Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a bizarre Trojan horse that has been distributed on Japanese peer-to-peer file-sharing networks.
The Troj/Pirlames-A Trojan horse has been distributed on the controversial Winny file-sharing network in Japan, posing as a screensaver. However, if P2P users download and run the program, their files are overwritten by pictures of a popular comic book character who berates them for using Winny.
Programs, music files and email mailboxes are amongst the files targeted by the Trojan horse. Files with the extensions EXE, BAT, CMD, INI, ASP, HTM, HTML, PHP, CLASS, JAVA, DBX, EML, MBX, TBB, WAB, HLP, TXT, MP3, XLS, LOG and BMP are all overwritten by images of the comic book character Ayu Tsukimiya that are embedded inside the malicious code.
"This is a visit from the prevalent Piro virus! Stop P2P! If you don't, I'll tell the police!"
"Even though Kaneko-San was found guilty, you're still using Winny aren't you. I really hate such people!"
"Ugu! It's me, Ayu Tsukimiya! I think I might start destroying downloaded files and P2P software now..."
"Taiyaki, taiyaki, oh I'd like to eat some...
If you don't bring me some, I'll destroy your files...
If you don't stop using Winny, I'll expose you to the police... My phone number is <removed>..."
One of the images (which sings a song about fish-shaped pancakes filled with bean jam) includes a phone number, although it is possible that this does not belong to the malware author.
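Because the payload described above replaces the contents of files with the listed extensions by embedded images, the affected files keep their original names but no longer start with the header their extension implies. The following Python script is an added illustration of how an administrator could triage a machine for that effect after the fact; it is not code from Sophos or from the Trojan. It assumes the planted pictures are in a common raster format (BMP, PNG, JPEG or GIF), which the report does not state, and the sample directory it scans is constructed inline for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the report lists as targets of Troj/Pirlames-A.
TARGET_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".ini", ".asp", ".htm", ".html", ".php",
    ".class", ".java", ".dbx", ".eml", ".mbx", ".tbb", ".wab", ".hlp",
    ".txt", ".mp3", ".xls", ".log", ".bmp",
}

# Magic numbers of common raster image formats. The report says the files are
# overwritten with images but not which format, so checking several formats is
# an assumption of this example.
IMAGE_MAGIC = {
    b"BM": "bmp",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(header: bytes):
    """Return the image format name if `header` starts with a known magic, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def scan_for_overwritten(root, extensions=TARGET_EXTENSIONS):
    """Walk `root` and return sorted (path, image_format) pairs for files whose
    extension is in `extensions` but whose content begins with an image header.
    A .bmp that really is a bitmap is expected content and is not reported."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext not in extensions:
                continue
            with open(path, "rb") as fh:
                header = fh.read(16)
            fmt = image_type(header)
            if fmt is None:
                continue
            if ext == ".bmp" and fmt == "bmp":
                continue
            findings.append((str(path), fmt))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample directory: some intact files, and some whose
    contents have been replaced by image bytes, as the payload would leave them."""
    root = tempfile.mkdtemp(prefix="pirlames_demo_")
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    samples = {
        "notes.txt": b"meeting notes, nothing unusual\n",          # intact text
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,                   # intact PE header
        "wallpaper.bmp": b"BM" + b"\x00" * 30,                      # genuine bitmap
        "report.xls": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,          # overwritten with PNG
        os.path.join("sub", "song.mp3"): b"BM" + b"\x00" * 30,      # overwritten with BMP
        "readme.md": b"BM" + b"\x00" * 30,                          # not a targeted extension
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, fmt in scan_for_overwritten(build_sample_tree()):
        print(f"{path}: extension/content mismatch, file now holds a {fmt} image")
```

The check is deliberately narrow: it only flags files that claim a listed extension yet begin with an image header, so an intact bitmap stored as .bmp, or an image saved under an extension the Trojan does not target, is left alone. On a real machine, run it against user profile and mailbox directories, and treat the hits as a list of files to restore from backup rather than as proof of the specific strain.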
"This is one of the most bizarre pieces of malware we have seen in our labs for quite some time, but its data-destroying payload is no laughing matter," said Graham Cluley, senior technology consultant for Sophos. "But it acts as a timely reminder to companies that they may want to control users' access to P2P file-sharing software not just because they can eat up bandwidth, but also because they can present a security risk to your corporate data."
Another variant of the Trojan, Troj/Pirlames-B, displays a different message:
"Ah, I see you are using P2P again... if you don't stop within 0.5 seconds, I'm going to kill you."
Isamu Kaneko, the author of the Winny file-sharing program, was convicted by a Japanese court in December 2006 for assisting in copyright violation. The rights and wrongs of the case have been widely debated on the internet.
The Pirlames Trojan horse is not the first piece of malware to take advantage of the Winny file-sharing network:
- In May 2006, Sophos reported that a virus had leaked power plant secrets via Winny for the second time in four months.
- The previous month, a Japanese anti-virus company admitted that internal documents and customer information had been leaked after one of its employees failed to install anti-virus software.
- Earlier in 2006, Sophos described how information about Japanese sex victims was leaked by a virus after a police investigator's computer had been infected.
- In June 2005, Sophos reported that nuclear power plant secrets had been leaked from a computer belonging to an employee of Mitsubishi Electric Plant Engineering.
- The police force in Kyoto, Japan, were left with red faces after a virus spread information about their "most wanted" suspect list in April 2004.
A survey conducted last year by Sophos reflects the serious concern that uncontrolled applications are causing system administrators. For example, 86.5 percent of respondents said they want the opportunity to block P2P applications, with 79 percent indicating that blocking is essential.
Application Control is an optional feature of Sophos Anti-Virus, version 6, available to both new and existing customers. Existing customers of Sophos Anti-Virus for Windows 2000/XP/2003, version 6, can use this new feature at no additional charge. New customers have the option to deploy Sophos Anti-Virus either with or without Application Control.
Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses, spyware and spam.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.