Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have warned of
a Trojan horse that has been spammed out in an email claiming to
come from an organization fighting child pornography on the
web.
The emails claim that the recipient's email address has been
found in a child porn database discovered by the Association of
Sites Advocating Child Protection (ASACP), but really contain a
Trojan horse.
The Troj/Agent-CPK Trojan
horse has been spammed out in the email messages, with the subject
line "CP investigation was started."
The message claims that the user's email
address has been found on a child porn website.
Part of the email reads as follows:
I'd like to inform you that investigating activity of the
one of child porno sites; we found e-mails data base, in which was
your e-mail <email address>. In view of this, I have two
versions: either you are the client of this shop, or your e-mail
appeared there accidentally. I sincerely hope that it was
accidental coincidence and believe that you are interested in this
version as well. If you show a good will, make modest, voluntary
donation on our site: http://www.asacp.org/donation.html, I will be
convinced in your being not implicated in this business.
Attached to the email is a file called asset576.zip, which unzips
to a file called asset.txt<multiple spaces>.exe. Running the
executable file installs the Trojan horse onto the user's computer.
"The danger is that people may panic when they think their email
address was found on a child abuse website, rush to open the
attached file and become infected by a malicious Trojan horse,"
said Graham Cluley, senior technology consultant for Sophos. "The
ASACP are an entirely innocent party in this attack, it is simply
their name which is being spoofed by the hackers in their attempt to
infect innocent computer users."
The Trojan displays text in Notepad in an
attempt to fool people into thinking they really have opened a TXT
file.
The ASACP, which has described the incident as a "massive spoof
email attack", has published a warning on its website, informing
unfortunate recipients of the message that they may be at risk of
infection.
Sophos's anti-virus products were automatically updated to
protect against the Troj/Agent-CPK Trojan horse at 14:48 GMT on 21
August 2006.
Sophos recommends that companies protect their email gateways
with a consolidated solution to defend
against viruses, spyware and spam, as well as apply an email policy
that filters unsolicited executable code at the gateway. Businesses
should also secure their desktop and servers with automatically
updated protection.
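The attachment name described above (asset.txt<multiple spaces>.exe inside a ZIP) is the kind of pattern a gateway policy for unsolicited executable code can check for. The following Python code is an added example, not Sophos code: the extension lists, the function names and the 40-space padding in the sample are assumptions, and the sample archive is constructed with harmless bytes.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; an assumed, non-exhaustive policy list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Harmless-looking extensions used as the visible, decoy part of a name (assumed).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".zip"}

# <stem><decoy extension><optional whitespace padding><real extension>
_NAME_RE = re.compile(
    r"^(?P<stem>.*?)(?P<decoy>\.[A-Za-z0-9]{1,5})(?P<pad>\s*)(?P<real>\.[A-Za-z0-9]{1,5})$"
)

def classify_name(name):
    """Return 'padded-double-extension', 'double-extension', 'executable' or 'ok'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    m = _NAME_RE.match(base)
    if m and m["real"].lower() in EXECUTABLE_EXTS and m["decoy"].lower() in DECOY_EXTS:
        # Padding pushes the real extension out of view in file listings.
        return "padded-double-extension" if m["pad"] else "double-extension"
    dot = base.rfind(".")
    if dot != -1 and base[dot:].lower() in EXECUTABLE_EXTS:
        return "executable"
    return "ok"

def scan_zip(data):
    """Return {member name: verdict} for every flagged member of a ZIP attachment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = classify_name(info.filename)
            if verdict != "ok":
                findings[info.filename] = verdict
    return findings

def build_sample_zip():
    """Constructed sample: harmless bytes under a name shaped like the advisory's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The page says only "multiple spaces"; 40 is an assumed count.
        zf.writestr("asset.txt" + " " * 40 + ".exe", b"not a real program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()).items():
        print(f"{verdict}: {name!r}")
```

A gateway would call scan_zip on each ZIP attachment and quarantine the message when any member is flagged; matching on names alone does not replace content scanning.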