Photo with Trojan
10 Sep 2002
A Trojan has been detected, in a commercial product for processing graphic software, that destroys files on the Windows system directory
Kaspersky Lab reports the detection of a Trojan horse, FireAnvil, embedded in a commercial product from US company, Firehand Technologies Corporation.
"Firehand Ember Millennium" is a software program for viewing and editing graphic files and is sold via Internet on the site www.firehand.com. Trojan subprograms have been detected in two files of the product:
Ember32.exe - the main file of the product
fireutil.dll - library
The program is activated when the text "czy czy" is entered in the field "Registered User ID".
Registered User ID: [_________]
Registration Key: [_________]
As the Trojan program is activated the following message is displayed:
CrAcKiNg SoFtWaRe! PlEaSe WaIt!
Then FireAnvil searches for the Windows system directory and writes the following text into the registry of all of the files within the directory:
CzY CrAcKiNg CrUe! We CrACk EvErYtHiNg!
As a result of the program's destructive function, when activated, all of the files of the Windows system directory are destroyed with no possibility of restoring them.
"Unfortunately, this is not the only instance where a software product has been marketed without checking it thoroughly for hidden "trojans". On the other hand, this is additional proof for the perfidy of the latest generation malware, which is sometimes very hard to detect. Hopefully, this incident will force all software developers to pay more attention to the security problems of their users," says Eugene Kaspersky, Head of Anti-Virus Research of Kaspersky Lab.
Protection procedures against FireAnvil have been added to the Kaspersky Anti-Virus data bases.