Trojan Horse Attacks

by Joseph Lo, Ph.D. aka Jolo, with much help from countless others
This page is part of IRChelp.org's security section at http://www.irchelp.org/irchelp/security/
updated Jun 4, 2000

Contents:

Appendices:

I. What is a Trojan horse?

Trojan horse attacks pose one of the most serious threats to computer security. This page will teach you how to avoid falling prey to them, and how to repair the damage if you already did. According to legend, the Greeks won the Trojan war by hiding in a huge, hollow wooden horse to get into the fortified city of Troy. In today's computer world, a Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign" such as a screen saver, game, or attack. The most (in)famous Trojan horse was the so-called "Love Bug" in May 2000 [news story]. If this apparent love letter was opened, it would unleash a slew of problems, such as sending itself to everybody on your email address book or IRC channel, erasing or modifying your files, and downloading another Trojan horse program designed to steal your passwords. Many Trojan horses also allow crackers (aka "hackers") to take over your computer and "remote control" it, such as to take over your IRC channels or use your computer to perform denial of service attacks like those that disrupted web sites of Yahoo and Amazon [news story].

Many people use terms like Trojan horse, virus, worm, and hacking all interchangeably, but they really don't mean the same thing. If you're curious, here's a quick primer defining and distinguishing them. Let's just say that once you are "infected", trojans are just as dangerous as viruses and can spread to hurt others just as easily!

The following general information applies to all operating systems, but the specific trojan descriptions and fixes are for Windows only, since that is by far where the most damage is done.

II. How did I get infected?

Trojans are executable programs, which means that when you open the file, it will run and perform some action(s). In Windows, executable programs have file extensions like "exe", "vbs", "com", "bat", "pif", "scr", "lnk", or "js". Some actual trojan filenames include: "dmsetup.exe", "Movie.avi.pif", and "LOVE-LETTER-FOR-YOU.TXT.vbs" (when there are multiple extensions, only the last one counts, be sure to unhide your extensions so that you see it). More information on risky file extensions may be found at this Microsoft document.

Trojans can be spread in the guise of literally ANYTHING people find desirable, such as a free game, nude picture, mp3 song, etc. You probably downloaded the trojan from a WWW or FTP archive, ICQ file exchange, or through IRC's DCC file transfer (manually or, worst yet, an "auto DCC get" feature). Typically you must run the trojan manually. You may have known it was an executable but thought it was something else, been fooled by a hidden file extension, or just gotten careless and clicked on it. Trojans usually do their damage silently over your disk or network. The first sign of trouble is often when others tell you that you are trying to send them some trojan!

III. How do I avoid getting infected in the future?

You must be certain of BOTH the source AND content of each file you download! In other words, you need to be sure that you trust not only the person or file server that gave you the file, but also the contents of the file itself.

Here are some practical tips to avoid getting infected (again).

  1. NEVER download blindly from people or sites which you aren't 100% sure about. In other words, as the old saying goes, don't accept candy from strangers. If you download commercial games or other software from "warez" sources, you are not only breaking copyright laws, it's also just a matter of time before you fall victim to a trojan.
  2. Even if the file comes from a friend, you still must be sure what the file is before opening it (as Melissa and the "Love Bug" proved). Remember, just opening a trojan (by double clicking, previewing, etc.) unleashes its damage. In general, there is no reason for even a friend or colleague to send you an executable. When in doubt, ask them first.
  3. Beware of hidden file extensions! Windows by default hides the last extension of a file, so that innocuous-looking picture "susie.jpg" might really be "susie.jpg.exe" - an executable trojan! To avoid being tricked, unhide those pesky extensions.
  4. NEVER use features in your programs that automatically get or preview files. Those features may seem convenient, but they let anybody send you anything, not just dangerous trojans but also pornography, huge files to tie up your bandwidth and fill your disk, etc. For example, never turn on "auto DCC get" in mIRC, instead ALWAYS screen every single file you get manually. Likewise, disable the preview mode in Outlook and other mail programs.
  5. Never blindly type commands that others tell you to type, or run pre-fabricated programs or scripts (not even popular ones). If you do so, you are potentially trusting a stranger with control over your computer, which can lead to trojan infection or other serious harm.
  6. Don't be lulled into a false sense of security just because you run anti-virus programs, which do not protect perfectly against many viruses and trojans, even when fully up to date. Anti-virus programs should not be your front line of security, but instead they serve as a backup in case something evil sneaks onto your computer.
  7. Finally, don't download an executable program just to "check it out" - if it's a trojan, the first time you run it, you're already infected!

IV. How do I get rid of trojans?!?

Here are your many options, none of them are perfect. I strongly suggest you read through all of them before rushing out and trying to run some program blindly. Remember - that's how you got in this trouble in the first place. Good luck!

  1. Clean Re-installation: Although arduous, this will always be the only sure way to eradicate a trojan. Back up your entire hard disk, reformat the disk, re-install the operating system and all your applications from original CDs, and finally, if you're certain they are not infected, restore your user files from the backup. If you are not up to the task, you can pay for a professional repair service to do it.

  2. Commercial Anti-Virus Software: These can handle many of the better known trojans. You absolutely MUST make sure you go and download the very latest update files for your programs, or else they will miss the latest trojans. Even when fully updated, anti-virus programs are never perfect, no matter what their advertising claims. Compared to traditional viruses, today's trojans evolve much quicker and come in many seemingly innocuous forms, so anti-virus software is always going to be playing catch up. (Remember the mad dash to get the patch for the "Love Bug" after it already damaged many of your files, and how it kept mutating in just a few days, each time requiring another new patch?) Finally, if they fail to find every trojan, anti-virus software can give you a false sense of security, such that you go about your business not realizing that you are still dangerously compromised. Some decent products include: AVP, Norton AntiVirus, and McAfee VirusScan. Most are available for immediate downloading with 30 day free trials.

  3. Shareware Anti-Trojan Programs: For the same reasons, some of these programs are effective against some trojans, but none of them will ever be effective against all trojans. There is added uncertainty since these shareware programs don't have the resources and reputation of a major commercial software company standing behind them. For example, how do you know the trojan remover isn't a trojan itself? Some decent choices include: The Cleaner, $19.95 shareware.

  4. IRC Help Channels: If you're the type that needs some hand-holding, you can find trojan/virus removal help on IRC, such as #dmsetup or #HackFix on EFnet. These experts will try to figure out which trojan(s) you have and offer you advice on how to fix it, such as by using their own anti-trojan scripts. (See our networks list if you need help connecting to those networks.)

  5. WWW Help Sites: For the do-it-yourselfers, some of the more established trojans can be eradicated if you follow specific directions. These instructions assume you are reasonably computer savvy (and just got infected "by accident", heh). Just about every trojan with a known fix is cataloged at the HackFix Project, which is the home page for EFnet #hackfix. We also have our own partial list of specific fixes for trojans. There's so much information at these sites, however, it may be hard to find a specific fix unless you already know the name of the specific trojan. In some cases, that is just the name of the file that others are accusing you of distributing by email/IRC/whatever. Unfortunately, the newer trojans are typically much more damaging and there are often no easy ways to fix them. Naturally, all the caveats above with anti-virus and anti-trojan programs also apply.

Appendices:

These files were referred to in the text above, and provide additional information.


-navigational bar-
[ go back | search | help | send email ]

all pages IRCHELP.ORG or original authors