Koran-Spouting Trojan Is First Example of Moralityware

Malicious software monitors IE title bar and displays religious warning and freezes system whenever user visits a porn-like site.

A new Trojan horse program that first appeared in Iran may be the start of a new malicious code trend that might be termed "moralityware," according to antivirus company Sophos PLC.

The malicious software, dubbed Yusufali.A, contains a feature that monitors which Web sites a user visits. The program springs to action when the browser loads Web sites with addresses that contain certain words, like "teen," "sex," or "exhibitionism," displaying a message from the Koran. The program is considered a low-level threat but may be the first example of malicious software acting as a "moral guardian" for Web surfers, said Greg Mastoras, a senior security analyst at Sophos in the U.S.

The new Trojan is distributed as an e-mail attachment and only affects Web surfers who use Microsofts Internet Explorer Web browser.

The program works by monitoring the Internet Explorer title bar, which displays the name of Web sites that are displayed. When a Web surfer visits a page with a keyword in its title, the Trojan springs into action. It minimizes the current browser Window and displays a message in a number of languages, including Arabic and English, that reads, in part: "YUSUFALI: Know, therefore, that there is no god but Allah, and ask forgiveness for thy fault, and for the men and women who believe," the company said.

/zimages/2/28571.gifSymantec patches corporate anti-virus. Click here to read more.

The message is displayed as long as the IE window containing the offensive Web page is left open. Eventually, a second window appears that traps a users mouse curser, requiring the infected system to be rebooted, Sophos said.

Sophos first identified Yusufali on Sept. 4 after a customer in Iran submitted it to the companys virus researchers, Mastoras said.

The Trojan is not sophisticated and doesnt attempt to spread or install other malicious software on machines it infects, Sophos said. Other antivirus vendors, including F-Secure Corp. and Symantec Corp. did not list the Yusufali Trojan.

Sophos has issued a software update that allows its customers to stop the new Trojan, Mastoras said.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.