__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN AOL4FREE.COM Trojan Horse Program Destroys Hard Drives April 17, 1997 23:00 GMT Number H-47a ______________________________________________________________________________ PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all files on a hard drive is circulating the Internet. PLATFORM: DOS/Windows-based PCs DAMAGE: When the AOL4FREE.COM program is executed, all files and directories on the users C: drive are deleted. SOLUTION: DO NOT execute this program. If the program starts executing, quickly pressing Ctrl-C will save some of your files. ______________________________________________________________________________ VULNERABILITY Users who download the trojaned AOL4FREE.COM program and ASSESSMENT: executes it will destroy all the files and directories on their DOS C: drive. ______________________________________________________________________________ CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives. ***NOTE: THIS IS DIFFERENT FROM THE AOL4FREE VIRUS WARNING HOAX MESSAGE. CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if run, deletes all the files on a user's hard drive. If you are e-mailed this file, or if you have downloaded it from an online service, do not attempt to run it. If the program was received as an attachment to an e-mail message, do not double click (open) it. Opening an attached program runs that program, which in this case deletes all the files on your hard drive. The original AOL4FREE was a Macintosh program for fraudulently creating free AOL (America Online) accounts. Note that any attempt to use the original AOL4FREE program may subject you to prosecution. NOTE: Most antivirus programs will not detect this or other Trojan Horse programs. Detection ========= AOL4FREE.COM is a Trojan horse program that is 993 bytes (2 sectors) long. The following text is readable in the AOL4FREE.COM file if you display it with the DOS TYPE command or the DOS EDIT program. Compiled by BAT2EXEC 1.5 PC Magazine . Douglas Boling Note that this text may appear in any program compiled with the BAT2EXEC program and has nothing to do with the Trojan Horse. If you open the AOL4FREE.COM file with a disk editor or with the Windows Notepad program, the following text is found at the end of the second sector of the file. PATH COMMANDC earc /C C: /C CD\ DELTREE /y *.* ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER Where F*** is a common vulgar explicative. Recovery ======== Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will save some of them. If the program runs to completion, all the files on your root drive will have been deleted. The files are deleted with the DOS DELTREE command, so the contents of the files are still on your hard disk, only the directory entries have been deleted. Any program that can recover deleted files will allow you to recover some or all of the files on your hard disk. While attempting to recover files, be sure to not write any new files onto the hard disk as the new files may overwrite the contents of a deleted file, making it impossible to recover. You will probably have to boot your system with a floppy and run any recovery programs from there. If you happen to have one of the delete tracking programs installed on your system (a program that keeps track of deleted files in case you want them back) the recovery operation will be relatively simple. Follow the directions in your delete tracking program to recover your files. If not, you will probably have to recover each file individually, supplying the first character of the file name, which is overwritten in the directory when the file is deleted. Most DOS/Windows disk tools programs also have the capability for recovering deleted files so follow the directions included with those programs to do so. Background ========== The original AOL4FREE Macintosh program was developed to fraudulently create free AOL accounts. The creator of that program has pleaded guilty to defrauding America Online for distributing that program. Anyone else attempting to use that program to defraud AOL could also be prosecuted. The AOL4FREE Virus Warning message has been circulating about the Internet and warns of an AOL4FREE virus infected e-mail message that infects and destroys a system when the message is read, but that warning is a hoax and not about this Trojan horse. 1. The AOL4FREE.COM program is a Trojan Horse, not a virus. It does not spread on its own. 2. A Trojan Horse must be run to do any damage. 3. Reading an e-mail message with the Trojan Horse program as an attachment will not run the Trojan Horse and will not do any damage. Note that opening an attached program from within an e-mail reader runs that attached program, which may make it appear that reading the attachment caused the damage. Users should keep in mind that any file with a .COM or .EXE extension is a program, not a document and that double clicking or opening that program will run it. Macintosh users have the additional problem that Macintosh programs do not have readable extensions, and so are more difficult to detect. Extra care should be taken to insure that you do not unintentionally execute an attached program. CIAC still affirms that reading an e-mail message, even one with an attached program, can not do damage to a system. The attachment must be both downloaded onto the system and run to do any damage. CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 510-422-8193 FAX: +1 510-423-8002 STU-III: +1 510-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://ciac.llnl.gov/ Anonymous FTP: ciac.llnl.gov (128.115.19.53) Modem access: +1 (510) 423-4753 (28.8K baud) +1 (510) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-notes You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) H-36: Solaris 2.x CDE sdtcm_convert Vulnerability H-37: Solaris 2.x passwd buffer Overrun Vulnerability H-38A: Internet Explorer 3.x Vulnerabilities H-39: SGI IRIX fsdump Vulnerability H-40: DIGITAL Security Vulnerabilities (DoP, delta-time) H-41: Solaris 2.x eject Buffer Overrun Vulnerability H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability H-45: Windows NT SAM permission Vulnerability H-46: Vulnerability in IMAP and POP