October 06, 2004, 11:40 AM — A new Trojan horse program that attacks and removes troublesome advertising software, known as "adware," is circulating on the Internet, according to antivirus company Symantec Corp.
The program, called Downloader.Lunii, was discovered on Monday. When run, it attempts to kill off computer processes and delete files used by common adware programs like Powerscan and BargainBuddy. However, Lunii is not entirely benevolent. Like other Trojan horse programs, it also modifies the configuration of Microsoft Windows machines and attempts to download files from a remote location, Symantec warned.
Trojan horse programs are a part of a growing problem related to surreptitious monitoring and remote access programs on the Internet, which are often referred to as "spyware." The programs can be unwittingly installed by users who open e-mail file attachments, or click on links in e-mail messages or on Web sites that download and install the programs on the user's computer.
Unlike viruses and worms, Trojan horse programs do not try spread from machine to machine after they are installed. Instead, the programs run quietly in the background of the systems they infect, providing remote attackers with access to compromised machines.
Lunii works by halting Windows processes that adware programs use to communicate and by removing known adware programs from systems it infects. The Trojan program also modifies a Windows file called the "hosts" file, inserting its own list of bogus Web sites, which may block access to certain Web pages, Symantec said.
Lunii was rated a low threat by Symantec, which released an antivirus signature to detect the Trojan on Monday.
The proliferation of spyware programs in the last year has been linked to the growth of organized criminal groups that pursue illicit gain through identity theft, extortion and other online scams, often using spyware programs to steal data or hijack compromised machines to use in online denial of service attacks.
The problem has attracted the attention of U.S. lawmakers. The U.S. House of Representatives voted 399-1 Tuesday to pass a bill dubbed the SPY ACT (Securely Protect Yourself Against Cyber Trespass), which makes it illegal to download programs onto other users' computers without their permission, hijack someone's computer or modify its configuration settings.
Symantec recommended that its customers update their virus definitions to detect Lunii and provided instructions for removing malicious programs once they are installed. (See: http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html.)
