Tuesday, May 16, 2006
A "vigilante" Trojan, that attempts to protect infected PCs from the effects of malware caught while using peer-to-peer file-sharing networks, has been discovered.
The Windows Trojan/Erazer-A Trojan looks at default folders for downloading MP3, AVI, MPEG, WMV, Gif, Zip graphic and video files, and wipes anything it finds with these extensions in the target locations.
The assumption is that because the Trojan is only deleting certain file types in specific download directories used by P2P programs -- one of the main sources of inadvertent malware infection -- it is attempting to protect those it manages to infect.
The catch is that the program also attempts to subvert certain security programs to aid its activities, which opens the user to a more general risk of infection or program instability. It also appears to steal information.
The company that first uncovered it spreading among its customers, Sophos, has dubbed it as a "vigilante" Trojan, making it an extremely rare type of malware that could have some beneficial effects.
"The Erazer Trojan is a vigilante worthy of a Charles Bronson movie, taking the law into its own hands. However, it's perfectly possible for the Trojan to aim poorly and wipe out innocent files too," commented Graham Cluley of Sophos.
Vigilante it might be, but the Trojan spreads in the same way as those pieces of malware it appears to be targeting -- via P2P file sharing. It can also, of course, be used for malicious purposes, so this is a beneficial program most users would probably not want help from.
"I don't think this was written with good intentions because it attempts to turn off security," said Cluley. There would be nothing more dangerous than for people to become accustomed to the idea of "beneficial malware" because that might create a false sense of security.