
By Bob Sullivan
Posted on ZDNet News: Jun 9, 2000 12:00:00 AM

There's a new twist on an old Trojan horse computer program that may be getting the attention of computer security specialists this week. Victims are tricked into installing the program because it masquerades as a video clip. But late Thursday, several security experts told MSNBC the program posed only a minor risk.

Trojan horses, once installed on a victim's computer, allow a computer criminal to control the infected system remotely. Such programs are similar to those used to launch attacks in February on Yahoo, eBay, Amazon and several other large Internet sites.

On Thursday, a Virginia-based security firm called Network Security Technologies said it had discovered that 2,000 systems around the world had been infected with a dangerous new kind of Trojan horse. Todd Waskelis, a vice president at the company, said he had observed the authors of the program in an online conversation and felt certain they were ready to use these "zombies" in a major attack.

"You are always concerned about a denial-of-service attack," he said. He described the program, which he called "Serbian Badman Trojan," as a variation of a much older Trojan horse program called "BackdoorSubSeven." Victims -- including one at Waskelis' own company -- are duped into installing the program because it appears to be a harmless video file. Waskelis said the program was particularly troublesome because anti-virus software did not detect it.

Thursday, other computer experts said another Trojan horse program fitting that description had been spotted "in the wild" earlier this week. They claimed that anti-virus programs already provided protection against it, and that it posed minimal risk.

The malicious-file-posing-as-video, called either "QuickFlick.mpg.exe" or "MySissy.mpg.exe," has been posted in several sexually explicit Internet newsgroups, where it's easy to lure victims into downloading videos.

The malicious program has been labeled a "low" risk by anti-virus firm Network Associates (neta).

"I can't imagine that we will see any impact at all," said Mary Landesman, marketing manager for the security firm Command Systems.

It was not immediately clear that Landesman and Waskelis were talking about the same Trojan horse, but Landesman said similarities in the two programs suggested they were one and the same.

She said infection is actually a two-step process. Victims must click on the alleged video, which starts an initial program called a "Downloader." That program instructs the victim's computer to download the real backdoor from another Internet site. By early Friday morning, that Internet site -- which was hosted by Lomag Internet Services in New Jersey -- had been shut down.

"Since the component being downloaded is BackdoorSubSeven, all anti-virus packages should detect it without requiring updates," said Landesman.
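The disguise described above depends on a file name whose visible part ends in a media extension while the real, final extension is executable. The following is an added example, not part of the original article: a Python check a mail or download filter could apply to file names. The extension sets and the sample names other than the two quoted in the article are constructed assumptions.

```python
import re

# Assumed extension sets for illustration; extend them to match local policy.
DECOY_EXTS = {"mpg", "mpeg", "avi", "mov", "mp3", "jpg", "gif", "txt", "doc", "pdf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def normalize(name: str) -> str:
    """Reduce a path to the name Windows would store: drop the directory
    part, strip trailing dots and spaces, and lower-case the result."""
    base = re.split(r"[\\/]", name)[-1]
    return base.rstrip(". ").lower()


def is_masquerading(name: str) -> bool:
    """True when an executable extension follows a decoy media or document
    extension, e.g. 'clip.mpg.exe' or the space-padded 'clip.mpg     .exe'."""
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3 or parts[-1] not in EXEC_EXTS:
        return False
    # Any component between the stem and the real extension that looks
    # like a harmless file type marks the name as deceptive.
    return any(p in DECOY_EXTS for p in parts[1:-1])


def flag_names(names):
    """Return the subset of names that should be quarantined for review."""
    return [n for n in names if is_masquerading(n)]


# Constructed sample input; only the first two names come from the article.
SAMPLE_NAMES = [
    "QuickFlick.mpg.exe",
    "MySissy.mpg.exe",
    "holiday.mpg",
    "setup.exe",
    "report.v2.exe",
    "clip.mpg          .exe",
    "C:\\Downloads\\QUICKFLICK.MPG.EXE. ",
]

if __name__ == "__main__":
    for flagged in flag_names(SAMPLE_NAMES):
        print("suspicious:", flagged)
```

Because Windows Explorer hides known extensions by default, a name such as the first two samples is displayed as an ordinary `.mpg` file, which is why the check works on the full stored name.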
