Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a Trojan horse that has been spammed out in an email claiming to come from an organization fighting child pornography on the web.
The emails claim that the recipient's email address has been found in a child porn database discovered by the Association of Sites Advocating Child Protection (ASACP), but really contain a Trojan horse.
The Troj/Agent-CPK Trojan horse has been spammed out in the email messages, with the subject line "CP investigation was started."
The message claims that the user's email address has been found on a child porn website.
Part of the email reads as follows:
I'd like to inform you that investigating activity of the one of child porno sites; we found e-mails data base, in which was your e-mail <email address>. In view of this, I have two versions: either you are the client of this shop, or your e-mail appeared there accidentally. I sincerely hope that it was accidental coincidence and believe that you are interested in this version as well. If you show a good will, make modest, voluntary donation on our site: http://www.asacp.org/donation.html, I will be convinced in your being not implicated in this business.
Attached to the email is a file called asset576.zip, which unzips to a file called asset.txt<multiple spaces>.exe. Running the executable file installs the Trojan horse onto the user's computer.
"The danger is that people may panic when they think their email address was found on a child abuse website, rush to open the attached file and become infected by a malicious Trojan horse," said Graham Cluley, senior technology consultant for Sophos. "The ASACP are an entirely innocently party in this attack, it is simply their name which is being spoofed by the hackers in their attempt to infect innocent computer users."
The Trojan displays text in Notepad in an attempt to fool people into thinking they really have opened a TXT file.
The ASACP, who have described the incident as a "massive spoof email attack", has published a warning on its website, informing unfortunate recipients of the message that they may be at risk of infection.
Sophos's anti-virus products were automatically updated to protect against the Troj/Agent-CPK Trojan horse at 14:48 GMT on 21 August 2006.
Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway. Businesses should also secure their desktop and servers with automatically updated protection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.