AOLGOLD Trojan Alert Bulletin (fwd)
I received this via my military sources and thought I would pass it on...
Terafan
==========Original Message ==============================
A trojan program (computer virus) is being distributed around America
Online (AOL) and other networks called "AOLGOLD". Please read the
following message from the base C4 Security Office. This information
may possibly prevent your computer (government or home) from being
infected by a virus.
To All -
I received this from two different certified advisory agencies which
lends a lot of credence to the validity of this virus. I ask everyone
to be very careful in what you download from/through AOL. This info
will apply mainly to those who have this commercial service privately,
although it could affect WPAFB accounts through the transferring of
infected files.
Ben Striks
Chief, C4 Security Branch
7-2312
The U.S. Department of Energy
Computer Incident Advisory Capability
_______________________________________________________
INFORMATION BULLETIN
AOLGOLD Trojan Program
November 16, 1995 1300 PST
Number G-03
_______________________________________________________
PROBLEM: A trojan program is being distributed around America
Online and other networks called AOLGOLD.ZIP.
PLATFORM: DOS-based PCs
DAMAGE: When the INSTALL.EXE program is executed, most files on the
user's C: drive are deleted.
SOLUTION: See the description below
_______________________________________________________________________________
VULNERABILITY ASSESSMENT: Users who download the
AOLGOLD.ZIP or INSTALL.EXE trojaned
programs, unpack, and execute them may destroy files on their
DOS C: drive.
_______________________________________________________________________________
Information on the AOLGOLD Trojan Program
AOLGOLD Trojan
==============
The AOLGOLD Trojan program was recently discovered on America
Online (AOL). Notice about the Trojan has been circulated to all America
Online subscribers. Notice about the Trojan and a copy of the Trojan
program were supplied to CIAC by Doug Bigelow, who is on the staff of
America Online.
Apparently, an e-mail message is being circulated that contains an
attached archive file named AOLGOLD.ZIP. A README file that is in the
archive describes it as a new and improved interface for the AOL
online service. Note that there is no such program as AOLGOLD. Also,
simply reading an e-mail message or even downloading an included file
will not do damage to your machine. You must execute (or run) the
downloaded file to release the Trojan and have it cause damage.
If you unzip the archive, you get two files: INSTALL.EXE and
README.TXT. The README.TXT file again describes AOLGOLD as a
new and improved interface to the AOL online service. The
INSTALL.EXE program is a self-extracting ZIP archive. When you run
the install program, it extracts 18 files onto your hard drive:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT
The file list includes another README.TXT file. If you examine the
new README.TXT file, it starts out with "Ever wanted the Powers of a
Guide" and continues with some crude language. The README.TXT file
indicates that the included program is a guide program that can be used
to kick other people off of AOL.
If you stop at this point and do nothing but examine the unzipped files
with the TYPE command, your machine will not be damaged. The
following three files contain the Trojan program:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
The rest of the files included in the archive appear to have been
grabbed at random to simply fill up the archive and make it look official.
The Trojan program is started by running the INSTALL.BAT file. The
INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file
to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch
file that starts deleting the contents of several critical directories on
your C: drive, including:
c:\ c:\dos c:\windows c:\windows\system c:\qemm c:\stacker
c:\norton
It also deletes the contents of several other directories, including
those for several online services and games, such as:
c:\aol20 c:\prodigy c:\aol25 c:\mmp169 c:\cserve c:\doom c:\wolf3d
When the batch file completes, it prints a crude message on the
screen and attempts to run a program named DOOMDAY.EXE. Bugs in
the batch file prevent DOOMDAY.EXE from running. Other bugs cause
the batch file to delete itself if it is run from any drive but the
C: drive. The programming style and the bugs in the batch file indicate
that the Trojan writer has little programming experience.
RECOVERY:
---------
**WARNING** Do not copy any files onto your hard disk before trying
to recover your hard drive.
The files are deleted with the DOS DEL command and can be
recovered with the DOS UNDELETE command. DEL does not erase the file
data: it marks the directory entry as deleted (which is why the first
letter of each name is lost) and frees the file's clusters. The data
stays on the disk until those clusters are reused. If you copy any
new files onto your hard disk, they will likely be written over the deleted
files, making it impossible to recover them.
If you have delete protection installed on your system, recovery will
be relatively easy. If not, the DOS UNDELETE command can be used, but
you will have to supply the first letter of each file name as it is
recovered. In many cases, you will probably want to restore the
directories by reinstalling them from the original installation disks, but do
that last. You must recover any irreplaceable files first using UNDELETE
and then replace any others by copying or reinstalling them from the
distribution disks.
To recover the system:
1. Boot the system with a clean, locked floppy containing the
recovery program for the recovery files you have installed, or the DOS
UNDELETE.EXE program if you do not have recovery files installed.
2. Display the VIRUS.BAT file with the TYPE command to get a list of the
directories the Trojan tried to delete. Ignore any directories that don't
exist on your machine.
3. Run the recovery program and recover your files. You may have
to help it find the recovery files, such as MIRROR, which will be in the
root directory. You may have to recover the MIRROR file first and then
use it to recover the other files.
If you are using only the DOS undelete command, type:
undelete directory
where directory is the name of the directory to examine. To undelete
the files in the dos directory, use:
undelete c:\dos
The undelete program will present you with a list of deleted files with
the first letter replaced with a question mark. Without delete protection,
you will have to supply this letter in order to undelete the file.
4. After you have restored as many files as you want or can using
the UNDELETE command, replace any others by reinstalling them using
the original installation disks.
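Why UNDELETE works, why it asks for the first letter, and why copying anything onto the disk first destroys the evidence all follow from what DEL does to a FAT directory entry. The following Python model is an added example, not part of the bulletin and not the DOS implementation: it builds a 32-byte FAT12-style directory entry, applies what DEL does (overwrite the first name byte with 0xE5, free the cluster chain in the FAT, leave the data clusters alone), then recovers it the way UNDELETE does without a delete-tracking file (user supplies the first letter, clusters assumed contiguous from the first one), and finally shows recovery failing once a new file has taken one of those clusters. The FAT table, cluster size, file names and sizes are constructed values for the example; the FAT12 layout and the 0xE5 convention are real.

```python
"""Model of what DOS DEL and UNDELETE do to a FAT12 directory entry and FAT chain.
Added example with constructed values; not DOS code and not from the bulletin."""
import math
import struct

# 32-byte FAT directory entry: 8-byte name, 3-byte extension, attribute byte,
# 10 reserved bytes, time, date, first cluster number, file size (little-endian).
ENTRY = struct.Struct("<8s3sB10sHHHI")
DELETED_MARK = 0xE5   # DEL overwrites the first byte of the name with this value
FREE = 0x000          # FAT value for an unallocated cluster
EOC = 0xFFF           # FAT12 end-of-chain marker used in this model
ATTR_ARCHIVE = 0x20

def make_entry(name: str, ext: str, first_cluster: int, size: int) -> bytes:
    """Build a live directory entry for NAME.EXT starting at first_cluster."""
    return ENTRY.pack(name.upper().ljust(8).encode("ascii"),
                      ext.upper().ljust(3).encode("ascii"),
                      ATTR_ARCHIVE, b"\x00" * 10, 0, 0, first_cluster, size)

def parse_entry(entry: bytes) -> dict:
    """Decode an entry; a deleted entry shows '?' where the first letter was."""
    name, ext, _attr, _res, _time, _date, first, size = ENTRY.unpack(entry)
    deleted = name[0] == DELETED_MARK
    base = ("?" if deleted else chr(name[0])) + name[1:].decode("ascii").rstrip()
    return {"name": base + "." + ext.decode("ascii").rstrip(),
            "deleted": deleted, "first_cluster": first, "size": size}

def dos_del(entry: bytes, fat: list) -> bytes:
    """What DEL does: mark the entry deleted and free its cluster chain.
    The data clusters themselves are not touched."""
    c = ENTRY.unpack(entry)[6]
    while FREE < c < 0xFF8:          # follow the chain until an end-of-chain marker
        nxt = fat[c]
        fat[c] = FREE
        c = nxt
    return bytes([DELETED_MARK]) + entry[1:]

def expected_chain(entry: bytes, cluster_size: int) -> list:
    """Clusters UNDELETE assumes the file occupied: contiguous from its first
    cluster. Without delete tracking (MIRROR) the real chain is gone, so this
    is a guess that is only right for unfragmented files."""
    info = parse_entry(entry)
    n = max(1, math.ceil(info["size"] / cluster_size))
    return list(range(info["first_cluster"], info["first_cluster"] + n))

def recoverable(entry: bytes, fat: list, cluster_size: int) -> bool:
    """False once any cluster of the file has been handed to a newer file."""
    return all(fat[c] == FREE for c in expected_chain(entry, cluster_size))

def undelete(entry: bytes, first_letter: str, fat: list, cluster_size: int) -> bytes:
    """What UNDELETE does: the user supplies the lost first letter, the entry
    is revived and the cluster chain is re-linked, provided nothing reused it."""
    if not parse_entry(entry)["deleted"]:
        raise ValueError("entry is not deleted")
    if not recoverable(entry, fat, cluster_size):
        raise RuntimeError("a cluster was reused by a newer file; data is gone")
    chain = expected_chain(entry, cluster_size)
    for a, b in zip(chain, chain[1:]):
        fat[a] = b
    fat[chain[-1]] = EOC
    return first_letter.upper().encode("ascii")[:1] + entry[1:]

def demo() -> dict:
    """DEL, then UNDELETE, then DEL followed by a write that reuses a cluster."""
    cluster_size = 512
    fat = [0xFF8, EOC] + [FREE] * 14        # 16-cluster FAT; 0 and 1 are reserved
    fat[2], fat[3], fat[4] = 3, 4, EOC      # COMMAND.COM occupies clusters 2-4
    live = make_entry("COMMAND", "COM", 2, 3 * cluster_size - 10)
    gone = dos_del(live, fat)
    freed = fat[2:5]                        # chain released, data still on disk
    back = undelete(gone, "C", fat, cluster_size)
    relinked = fat[2:5]                     # chain rebuilt
    gone_again = dos_del(back, fat)
    fat[3] = EOC                            # a file copied afterwards takes cluster 3
    return {
        "after_del": parse_entry(gone)["name"],
        "freed": freed,
        "after_undelete": parse_entry(back)["name"],
        "relinked": relinked,
        "recoverable_after_reuse": recoverable(gone_again, fat, cluster_size),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last result is the one the bulletin's warning is about: nothing in the directory entry tells UNDELETE that cluster 3 now belongs to someone else except the FAT itself, so a single file copied onto the drive after the Trojan ran can make a whole set of deleted files unrecoverable.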
The Operations staff at America Online has released the following
bulletin to their users:
--BEGIN MESSAGE--
Dear Member:
As you know, we strive to keep you informed on various issues
regarding online safety.
We want to take this opportunity to remind you about potential
computer viruses and Trojan horses and how to protect your computer.
First, a virus is a program that is designed to spread and usually
attaches itself to a program with the goal of spreading to other
computers.
A Trojan horse is a program that is intended to corrupt your computer
but has to be activated before it can be executed. For example, a
Trojan horse can be distributed as an attached file to an email but the
file has to be downloaded and executed before harm is done.
If you receive email from unknown senders with an attached file, it is
a good rule of thumb not to download the files. In addition, if you ever
receive a file in email you believe could cause problems, please
forward it immediately to TOSEMAIL1, and explain your concerns to our
Terms of Service staff.
We have received recent inquiries regarding a Trojan horse that is
sent as an attached file in an email message entitled "AOLGOLD" and
"Install.exe". It is important to understand that no virus or Trojan horse
can be passed along by simply reading email. However, we strongly
urge you, if you receive email with an attached file with this name, not to
download it.
Due to the private nature of electronic mail, we cannot scan files in
email for viruses as we do with files in public areas of the service.
We have never had an occurrence of a virus or Trojan horse being
spread through simply reading email. In order for one to spread to your
computer, you would have to proactively select the attached file and
download it to your hard drive. It is therefore advisable never to
download attached files from an unknown sender.
AOL incorporates virus protection throughout the service and scans
all posted software, text, and sound files in public areas. We also offer
our members the Virus Information Center on AOL where you'll find
information about the latest virus or Trojan horse, along with updates to
all the popular commercial, shareware, and freeware anti-virus tools.
Keyword: VIRUS.
Thank you for taking an active role in maintaining a safe online
environment.
Sincerely, AOL Operations Staff
--END MESSAGE--
_______________________________________________________________________________
CIAC wishes to thank the staff of America Online, especially Mr. Don
Bigelow for their assistance in providing the information necessary to
prepare this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy.
CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the
Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.
CIAC services are available to DOE and DOE contractors, and CIAC
can be contacted at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE and DOE contractor
sites may contact CIAC 24-hours a day. During off hours (5PM - 8AM
PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has
two Sky Page PIN numbers, the primary PIN number, 8550070, is for the
CIAC duty person, and the secondary PIN number, 8550074 is for the
CIAC Project Leader.
Previous CIAC notices, anti-virus software, and other information
are available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: (510) 423-4753 (14.4K baud)
(510) 423-3331 (9600 baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting CIAC-BULLETIN,
CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid
information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.
This document was prepared as an account of work sponsored by
an agency of the United States Government. Neither the United States
Government nor the University of California nor any of their employees,
makes any warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
(F-21) Protecting SUN OS Systems Against SATAN
(F-22) SATAN Password Disclosure
(F-23) Protecting IBM AIX Systems Against SATAN
(F-24) Protecting SGI IRIX Systems Against SATAN
(F-25) Cisco IOS Router Software Vulnerability
(F-26) OSF/DCE Security Hole
(F-27) Incorrect Permissions on /tmp
(F-28A) Vulnerability in SunOS 4.1.* Sendmail (-oR option)
(G-1) Telnetd Vulnerability
(G-2) SunOS 4.1.X Loadmodule Vulnerability
RECENT CIAC NOTES ISSUED IN FY1995 (Previous Notes available
from CIAC)
Notes 07 - 3/29/95
A comprehensive review of SATAN
Notes 08 - 4/4/95
A Courtney update
Notes 09 - 4/24/95
More on the "Good Times" virus urban legend
Notes 10 - 6/16/95
Discusses the PKZ300B Trojan, Logdaemon/FreeBSD vulnerability in
S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95
Features include a Virus Update, Hats Off to Administrators, America
On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard Virus
Notes 12 - 9/12/95
Features include discussions on securely configuring Public
Telnet Services, X Windows and announces the beta release of Merlin,
describes the Microsoft Word Macro Viruses, and examines allegations
of Inappropriate Data Collection in Win95