Sophos warns video watchers of hidden horse

Security firm Sophos is warning online users of a newly detected trojan that disguises its malicious payload with a humorous animation.

By Cleona Godinho. Published June 28, 2007

According to an advisory from Sophos, the 'Troj/Agent-FWO' trojan plays the popular 'Yes & No' Shockwave video created by the Italian animator Bruno Bozzetto. However, the video only plays after the trojan has embedded itself on users' machines and downloaded other pieces of malicious code.

The animation has been making its way around the globe for the past several years with people forwarding it to friends and colleagues. Now, a malware writer has begun taking advantage of the trend, sending out a copy of the video that has the trojan hidden inside.

The trojan drops its malicious code in the Windows System folder, according to Sophos, and is designed to create registry entries to run on startup. It also has the ability to inject code into system processes to hide itself.

"It's important to realise that the animation itself is not malicious. Thousands of artists like Bruno Bozzetto have created funny movies whose only negative can be the hours that have been spent watching them," stated Graham Cluley, senior technology consultant for Sophos. "But the trojan horse which is playing the animation in this instance is dangerous. Troj/Agent-FWO is exploiting society's predilection for forwarding humorous animations on to friends and family in its attempt to infect as many people as possible."

Published on the internet by Bozzetto in 2001, 'Yes & No' is a humorous video about how obeying the rules of the road does not always make sense. Hundreds of thousands of people are believed to have watched the online animation.

Sophos experts reported that the trojan plays the animation as a smokescreen to hide the fact that it's silently infecting the victim's PC.
