Spammed Trojan horse pretends to come from anti-virus company

February 01, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a Trojan horse that has been spammed out to email addresses disguised as a message from a Finnish anti-virus company.

The Troj/Stinx-U Trojan horse has been seen attached to email messages pretending to come from Helsinki-based F-Secure, and can have a subject line chosen from "Firefox Browsing Problem", "Mozilla Browsing Problem", or "Website Browsing Problem". The message bodies read as follows:

Hello,

I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

As more people are turning to alternative browsers now it may be of help for you to know this. I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

Kind regards,

David Adams
Dept. Research
F-Secure Development

If the attached file is executed the Trojan horse will trigger, disabling anti-virus and other security software and opening a backdoor through which hackers can gain access to infected systems.

"It's important to stress that the guys at F-Secure have done nothing wrong. They are just the unfortunate victims of internet criminals using their name as a disguise in an attempt to spread malware," said Graham Cluley, senior technology consultant at Sophos. "Running the file attached to the email will lower security on the PC, and allow hackers to gain access to spy, steal and cause havoc."

Last week, Sophos reported that another version of the Stinx Trojan horse had been distributed posing as a CCTV picture of a university campus rapist.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses and spam, as well as apply an email policy that filters unsolicited executable code at the gateway. Businesses should also secure their desktops and servers with automatically updated protection.
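The gateway policy recommended above can be illustrated with a small message filter. The following Python is an added example written for this page, not Sophos's or F-Secure's code: it parses an inbound message, quarantines it if it carries an executable attachment, and flags it for review if the subject line matches one of the three lures named in the release. The sender address, recipient, attachment name and extension list are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines reported for the Troj/Stinx-U campaign (from the press release).
KNOWN_LURE_SUBJECTS = {
    "firefox browsing problem",
    "mozilla browsing problem",
    "website browsing problem",
}

# Extensions treated as unsolicited executable content. This list is an
# assumption for the example, not Sophos's gateway policy.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def executable_attachments(msg):
    """Return the filenames of attachments whose extension marks them executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def assess_message(raw_bytes):
    """Classify a raw RFC 822 message as 'quarantine', 'review' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject") or "").strip().lower()
    reasons = []

    attached = executable_attachments(msg)
    if attached:
        reasons.append("executable attachment: " + ", ".join(attached))
    if subject in KNOWN_LURE_SUBJECTS:
        reasons.append("subject matches Stinx-U lure")

    # Executable code at the gateway is blocked outright; a lure subject on
    # its own is only a signal, so it goes to a human for review.
    if attached:
        verdict = "quarantine"
    elif subject in KNOWN_LURE_SUBJECTS:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_message(subject, attachment_name=None):
    """Build a constructed sample message resembling the spammed lure (no real malware)."""
    msg = EmailMessage()
    # Constructed placeholder addresses; the real campaign spoofed F-Secure's name.
    msg["From"] = "David Adams <research@example.invalid>"
    msg["To"] = "webmaster@example.invalid"
    msg["Subject"] = subject
    msg.set_content(
        "Hello,\n\nI noticed whilst browsing your site that there were problems "
        "with some of your links. I have enclosed a screen capture of the problem.\n"
    )
    if attachment_name:
        # A few inert bytes standing in for the attachment body.
        msg.add_attachment(
            b"MZ" + b"\x00" * 30,
            maintype="application",
            subtype="octet-stream",
            filename=attachment_name,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_message("Mozilla Browsing Problem", "screen_capture.exe")
    print(assess_message(lure))
    print(assess_message(build_message("Meeting notes")))
```

The filter only inspects top-level attachment names; a production gateway would also open archives and check file content rather than trusting the extension, and would pair this with the automatically updated desktop protection the release recommends.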

Sophos's anti-virus products were updated to protect against the Troj/Stinx-U Trojan horse at 13:09 GMT on 1 February 2006.