NEWS FROM THE LAB - Thursday, October 25, 2007

Mudslinging Malware

Posted by Sean @ 13:02 GMT

Malware Attempts to Affect Kenyan Elections

Most of the day-to-day malware that we currently analyze has a financial motive. Such malware typically doesn't do anything noticeably malicious, as it doesn't want to tip off the victim.

But every now and then, we see something that's just plain nasty. Yesterday, Marko analyzed such a sample that we now detect as Trojan:W32/Agent.DPL.

This particular piece of malware appears to have a political rather than financial motive. A system infected with Agent.DPL displays the following message when Windows starts:


And it attempts to connect to www.kalonzomusyokaforpresident.com.

Kalonzo Musyoka for President

The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka. He launched his presidential campaign on October 14, 2007. Kenyan elections will be held in December. Note that the malware quotes Francis rather than Stephen.

Agent.DPL hacks the registry so that the user is unable to locate key Windows functions. This image shows the missing Control Panel icon as well as a few other things.


If any Control Panel apps are launched from another location, they'll be shut down by the malware.

Our guess is that by making the computer next to useless, Musyoka's detractors hope to shift the blame to him. But then again we don't know that much about the political situation in Kenya…

Our description — Trojan:W32/Agent.DPL — provides additional details, including an unusually easy way to disable it.