Trend Micro isn't so sure any more that a Windows Trojan horse it discovered is really a threat.
On Wednesday, the Tokyo-based antivirus company said it had discovered a Trojan horse that used an image-rendering flaw in Windows to attack systems, a day after Microsoft had provided a fix for the vulnerability. But late Thursday, Trend Micro said its initial analysis of the Trojan might be incorrect.
"We asked another team to start the disassembly process again," said Raimund Genes, chief technologist for Trend Micro in Europe. That means researchers will reinvestigate the Trojan code to see what it does.
The Trojan is referred to as "emfsploit.a" by Trend Micro. Initially, the antivirus software maker reported that the malicious code would crash "explorer.exe" on unpatched Windows machines. Explorer runs key parts of the Windows graphical user interface, including the Start menu, taskbar, desktop and file manager.
Trend Micro has updated the entry in its antivirus encyclopedia on the Trojan. The entry no longer states that "emfsploit.a" exploits the Windows vulnerability, but instead it says that it "exhibits behavior similar to the Enhanced Metafile vulnerability of MS05-053."
"Our Trend Labs team is currently working with Microsoft to resolve whether TROJ_EMFSPLOIT.A does indeed fall under the category of code exploiting the MS05-053 vulnerability or whether it is only a related piece of code but not totally exploiting MS05-053," Genes said in an e-mail to CNET News.com.
Trend Micro has found that the Trojan does cause a crash on certain Windows XP systems, but the finding is not consistent with Microsoft's Tuesday bug report. Trend found a crash only on Windows XP computers without Service Pack 1. But according to Microsoft, the vulnerability also affects systems with SP1 and SP2, so these should crash as well if the Trojan indeed exploits the MS05-053 flaw.
Trend Micro describes the new Trojan as a "proof of concept." It received one sample of the code from a customer in Japan, but as of late Thursday the Trojan hasn't actually been detected anywhere else, Genes said. The company hence rates the overall risk "low."
The vulnerability the Trojan was thought to exploit lies in the way Windows handles certain graphics files. Microsoft provided a fix for three such flaws on Tuesday as part of its monthly patching cycle.
The Windows vulnerabilities relate to how the operating system renders the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats, Microsoft said Tuesday in its MS05-053 security bulletin. The software maker tagged the bulletin "critical," its most serious rating.
A Microsoft representative said the company is investigating the Trojan report, but added that it is not currently aware of attacks that use it.
Microsoft urges Windows users to apply the MS05-053 update as soon as possible. However, some users of Microsoft's free Software Update Services patching tool have reported trouble in obtaining the patch.