-mail messages with links to the Trojan during a two-hour period early Tuesday, the result of a massive and uncharacteristic spam distribution more than 10 times what is normal for such a program, he said.

Trojans give remote attackers access to or control of machines on which they run, and often run unnoticed by computer users, or pose as legitimate software applications.

The Backdoor-CGT Trojan uses a "multistage" attack to place malicious code on victims' computers.

After clicking on an e-mail link embedded in the spam message, victims go to a series of websites, each of which carries out one stage in the attack.

The attack takes advantage of a patched flaw in Outlook called the "IFrame" exploit to hide the website redirections from the user and silently download and install the Backdoor-CGT program, Schipka said.

Once installed, Backdoor-CGT selects a communications port at random and opens it, creating a back door on infected systems that is used to communicate with a server on the internet supposedly controlled by those behind the attacks.

The website used by the compromised machines is registered in the .biz web domain to an individual in the Czech Republic and was still online, though slowed by heavy traffic, on Tuesday, he said.

McAfee also released an advisory on Tuesday about the new Trojan, which is also known as "SS", but rated it "low", indicating it does not pose a great threat to either home or business users.

Other anti-virus companies did not immediately respond to requests for information about Backdoor-CGT and it was not clear whether other companies were aware of it, or whether other anti-virus software programs could spot it.

Paul Roberts writes for IDG News Service 

