Trojans

These malicious programs are named after the Trojan horse, which delivered soldiers into the city of Troy.

Like the horse, a Trojan program is a delivery vehicle; a program that does something undocumented which the programmer intended, but that the user would not approve of if s/he knew about it. The Trojan program appears to be a useful program of some type, but when a certain event occurs, it does something nasty and often destructive to the system.

Most of the "classic" Trojan programs were delivered to users on disks which advertised themselves as something useful. As an example, a disk that was supposed to contain Aids information was once distributed. Unfortunately, when a program on the disk was run the user's hard disk was encrypted and rendered useless. Many newer Trojan programs make their way to you as E-mail attachments with the text in the E-mail program enticing you to run the attachment.

There have been many Trojan programs and new ones crop up every day. It's important to know and trust the source of any program you receive because most anti-virus programs can't detect new Trojans. These programs, while potentially destructive, still use common DOS/Windows commands and any attempt to trigger an alert on these commands would result in massive false alarms.

Most anti-virus programs today include Trojans as soon as they are circulating as Trojans make up much of the malware in 2005/2006; but it may still be too late for you as it takes some time to update their databases. Trojans are, however, simple to avoid if you practice safe hex and just don't sucumb to the lures of the E-mails that send them to you.

Two special Trojan threats need to be mentioned for historical perspective:

ANSI Bomb (rare today)

Early text computer applications would sometimes make use of a DOS driver called ANSI.SYS to control display colors and other computer functions. As provided in DOS, ANSI.SYS also has the capability of remapping the keyboard. In order to do this all a user had to do was load ANSI.SYS in the CONFIG.SYS file and then force a particular sequence of characters, starting with the Escape key, to the screen. These would be intercepted by ANSI.SYS and the particular key on the keyboard would then be remapped to perform some defined function.

In the case of an ANSI bomb a Trojan would send a keystroke remapping sequence that might, for example, remap the F1 key to issue a command that might delete everything on the C: drive (or any other unwanted command). The solution, of course, is to not use ANSI.SYS in your CONFIG.SYS file (it's never necessary today) and make certain any ANSI simulators you might use as part of a communications program do not implement keyboard remapping.

Windows Help macros (rare but demonstrated)

The Windows Help file format allows various macros to be attached to Windows Help files. These macros can be set to run when the Help file first starts and, right now, there is no way to prevent this from happening. These macros can contain unwanted actions. As of this writing, the only example of this makes changes to your Windows INI files; but, other actions are possible. One researcher has postulated a possible Help file virus, but in looking at what would be necessary to create such a virus (it's not entirely clear it's even possible) Computer Knowledge feels the possibility of one in the wild is remote at best. Anti-virus programs do not generally protect against Windows Help file attacks so current backups are very important!

Some researchers consider a virus a particular case of a Trojan horse; others believe that if a virus does not do any deliberate damage it cannot be classed as a Trojan. In common use, most people (including Computer Knowledge) use Trojan to refer to a non-replicating malicious program.

An excellent white paper on Windows Trojans is available from Frame4 Security Systems:

• The Complete Windows Trojans Paper