Cookie-crumbling virus on the loose
Beware the bogus news email, warns Sophos, as reports of the latest email worm come to light.
UK security company Sophos says it has received reports of a new virus known as Crowt-A.
Although reports of infections are low in number currently, the virus is a particularly nasty one.
It arrives by email using subject lines, messages and filenames copied from the CNN news website. If the recipient launches the attachment, Crowt-A springs into action copying itself to the computer, setting Registry entries so that it is run at start up and when a user logs in, and harvesting email addresses to which it can send itself.
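The arrival vector described above (a news-branded lure carrying an executable attachment) is something a mail gateway can flag before any user launches it. The following is an added illustration, not code from the original article or from Sophos: a small Python filter that scores an inbound message on two signals the text describes, a subject or display name that claims a news brand while the sender domain does not belong to that brand, and an attachment whose extension Windows would execute directly. The brand-to-domain table, the extension list and the two sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Extensions Windows runs directly on double-click (assumed list; extend for your environment).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# Brands the lure imitates, mapped to domains that legitimately send for them (assumed mapping).
IMPERSONATED_BRANDS = {"cnn": ("cnn.com",)}


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def is_executable(filename):
    """True when the final extension is one Windows will execute; handles 'story.txt.exe'."""
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def sender_domain(msg):
    """Extract the domain of the envelope-visible From address, lower-cased ('' if absent)."""
    _, address = parseaddr(msg.get("From", ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lure_findings(raw_message):
    """List the lure indicators present in an RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    findings = []
    claimed_text = msg.get("Subject", "") + " " + msg.get("From", "")
    domain = sender_domain(msg)
    for brand, legit_domains in IMPERSONATED_BRANDS.items():
        brand_claimed = re.search(r"\b" + re.escape(brand) + r"\b", claimed_text, re.I)
        sender_is_legit = any(domain == d or domain.endswith("." + d) for d in legit_domains)
        if brand_claimed and not sender_is_legit:
            findings.append("brand '%s' claimed by sender domain '%s'" % (brand, domain or "unknown"))
    for name in attachment_names(msg):
        if is_executable(name):
            findings.append("executable attachment '%s'" % name)
    return findings


def should_quarantine(raw_message):
    """Quarantine only when both signals coincide: a spoofed brand and an executable attachment."""
    findings = lure_findings(raw_message)
    has_brand_spoof = any(f.startswith("brand ") for f in findings)
    has_executable = any(f.startswith("executable ") for f in findings)
    return has_brand_spoof and has_executable


# Constructed sample: a lure in the style the article describes (not a real captured message).
SAMPLE_LURE = """\
From: "CNN Breaking News" <alerts@example-news.invalid>
To: user@example.org
Subject: CNN: Breaking news story
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read the full story in the attached file.
--b1
Content-Type: application/octet-stream; name="story.exe"
Content-Disposition: attachment; filename="story.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: a plain newsletter from the brand's own domain with no attachment.
SAMPLE_BENIGN = """\
From: "CNN Newsletter" <newsletter@cnn.com>
To: user@example.org
Subject: CNN: Today's headlines
Content-Type: text/plain

Here are today's headlines.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, should_quarantine(sample), lure_findings(sample))
```

Requiring both signals together keeps the rule from quarantining a genuine newsletter (brand claimed, legitimate domain, no attachment) or an internal message that happens to carry an installer, while still catching the combination the worm relies on.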
However, the nasty part is that it creates a DLL file – services.dll – in the Windows system folder. This will run in whichever window is currently active. If this is a browser it may redirect it to the CNN website, but in the background it will also contact an online resource of PHP scripts.
The virus ensures it has a good chance of getting sensitive information by deleting cookies. This way, if the victim visits a website where their credentials for logging into that site are stored locally in a cookie, they will discover they have to log in and type in personal information all over again. Crowt-A also installs a keylogger to record all this activity.
In addition it sets up a backdoor where it can receive instructions and send information from and to a remote attacker. Sophos describes the potential of this backdoor thus: ‘sending information about the infected computer, sending the user’s Windows address book, downloading files from remote locations and executing them, deleting files, rebooting the infected computer, setting up a command prompt that the remote user can control, acting as a proxy server, deleting files from the Windows cookies folder, popping up a messagebox, listing and terminating processes, sending emails from the infected computer, logging the user’s keystrokes, or acting as an email virus.’
‘Virus writers are always looking for new tricks to entice innocent computer users into running their malicious code; this latest ploy feeds on people’s desire for the latest news,’ said Carole Theriault, security consultant at Sophos. ‘Many people subscribe to legitimate email news updates, but the message is simple – businesses need to make sure their anti-virus detection is constantly updated and users need to be suspicious of all unsolicited email whether it’s promising celebrity pictures or news updates.’