[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Author Index][Search Archives]

AOLGOLD Trojan Alert Bulletin (fwd)

I received this via my military sources and thought I would pass it on...


==========Original Message ==============================

A trogran program (computer virus) is being distributed  around America
Online (AOL) and other networks called  "AOLGOLD".  Please read the
following message from the  base C4 Security Office.  This information
may possibly  prevent you from infecting your computer (government or 
home) from a virus infection. 

     To All - 
     I received this from two different certified  advisory agencies which 
     lends alot of credence to the validity of this  virus.  I ask everyone 
     to be very careful in what you download from/thru  AOL.  This info
     apply mainly to those who have this commercial  service privately, 
     although it could effect WPAFB accounts thru the  transferring of 
     infected files.    
     Ben Striks
     Chief, C4 Security Branch
                       The U.S. Department of Energy
                    Computer Incident Advisory  Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN
       AOLGOLD Trojan Program
      November 16, 1995 1300 PST                             
             Number G-03 

      PROBLEM:        A trojan program is being distributed  around America
  Online and other networks called AOLGOLD.ZIP.
DAMAGE:         When the INSTALL.EXE program is  executed, most files
on the
  users C: drive are deleted.
SOLUTION:       See the description below 
      VULNERABILITY    ASSESSMENT:     Users who download the
  programs, unpack, and execute them may destroy files  on their 
  DOS C: drive.
    Information on the AOLGOLD Trojan Program
      AOLGOLD Trojan
      The AOLGOLD Trojan program was recently discovered on  America
Online (AOL).  Notice about the Trojan has been circulated to all  America
Online  subscribers.  Notice about the Trojan and a copy of the  Trojan
program were  supplied to CIAC by Doug Bigelow, who is on the staff  of
America Online.
      Apparently, an e-mail message is being circulated that  contains an
attached  archive file named AOLGOLD.ZIP.  A README file that is  in the
archive  describes it as a new and improved interface for the  AOL
online service.  Note that there is no such program as AOLGOLD.  Also, 
simply reading an  e-mail message or even downloading an included file 
will not do damage to  your machine.  You must execute (or run) the
downloaded  file to release  the Trojan and have it cause damage.
      If you unzip the archive, you get two files:  INSTALL.EXE and
README.TXT.  The README.TXT file again describes AOLGOLD as a
new  and improved interface to the AOL online service.  The
INSTALL.EXE program is  a self-extracting ZIP  archive.  When you run
the install program, it extracts  18 files onto your  hard drive:
      The file list includes another README.TXT file. If you  examine the
new  README.TXT file, it starts out with "Ever wanted the  Powers of a
Guide" and  continues with some crude language.  The README.TXT  file
indicates that the  included program is a guide program that can be used
to  kick other people  off of AOL.
      If you stop at this point and do nothing but examine  the unzipped files
 with the TYPE command, your machine will not be  damaged.  The
following  three files contain the Trojan program:
      The rest of the files included in the archive appear to  have been
grabbed  at random to simply fill up the archive and make it  look official.
      The Trojan program is started by running the  INSTALL.BAT file.  The 
INSTALL.BAT file is a simple batch file that renames  the VIDEO.DRV file
to  VIRUS.BAT and then runs it.  VIDEO.DRV is an amateurish  DOS batch
file that  starts deleting the contents of several critical  directories on
your C:  drive, including:
      c:\ c:\dos c:\windows c:\windows\system c:\qemm c:\stacker
      It also deletes the contents of several other  directories, including
those  for several online services and games, such as:
      c:\aol20 c:\prodigy c:\aol25 c:\mmp169 c:\cserve c:\doom c:\wolf3d
      When the batch file completes, it prints a crude  message on the
screen and  attempts to run a program named DoomDay.EXE.  Bugs in 
the batch file prevent  the DOOMDAY.EXE program from running.  Other
bugs in  the file cause it to  delete itself if it is run from any drive but the
C:  drive.  The programming  style and bugs in the batch file indicates that
the  Trojan writer appears to have little programming experience.
- ---------
      **WARNING** Do not copy any files onto your hard disk  before trying
to  recover your hard drive.
      The files are deleted with the DOS del command, and can  be
recovered with  the DOS undelete command.  The files are still on your 
disk, only the  directory entries have been removed.  If you copy any 
new files onto your  hard disk, they will likely be written over the deleted 
