Japanese Trojan attacks P2P file-sharing pirates -- PCTECH

By Stan Beer     
Thursday, 01 March 2007  

In a case of a malware purveyor attacking pirate file-sharers, security
vendor Sophos has warned of a bizarre Trojan horse which has been
distributed on Japanese peer-to-peer file-sharing networks.

The Troj/Pirlames-A Trojan horse has been distributed on the controversial
Winny file-sharing network in Japan, posing as a screensaver. However, if
P2P users download and run the program their files are overwritten by
pictures of a popular comic book star who abuses them for using Winny and
threatens to expose them to the police if they don't stop using the system.

Programs, music files and email mailboxes are amongst the files targeted by
the Trojan horse. EXE, BAT, CMD, INI, ASP, HTM, HTML, PHP, CLASS, JAVA, DBX,
EML, MBX, TBB, WAB, HLP, TXT, MP3, XLS, LOG, BMP files are all overwritten
by images contained inside the malicious code of comic book character Ayu
Tsukimiya.

"This is one of the most bizarre pieces of malware we have seen in our labs
for quite some time, but its data-destroying payload is no laughing matter,"
said Graham Cluley, senior technology consultant for Sophos. "It acts as a
timely reminder to companies that they may want to control users' access to
P2P file-sharing software not just because they can eat up bandwidth, but
also because they can present a security risk to your corporate data."

Isamu Kaneko, the author of the Winny file-sharing program, was convicted by
a Japanese court in December 2006 for assisting in copyright violation. The
rights and wrongs of the case have been widely debated on the internet.

The Pirlames Trojan horse is not the first piece of malware to take
advantage of the Winny file-sharing network:

* In May 2006, Sophos reported that a virus had leaked power plant secrets
via Winny for the second time in four months.

* The previous month, a Japanese anti-virus company admitted that internal
documents and customer information had been leaked after one of its
employees failed to install anti-virus software.

* Earlier in 2006, Sophos described how information about Japanese sex
victims was leaked by a virus after a police investigator's computer had
been infected.

* In June 2005, Sophos reported that nuclear power plant secrets had been
leaked from a computer belonging to an employee of Mitsubishi Electric Plant
Engineering.

* The police force in Kyoto, Japan, were left with red faces after a virus
spread information about their "most wanted" suspect list in April 2004.

A survey conducted last year by Sophos reflects the serious concern that
uncontrolled applications are causing system administrators. For example,
86.5% of respondents said they want the opportunity to block P2P
applications, with 79% indicating that blocking is essential. 

Read About It
Information about Uploader-AH is located on VIL at:
http://vil.nai.com/vil/content/v_141567.htm

Detection
Uploader-AH was first discovered on February 26, 2007 and detection was
added to the 4971 dat files (Release Date: February 26, 2007).

To stay updated and protected download the latest dat files from
http://www.mcafee.com/us/downloads/index.html

If you suspect you have Uploader-AH, please submit a sample to
<http://www.webimmune.net>

Mike Grant
Bytware, Inc.
775-851-2900 

http://www.bytware.com


CONFIDENTIALITY NOTICE:  This e-mail message and any attachment to this e-mail 
message contain information that may be privileged and confidential.  This 
e-mail and any attachments are intended solely for the use of the individual or 
entity named above (the recipient) and may not be forwarded to or shared with 
any third party.  If you are not the intended recipient and have received this 
e-mail in error, please notify us by return e-mail or by telephone at 
775-851-2900 and delete this message.  This notice is automatically appended to 
each e-mail message leaving Bytware, Inc.