Porn site surfers beware: A new Trojan horse is on a moral crusade to block sexually-explicit Web sites and deliver a message from the Koran instead, according to Lynnfield, Mass.-based antivirus firm Sophos.
Unlike other malware, Yusufali-A doesn't seem interested in stealing money or confidential information, said Sophos Senior Technology Consultant Graham Cluley. Its motive appears to be that of a moral guardian. "Of course, it's possible for it to make mistakes and block sites which are not pornographic, such as medical sites or social sites designed for teenagers," Cluley said in an e-mail exchange.
Yusufali-A examines the title bar of an active window to see which Web sites Windows users are visiting. If it finds a word it doesn't like -- "teen," "xx," "sex" or "penis," for example -- it minimizes the window so the user can't see its content. Then it displays a message from the Koran, an example of which can be seen on Sophos' Web site.
The Trojan will keep displaying messages as long as the offending page remains open. After awhile it will display a button labeled "For Exit Click Here." Once the button is clicked, that box will change to another with vertical bars and text that reads, "OH! NO i'm in the Cage." The box contains log off, shut down and restart buttons and the mouse pointer is locked within the box's confines. All the buttons will cause the computer to log out.
Cluley doesn't think the Trojan's crusade will have that wide a reach. "Unlike worms, it doesn't have a capability to replicate itself and so has to be manually spread by being spammed out deliberately, or people downloading it from a Web site."
He said the Trojan horse is written in visual basic and doesn't appear to be connected to any other well-known malware. "It's more of a quirky piece of malware than a significant threat," Cluley said. "Obviously, some people might construe it as a good Trojan because it blocks access to some adult sites and displays passages from the Koran. But from our point of view, no malware is good malware."
He said the Trojan horse was sent to Sophos by a customer in Iran. "It seems likely that it has a Middle Eastern connection, but is not obviously linked to anyone specifically," Cluley added.