files, making it  impossible to recover the deleted files.
      If you have delete protection installed on your system,  recovery will
be  relatively easy.  If not, the DOS undelete command can  be used, but
you will  have to supply the first letter of each file name as it  is
recovered.  In  many cases, you will probably want to restore the 
directories by  reinstalling them from the original installation disks,  but do
that last.  You must recover any unreplaceable files first using  undelete
and then  replace any others by copying or reinstalling them from  the
distribution  disks.
      To recover the system:
      1. Boot the system with a clean, locked floppy  containing the
recovery  program for the recovery files you have installed, or  the DOS
UNDELETE.EXE  program if you do not have recovery files installed.
      2. Type the VIRUS.BAT file to get a list of the  directories the Trojan 
tried to delete. Ignore any directories that don't  exist on your machine.
      3. Run the recovery program and recover your files. You  may have
to help it  find the recovery files, such as MIRROR, which will be  in the
root  directory. You may have to recover the MIRROR file  first and then
use it to  recover the other files.
      If you are using only the DOS undelete command, type:
   undelete directory
      where directory is the name of the directory to  examine. To undelete
the  files in the dos directory, use:
   undelete c:\dos
      The undelete program will present you with a list of  deleted files with
the  first letter replaced with a question mark. Without  delete protection,
you  will have to supply this letter in order to undelete  the file.
      4. After you have restored as many files as you want or  can using
the  UNDELETE command, replace any others by reinstalling  them using
the  original installation disks.
      The Operations staff at America Online has released the  following 
bulletin to their users:
      - --BEGIN MESSAGE--
      Dear Member:
      As you know, we strive to keep you informed on various  issues
regarding  online safety.
      We want to take this opportunity to remind you about  potential
computer  viruses and Trojan horses and how to protect your  computer.
 First, a virus  is a program that is designed to spread and usually 
attaches itself to a  program with the goal of spreading to other
 A Trojan horse is a  program that is intended to corrupt your computer
but  has to be activated  before it can be executed.  For example, a
Trojan horse  can be distributed as  an attached file to an email but the
file has to be  downloaded and executed  before harm is done.
      If you receive email from unknown senders with an  attached file, it is
a good  rule of thumb not to download the files.  In addition,  if you ever
receive a  file in email you believe could cause problems, please 
forward it immediately  to TOSEMAIL1, and explain your concerns to our
Terms of  Service staff.
      We have received recent inquiries regarding a Trojan  horse that is
sent as an  attached file in an email message entitled "AOLGOLD"  and
"Install.exe". It is  important to understand that no virus or Trojan horse 
can be passed along by  simply reading email.  However, we strongly
urge that  if you receive email  with an attached file with this name not to
download  it.
      Due to the private nature of electronic mail, we cannot  scan files in
email  for viruses as we do with files in public areas of the  service.
      We have never had an occurrence of a virus or Trojan  horse being
spread  through simply reading email.  In order for one to  spread to your
computer,  you would have to proactively select the attached file  and
download it to  your hard drive.  It is therefore advisable never to 
download attached files  from an unknown sender.
      AOL incorporates virus protection throughout the  service and scans
all posted  software, text, and sound files in public areas. We  also offer
our members  the Virus Information Center on AOL where you'll find 
information about the  latest virus or Trojan horse, along with updates to
all  the popular  commercial, shareware, and freeware anti-virus tools.  
Keyword: VIRUS.
      Thank you for taking an active role in maintaining a  safe online
      Sincerely,  AOL Operations Staff
      - --END MESSAGE--
      CIAC wishes to thank the staff of America Online,  especially Mr. Don
Bigelow  for their assistance in providing the information necessary  to
prepare this  bulletin.
      CIAC, the Computer Incident Advisory Capability, is the  computer
security  incident response team for the U.S. Department of  Energy.
CIAC is located at  the Lawrence Livermore National Laboratory in 
Livermore, California. CIAC is  also a founding member of FIRST, the
Forum of Incident  Response and Security  Teams, a global organization
established to foster  cooperation and  coordination among computer
security teams worldwide. 
