Getting headline news sent via e-mail is a common activity that a new
worm in the wild is hoping to take advantage of. Security firm Sophos
this week reported the discovery of a worm that takes headlines from the
CNN Web site and attempts to install a Trojan on the recipient’s PC.
Sophos has called the worm Crowt-A (W32/Crowt-A). In addition to taking
the subject line from the CNN news site, it also lifts message text from it,
which further helps create the façade of legitimacy. As with many worms,
the malicious code is contained in an attachment that is used to deploy its payload.
In the case of Crowt-A that payload is a Trojan keylogger that logs and
then sends the user’s keystrokes to a remote address. The Trojan also provides
a backdoor allowing an attacker remote access to the infected machine.
The worm propagates using its own e-mail engine, sending itself to addresses found in the
Windows address book and in the Windows Internet cache folder. It forges the message
headers so that the e-mail appears to have been sent from Microsoft Outlook Express.
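The two mechanics described above (an executable payload carried in an attachment, and forged headers claiming Outlook Express) are exactly what a mail-gateway check can look for. The following is an added example written for this page, not code from Sophos or from the worm itself: it builds a constructed sample message imitating the lure, then flags executable attachments by extension and by the "MZ" magic bytes regardless of the declared content type, and applies a heuristic that a message claiming an Outlook Express X-Mailer should carry an Outlook Express-style Message-ID (the `<hex$hex$hex@host>` shape is an assumption of this example, not something the article states). The sender, subject, filenames and attachment bytes are all invented.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when the user double-clicks.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Heuristic (assumption of this example): Outlook Express generates Message-IDs
# shaped like <001301c4f7f4$6b1d3ab0$0100a8c0@hostname>. A message that claims
# an Outlook Express X-Mailer but lacks such an ID was probably sent by a
# home-grown SMTP engine, as the article says Crowt-A's messages are.
OE_MSGID = re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[^>]+>$", re.I)


def build_sample(payload: bytes, filename: str, message_id: str) -> bytes:
    """Construct a sample message resembling the lure (all values invented)."""
    msg = EmailMessage()
    msg["From"] = "news-alerts@example.com"          # constructed sender
    msg["To"] = "victim@example.org"                 # constructed recipient
    msg["Subject"] = "Headline of the hour"          # constructed lure subject
    msg["X-Mailer"] = "Microsoft Outlook Express 6.00.2800.1437"  # claimed mailer
    msg["Message-ID"] = message_id
    msg.set_content("Story text copied from a news site would go here.")
    # Declared as a generic blob so the scanner cannot rely on the MIME type.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def is_executable_attachment(filename: str, data: bytes) -> bool:
    """True if the name or the content looks like a Windows executable."""
    name = filename.lower()
    ext_hit = any(name.endswith(ext) for ext in EXEC_EXTENSIONS)
    magic_hit = data[:2] == b"MZ"   # DOS/PE header signature
    return ext_hit or magic_hit


def scan_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    executables = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_executable_attachment(fname, data):
            executables.append(fname)

    claimed = (msg.get("X-Mailer") or "").lower()
    msgid = (msg.get("Message-ID") or "").strip()
    mailer_mismatch = "outlook express" in claimed and not OE_MSGID.match(msgid)

    return {
        "executable_attachments": executables,
        "mailer_mismatch": mailer_mismatch,
        # Quarantine on an executable attachment; the mailer check alone is
        # only a weak signal and is reported, not acted on.
        "quarantine": bool(executables),
    }


if __name__ == "__main__":
    # Constructed stub: starts with the "MZ" signature but is not a real binary.
    worm_like = build_sample(b"MZ" + b"\x00" * 62, "headline.jpg.exe",
                             "<20050120120000.4711@engine.invalid>")
    benign = build_sample(b"plain story text", "story.txt",
                          "<001301c4f7f4$6b1d3ab0$0100a8c0@workstation>")
    print(scan_message(worm_like))
    print(scan_message(benign))
```

The content-type-agnostic check matters because a worm chooses its own MIME headers; matching on the "MZ" signature catches a payload renamed to a harmless-looking extension, while the double extension `headline.jpg.exe` is caught by the name check even before the bytes are decoded.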
“Virus writers are always looking for new tricks to entice innocent
computer users into running their malicious code; this latest ploy feeds
on people’s desire for the latest news,” said Carole Theriault, security
consultant at Sophos, in a statement. “Many people subscribe to legitimate
e-mail news updates, but the message is simple — businesses need to make
sure their anti-virus detection is constantly updated, and users need to be
suspicious of all unsolicited e-mail whether it’s promising celebrity pictures
or news updates.”
In other security news, Cisco issued
an advisory this week about a vulnerability in its Internetwork Operating System (IOS).
The advisory addresses all Cisco devices running any
unfixed version of Cisco IOS code that supports
and is configured for Cisco IOS Telephony Service (ITS), Cisco CallManager
Express (CME) or Survivable Remote Site Telephony (SRST).
According to Cisco, successful exploitation of the vulnerability may result
in a device reload. Repeated exploitation could result in a sustained denial of service.
Free software upgrades to address the issue are available through the
Cisco update channel.