April 11, 2005 11:55 AM PDT

Site-blocking worm carries phishing risk

A new variant of the Crowt worm could block infected browsers from accessing Web sites belonging to some antivirus sellers, Trend Micro has warned.

Crowt.D, first discovered Wednesday, opens up the Google News site upon infection, then alters the computer's hosts file to add a list of Web site addresses, the antivirus company said in an advisory last week. When people click on one of those addresses, they are redirected to a local loopback address instead, a move that blocks access to the sites in the list. The worm restricts access to antivirus vendor sites including Trendmicro.com, Kapersky-labs.com, Sophos.com, Symantec.com and Us.mcafee.com.

Related feature
Have you been phished?
Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you.

Trend Micro has given the worm a "low" risk rating. But Adam Biviano, senior systems engineer at the company, said the worm is noteworthy because it has the potential to send a victim to a phishing Web site even when they have manually typed in a Web address.

Phishing schemes typically use spoofed Web sites that look like they belong to a trusted provider, such as an online retailer, but are actually hosted by scammers. The sites attempt to get people to type in confidential information such as passwords and credit card numbers.

The Crowt.D infection's ability to redirect people from one Web site to another is especially dangerous when it involves an online banking service, Biviano said.

"Banks are telling their customers to type their specific Web site address into the browser. However, if the host file has been compromised, then even if the URL is typed in, the browser will still go to the phishing Web site," Biviano said.

Biviano said the Crowt variant can redirect people, regardless of which browser they use.

"It uses the Windows associations to launch a file, so it will open your default browser," he said. The worm affects Microsoft Windows 95, 98, ME, NT, 2000 and XP, and spreads by sending itself out to e-mail addresses found in the Windows Address Book.

DNS poisoning is another method that is being used by hackers to try to redirect Internet users to fraudulent Web sites. On Wednesday, Microsoft advised customers who use its server software to reconfigure their settings to avoid such attacks.

Munir Kotadia of ZDNet Australia reported from Sydney.


Join the conversation!
Add your comment
What's so new about that?
Anything that can alter the hosts file has the ability to used for phishing. Nothing new in that.

Again the same story. Why is a file like this not better protected...
Posted by Steven N (487 comments )
Reply Link Flag
how do i fix this?
my friend has gotten this virus. is there a removal tool that i can get to help him remove it?
Posted by jigibut (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.