      CIAC services are available to DOE and DOE contractors,  and CIAC
can be  contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov
      For emergencies and off-hour assistance, DOE and DOE  contractor
sites may  contact CIAC 24-hours a day. During off hours (5PM -  8AM
PST), call the CIAC  voice number 510-422-8193 and leave a message,
or call  800-759-7243  (800-SKY-PAGE) to send a Sky Page. CIAC has
two Sky  Page PIN numbers, the  primary PIN number, 8550070, is for the
CIAC duty  person, and the secondary  PIN number, 8550074 is for the
CIAC Project Leader.
      Previous CIAC notices, anti-virus software, and other  information
are  available from the CIAC Computer Security Archive. 
   World Wide Web: http://ciac.llnl.gov/ 
   Anonymous FTP:  ciac.llnl.gov ( 
   Modem access:   (510) 423-4753 (14.4K baud)
                   (510) 423-3331 (9600 baud)
      CIAC has several self-subscribing mailing lists for  electronic
publications:  1. CIAC-BULLETIN for Advisories, highest priority -  time
critical information 
   and Bulletins, important computer security  information;
2. CIAC-NOTES for Notes, a collection of computer  security articles;
3. SPI-ANNOUNCE for official news about Security  Profile Inspector
   software updates, new features, distribution and  availability;
4. SPI-NOTES, for discussion of problems and solutions  regarding the
use of 
   SPI products.
      Our mailing lists are managed by a public domain  software package
called  ListProcessor, which ignores E-mail header subject  lines. To
subscribe (add  yourself) to one of our mailing lists, send the  following
request as the  E-mail message body, substituting CIAC-BULLETIN, 
CIAC-NOTES, SPI-ANNOUNCE or  SPI-NOTES for list-name and valid
information for  LastName FirstName and  PhoneNumber when sending
      E-mail to ciac-listproc@llnl.gov:
 subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OUHara, Scarlett W.  404-555-1212 x36
      You will receive an acknowledgment containing address,  initial PIN,
and  information on how to change either of them, cancel  your
subscription, or  get help. 
      PLEASE NOTE: Many users outside of the DOE and ESnet  computing
communities  receive CIAC bulletins.  If you are not part of these 
communities, please  contact your agency's response team to report 
incidents. Your agency's team  will coordinate with CIAC. The Forum of
Incident  Response and Security Teams  (FIRST) is a world-wide
organization. A list of FIRST  member organizations and  their
constituencies can be obtained by sending email  to docserver@first.org 
with an empty subject line and a message body  containing the line: send
      This document was prepared as an account of work  sponsored by
an agency of the  United States Government. Neither the United States 
Government nor the  University of California nor any of their employees, 
makes any warranty,  express or implied, or assumes any legal liability or
 responsibility for the  accuracy, completeness, or usefulness of any 
information, apparatus, product,  or process disclosed, or represents
that its use would  not infringe privately  owned rights. Reference herein
to any specific  commercial products, process, or  service by trade
name, trademark, manufacturer, or  otherwise, does not  necessarily
constitute or imply its endorsement,  recommendation or favoring by  the
United States Government or the University of  California. The views and 
opinions of authors expressed herein do not necessarily  state or reflect
those  of the United States Government or the University of  California,
and shall not  be used for advertising or product endorsement  purposes.
      LAST 10 CIAC BULLETINS ISSUED (Previous bulletins  available from
      (F-21)  Protecting SUN OS Systems Against SATAN  (F-22)  SATAN
Password Disclosure
(F-23)  Protecting IBM AIX Systems Against SATAN  (F-24)  Protecting
SGI IRIX Systems Against SATAN  (F-25)  Cisco IOS Router Software
Vulnerability  (F-26)  OSF/DCE Security Hole
(F-27)  Incorrect Permissions on /tmp
(F-28A) Vulnerability in SunOS 4.1.* Sendmail (-oR  option)  (G-1)  
Telnetd Vulnerability
(G-2) SunOS 4.1.X Loadmodule Vulnerability
      RECENT CIAC NOTES ISSUED IN FY1995 (Previous Notes  available
from CIAC)
      Notes 07 - 3/29/95
A comprehensive review of SATAN
      Notes 08 - 4/4/95
A Courtney update
      Notes 09 - 4/24/95
More on the "Good Times" virus urban legend
      Notes 10 - 6/16/95
Discusses the PKZ300B Trojan, Logdaemon/FreeBSD  vulnerability  in
S/Key, EBOLA Virus Hoax, and Caibua Virus
      Notes 11 - 7/31/95
Features include a Virus Update, Hats Off to  Administrators,  America
On-Line Virus Scare, SPI 3.2.2 Released, The  Die_Hard Virus
      Notes 12 - 9/12/95
Features include discussions on securely configuring  Public
Telnet Services, X Windows and announces the beta  release of Merlin, 
describes the Microsoft Word Macro Viruses, and  examines allegations 
of Inappropriate Data Collection in Win95