A new Trojan horse has surfaced that appears to be searching for login, username and password information, Microsoft and antivirus vendors warned last week.
Called the Y2K Countdown or Polyglot Trojan, the potentially malicious code comes as an attachment called Y2KCOUNT.EXE in an e-mail claiming to be from Microsoft. It spoofs the return address "firstname.lastname@example.org" and uses the subject "Microsoft Announcement."
Microsoft has warned users to delete the message without opening it.
The text of the message "announces" something it calls the Microsoft Year 2000 Counter and urges users to run the software attachment.
Once the file is executed, a WinZip self-extracting dialog box and fake message box appear, containing this line: Password protection error or invalid CRC32!, according to Trend Micro, an antivirus software vendor.
The Trojan horse then places four files -- PROCLIB.DLL, PROCLIB.EXE, PROCLIB16.DLL and SVSRV.DLL -- into the Windows System directory of an infected machine and overwrites the contents of WSOCK32.DLL.
The altered software affects files that control communications with the Internet, and searches for the words "password," "login" and "username" in incoming and outgoing mail, Trend Micro said.
Carey Nachenberg, chief researcher at Symantec's Anti-Virus Centre (SARC), said SARC is still analysing what Y2K Countdown exactly does and where it sends the information it finds. So far, Symantec has only received three customer inquiries about Y2KCOUNT.EXE.
Network Associates' AVERT Research Centre reported receiving 10-20 calls from customers over Y2K Countdown. Vincent Gullotto, director of AVERT Labs, said the Trojan horse is in an early stage and doesn't appear to be spreading quickly. The lab has tried to reproduce Y2K Countdown, but with no luck so far, he said. It will continue to look into the Trojan horse.
Meanwhile, Microsoft posted a warning on its Web site, telling users the e-mail is a hoax and the software mentioned doesn't exist.
"I wouldn't say panic, but if you receive an attachment with [the] Y2KCOUNT.EXE file, I would think twice about running it," Nachenberg said.