Win32.Crypto Virus Warning From Finjan
------------------------------------------------------------
Sylvia Dennis, Newsbytes

Finjan has issued an overnight warning to its customers about a new
virus called Win32.Crypto.

The malicious code is described by the company as a stealth Trojan that
uses a unique method of installation. The result, the IT security firm
said, is that the operating system comes to depend on the infection
itself: if the Trojan's code is removed from the hard disk without prior
preparation, the operating system will subsequently fail to load.

Finjan also reported that Win32.Crypto has anti-heuristics mechanisms
that make detection by anti-virus software very difficult.

Disinfection, the firm said, may not be possible using certain
types of anti-virus software, forcing users to reformat their hard
disks to get their PCs operational again.

Finjan says its own SurfinShield software can detect and prevent the
attack, even though it is a new type of attack with particularly
damaging consequences.

Bill Lyons, the firm's president, said that the arrival of the virus is
another example of a clever new attack built on the principles of
previous attacks, but with a stronger payload and better defenses
against disinfection.

"While the antivirus vendors will no doubt add this pattern to
their database of known attacks over the next week, this one has
several complications that will cause those hit with this attack
more aggravation than simply running a disinfecting routine," he
said.

Lyons added that companies need to supplement their anti-virus
software with "firststrike" security systems to block these first
waves of attacks.

"Anti-virus companies do not catch Trojan executables the first
time and unfortunately, with 200 million people connected to the
Internet, severe damage is inflicted within the first hours of an
attack," he said.

Disassembling the new virus reveals that the author was Prizzy/29A,
who Finjan said takes time to thank numerous other hackers for
their contributions and inspiration, while also expressing his
personal pride in this effort saying, "I'm very proud on my very
first virus at Win32 platform."

Unfortunately, Finjan warned that Prizzy/29A also promises that new
attacks are on the way. This, the firm said, may be the beginning
of an onslaught of new attacks for the Millennium.

For the technically-minded, Win32.Crypto is a Trojan horse that is
being distributed as two files named notepad.exe and pbrush.exe, the
names of two standard Windows accessories.

According to its creator, Win32.Crypto is immune to detection by
heuristics. In addition, because it randomises its encryption routines,
signature-based detection by anti-virus software will be difficult.

The program, which gives no indication that it has infected the system,
infects Windows 95, Windows 98, Windows NT and the beta version of
Windows 2000.

Win32.Crypto installs itself by attaching to the kernel32.dll file and
adding new entries to win.ini and the registry. Because kernel32.dll
sits on the file-access path of every Windows process, Finjan said,
this lets Win32.Crypto intercept calls that open DLL files and run them
through its encrypt/decrypt functions. This interception is what ties
the operating system to the infection described above: files the Trojan
has encrypted are only readable while its code is present to decrypt
them on the way in.
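To make the disinfection caveat concrete, here is an added example that
is not code from the article, from Finjan or from the virus itself. It
models, in plain Python, a file-access hook that decrypts files on the
fly, and compares removing that hook naively with removing it after
first decrypting the files. The XOR transform, the file names and the
"MZ" header check are stand-ins chosen for illustration; the article
does not describe the real cipher or the exact files involved.

```python
"""Model of the 'operating system depends on the infection' trap.

Constructed illustration only: a Trojan that encrypts DLLs on disk and
hooks the file-access path so they are decrypted transparently. Removing
the hook without decrypting first leaves the system unable to load them.
"""

# Constructed sample 'disk': file name -> bytes. Real PE images start
# with the two bytes 'MZ', which the loader below checks for.
CLEAN_DLLS = {
    "user32.dll": b"MZ" + b"clean user32 code",
    "gdi32.dll": b"MZ" + b"clean gdi32 code",
}

# Illustrative key; non-zero bytes so ciphertext never keeps its 'MZ'.
KEY = b"\x5a\xa5\x3c"


def xor_transform(data, key):
    """Toy symmetric cipher standing in for the Trojan's real routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class InfectedSystem:
    """A system whose DLLs were encrypted and whose file access is hooked."""

    def __init__(self, disk, key):
        self.key = key
        # The infection encrypts every file it touches on disk.
        self.disk = {name: xor_transform(data, key) for name, data in disk.items()}
        # The hook (the patch to the file-access path) is resident.
        self.hook_installed = True

    def open_file(self, name):
        raw = self.disk[name]
        if self.hook_installed:
            # Transparent on-access decryption: programs see clean bytes.
            return xor_transform(raw, self.key)
        # Hook gone: the OS reads the ciphertext as stored on disk.
        return raw

    def load_dll(self, name):
        image = self.open_file(name)
        if not image.startswith(b"MZ"):
            raise OSError(f"{name}: not a valid executable image")
        return image


def naive_disinfect(system):
    """Delete the Trojan's code without any preparation."""
    system.hook_installed = False


def prepared_disinfect(system):
    """Decrypt every file while the hook still works, then remove the hook."""
    system.disk = {name: system.open_file(name) for name in system.disk}
    system.hook_installed = False


def boot(system):
    """Return True if every DLL on disk loads, False if any fails."""
    try:
        for name in system.disk:
            system.load_dll(name)
    except OSError:
        return False
    return True


def demo_naive():
    system = InfectedSystem(CLEAN_DLLS, KEY)
    naive_disinfect(system)
    return boot(system)


def demo_prepared():
    system = InfectedSystem(CLEAN_DLLS, KEY)
    prepared_disinfect(system)
    return boot(system)


if __name__ == "__main__":
    print("boot after naive removal:   ", demo_naive())
    print("boot after prepared removal:", demo_prepared())
```

The model is deliberately small, but the order of operations is the
whole point: while the hook is resident the system boots, a generic
"delete the Trojan's files" routine breaks it, and only decrypting the
affected files before removal leaves a bootable system behind.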

Each time a system infected by Win32.Crypto boots, the Trojan propagates
by infecting 20 more executables. This replication mechanism, the firm
said, may cause severe damage: since there is no indication that a
system has been infected, users may unknowingly send out infected files.

Finjan's Website is at http://www.finjan.com.

------------------------------------------------------------
