Trojan Horse Hidden In 'Yes & No' Animated Video

Sophos reports that a malware writer is taking advantage of a popular animation that people have been e-mailing to friends for years.
Security researchers are warning users that a malware writer is infecting computers by hiding a Trojan horse inside an animated video that is being e-mailed around the world.

The Troj/Agent-FWO Trojan plays the popular "Yes & No" Shockwave video created by the Italian animator Bruno Bozzetto, according to an advisory from Sophos. The video only plays, though, after the Trojan has installed itself on the user's computer and downloaded other pieces of malicious code.

The video has been making its way around the globe for the past several years with people forwarding it to friends and colleagues. Now, a malware writer has begun taking advantage of the trend, sending out a copy of the video that has the Trojan hidden inside.

The Trojan drops its malicious payload in the Windows System folder, according to Sophos, and is designed to create registry entries to run on startup. It also has the ability to inject code into system processes to hide itself.
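The persistence Sophos describes here, a file dropped into the Windows System folder plus registry entries that launch it at startup, is something an administrator can audit. The following added example is not from the article or from Sophos: it parses a constructed `.reg` export of a Run key and flags any entry that launches a binary from the system folder which is not on an assumed known-good baseline. The registry text, the baseline and the file names (including `svchst.exe`) are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export` of a Run key looks like (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Windows\\System32\\svchst.exe\" -silent"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

# Assumed baseline of autorun binaries legitimately launched from the system
# folder; in practice this comes from a clean reference machine or golden image.
BASELINE = {"securityhealthsystray.exe"}

SYSTEM_DIR = PureWindowsPath(r"C:\Windows\System32")


def parse_run_keys(reg_text):
    """Yield (value_name, command) pairs from a .reg export, undoing .reg escaping."""
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            command = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield m.group(1), command


def executable_path(command):
    """Extract the program path from a Run value, whether quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def flag_system_dir_autoruns(reg_text, baseline=BASELINE, system_dir=SYSTEM_DIR):
    """Return (name, path) for autoruns that start a non-baseline binary from the system folder."""
    flagged = []
    for name, command in parse_run_keys(reg_text):
        path = PureWindowsPath(executable_path(command))
        # PureWindowsPath compares case-insensitively, matching Windows semantics.
        if path.parent == system_dir and path.name.lower() not in baseline:
            flagged.append((name, str(path)))
    return flagged


if __name__ == "__main__":
    for name, path in flag_system_dir_autoruns(SAMPLE_REG):
        print(f"suspicious autorun {name!r} -> {path}")
```

An entry that appears here still needs triage (signature, hash, first-seen date); the check only narrows the list to binaries that the baseline does not explain.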

"It's important to realize that the animation itself is not malicious. Thousands of artists like Bruno Bozzetto have created funny movies whose only negative can be the hours that have been spent watching them," said Graham Cluley, senior technology consultant for Sophos, in a statement. "But the Trojan horse which is playing the animation in this instance is dangerous. Troj/Agent-FWO is exploiting society's predilection for forwarding humorous animations on to friends and family in its attempt to infect as many people as possible."

The "Yes & No" animation was first posted on the Internet by Bozzetto in 2001. It's a funny take on how obeying the rules of the road can cause its own set of problems. According to Sophos, it's estimated that hundreds of thousands of people have watched the online video.

Sophos researchers reported that the Trojan plays the animation as a smokescreen to hide the fact that it's silently infecting Windows computers.