Experts at SophosLabs™, Sophos's global network of virus and spam analysis centers, have warned users about a Trojan horse which tries to interrupt surfing of adult websites by displaying messages from the Koran.
The Yusufali-A Trojan horse monitors which websites Windows users are visiting by examining the title bar of the active window. If the Trojan finds a word it doesn't like (such as "teen", "xx", "sex" or "penis") it minimizes the window so the user cannot see its content and displays a message from the Koran instead:
"Unlike other malware, it appears this Trojan horse isn't trying to steal money or confidential information, but acting as a moral guardian instead - blocking viewing of websites it determines are unsavory," said Graham Cluley, senior technology consultant for Sophos. "Of course, it's possible for the Trojan horse to make mistakes and block sites which are not pornographic - such as medical sites, or social sites designed for teenagers."
The Yusufali-A Trojan horse continues to display messages if the offending website remains open, and after a while it displays a button labelled "For Exit Click Here". As soon as the mouse is moved the box changes to have vertical bars and the text 'OH! NO i'm in the Cage'. The box contains LogOff, ShutDown and Restart buttons and the mouse pointer is locked within the confines of the box. All the buttons actually cause the computer to logout.
"This Trojan horse may have been written as a joke, or as a serious attempt to clean-up the habits of internet users," continued Cluley. "Whatever the reasons behind its creations, computer users should protect their systems with up-to-date anti-virus software, security patches and a proper firewall."
Sophos users were automatically protected against the Yusufali Trojan horse yesterday. Although Sophos has not received many reports of the Trojan horse it recommends companies protect their email gateways with a consolidated solution to defend against viruses and spam. Businesses should also secure their desktop and servers with automatically updated protection.
Just as long as it doesn't block my blog.