By Robert Lemos, ZDNet News

The aptly named Trojan.Offensive virus traps victims by pretending to be a Web page or HTML e-mail, then overwrites critical settings in Windows systems-leaving the computers unusable.

A malicious program that masquerades as a Web page or HTML e-mail has dire consequences for those who fall for its ruse, antivirus experts said this week.

Known as Trojan.Offensive, the program takes advantage of a 10-month-old flaw in Microsoft's version of the Java Virtual Machine to overwrite critical system settings--called the registry--leaving Windows computers unusable. The operating system on the victimized PC must be reinstalled or repaired through an arduous process.

"No data loss actually occurs, but the computer is basically hosed," said Craig Schmugar, a virus researcher for security software maker Network Associates.

In its current incarnation, the Trojan horse arrives in an e-mail message and appears to be an HTML document with a single hyperlinked word: "Start." Recipients of the e-mail who click the link, however, will cause a JavaScript program to run; that program will take advantage of a flaw in Microsoft's Java Virtual Machine--software used to run programs written in Sun Microsystems' Java language--to modify the system's registry.

The flaw affects all versions of Windows running Microsoft's Internet Explorer 3.0 to 5.5sp1.

By changing almost 50 registry values, the malicious program disables all programs, prevents Windows from being shut down, and makes icons on the Windows desktop disappear. Because no programs will run--not even antivirus scanners--the Windows operating system on the PC cannot be automatically repaired.

While truly irksome, the program is not widespread.

Also known as JS/Offensive, the damaging code does not spread on its own like a virus--it must be forwarded manually. Although Network Associates has not seen any cases of the Trojan horse, antivirus company Symantec has had "a handful" of customers in Japan report incidents.

"There could be more reports of it and we just don't know about it, because the victims' computers don't work and so they can't send e-mail," said Motoaki Yamamura, senior development manager for Symantec. "But we don't think it's very widespread, because it's a Trojan, not a virus."

Trojan.Offensive is aptly named.

In addition to making the victim's PC unusable until the system registry is fixed or the operating system is reinstalled, the program spouts a slur against Japanese people when the computer is physically restarted.

"If you have any trouble, please email," states a dialog box that appears upon start-up. "Note: Not for Japanese & dog & pig." is a Chinese-language Web site based in the Guangdong province of China. The administrative contact for the site could not be reached by e-mail.

Because the flaw in Microsoft's Java Virtual Machine is 10 months old and a patch has been available for some time, many computer users will not be vulnerable to the Trojan.

In addition, people have started to trust e-mail a lot less, said Symantec's Yamamura.

"I think a lot of consumers are better about practicing safe computing," he said. Surfers who disable ActiveX in the browser are also safe from the Trojan horse.

Back To The Study