New 'Cute' trojan could take over your PC

Discussion in 'malware problems & news' started by Technodrome, May 9, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Feb 13, 2002
    New York
    A moderately dangerous Trojan horse that might let an outsider take over someone's computer is circulating by e-mail, two anti-virus companies warned Wednesday.

    According to Symantec and McAfee, the e-mail in question has the subject line: "Thoughts..." with a message that reads, "I just found this program, and, I don't know why...but it reminded me of you. Check it out."

    If the user is tricked into double-clicking the attachment, which carries the file name "cute.exe," the Trojan is installed on their PC.

    Craig Schmugar, a virus researcher for McAfee's AVERT (anti-virus emergency response team), said the primary aim of this "back door" Trojan is to give the attacker a way to take control of the user's system.

    "The person can move the mouse as if he was sitting in front of the computer, or make the CD-ROM drive door open and close," said Schmugar. "The program also tries to cripple anti-virus programs and firewalls."

    Dee Liebenstein, product manager for Symantec Security Response, told Newsbytes the Trojan sends a message to the author with the IP (Internet protocol) address of the infected PC.

    Symantec and McAfee describe the Trojan as a variant of the "Backdoor.Subseven" Trojan horse. Symantec named the Trojan W32.Tendoolf, while McAfee dubbed it W32/Floodnet@MM.

    The two companies said they were watching its spread closely, though they mark it as a low risk for now. McAfee's Schmugar said the Trojan has some characteristics that give it the potential to cause harm.

    "Some Trojans have the ability to propagate," he said. "Floodnet has the ability to spread by different methods, including through a person's address book by e-mail, or by MSN Messenger or AOL Instant Messenger."

    Schmugar and Liebenstein repeated the oft-told admonition - don't open attachments marked .EXE.

    "Back door Trojans are a big risk to personal identification and information," said Schmugar. "Not only do we tell people not to double-click on .EXE attachments, we also are warning them to be alert to e-mails promising an immunity tool for viruses that is infected with the Klez virus."

    "If you receive an anti-virus tool by e-mail, be leery," he added.

    "The message in the e-mail that carries the cute.exe attachment is an example of social engineering," said Liebenstein. "Trojan horse writers try to get people to click on an attachment by getting on their good side and being friendly."

  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    TDS has detection for this - Worm.Floodnet as of tonight's update; an update alert will be posted in the update section when uploaded.

    This trojan is not a variant of SubSeven; it merely has similar trojan characteristics. It is IRC controlled, and automatically spreads by Outlook mailing. Interestingly, there is an IRC command "spread", to cause the worm to again mail itself out.
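
The e-mail indicators reported in the article in the first post (subject "Thoughts...", attachment cute.exe), together with its advice to refuse .EXE attachments, can be expressed as a mail-gateway check. This is an added example, not part of the original thread or any vendor's code; the function names, verdict labels, extension list and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as reported in the article quoted in the thread.
SUBJECT_IOC = "thoughts..."
FILENAME_IOC = "cute.exe"
# Assumed policy list of extensions that run on double-click; tune per site.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")

def attachment_names(msg):
    """Collect normalised attachment filenames from every MIME part."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows ignores case and strips trailing dots/spaces, so
            # "CUTE.EXE" and "cute.exe." both resolve to cute.exe on disk.
            names.append(name.strip().lower().rstrip(". "))
    return names

def verdict(raw):
    """Classify one raw message: quarantine, block-attachment or deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    if subject == SUBJECT_IOC and FILENAME_IOC in names:
        return "quarantine"          # matches the reported mailing exactly
    if any(n.endswith(EXECUTABLE_EXTS) for n in names):
        return "block-attachment"    # generic rule: no executables by mail
    return "deliver"

def sample(subject, filename):
    """Build a constructed test message; the payload is inert filler."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    msg.add_attachment(b"inert-filler", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, fname in [("Thoughts...", "CUTE.EXE"),
                        ("Holiday photos", "photo.jpg.scr"),
                        ("Thoughts...", "notes.pdf")]:
        print(f"{subj!r:20} {fname!r:18} -> {verdict(sample(subj, fname))}")
```

The generic extension rule is the durable control; the exact subject and filename match only catches this one mailing and is trivially changed by a new variant.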