Fw: AOL4FREE Virus


    > From: Joe Odenweller
    > Subject: FW: AOL4FREE Virus
    > Date: Saturday, April 19, 1997 AM 08:07
    > Thought some here may find this interesting...
    > Lots of Forwarding Info Deleted...
    > ___________________________________________________________
    > The U.S. Department of Energy
    > Computer Incident Advisory Capability
    > ___________________________________________________________
    > AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
    > April 16, 1997 18:00 GMT Number H-47
    > ___________________________________________________________
    > PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes
    > files on a hard drive is circulating the Internet.
    > PLATFORM: DOS/Windows-based PCs
    > DAMAGE: When the AOL4FREE.COM program is executed, all files and
    > directories on the user's C: drive are deleted.
    > SOLUTION: DO NOT execute this program. If the program starts executing,
    > quickly pressing Ctrl-C will save some of your files.
    > ___________________________________________________________
    > VULNERABILITY ASSESSMENT: Users who download the trojaned AOL4FREE.COM
    > program and execute it will destroy all the files and directories on
    > their DOS C: drive.
    > ___________________________________________________________
    > CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard
    > drives.
    >
    > CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if
    > run, deletes all the files on a user's hard drive. If you are e-mailed
    > this file, or if you have downloaded it from an online service, do not
    > attempt to run it. If the program was received as an attachment to an
    > e-mail message, do not double click (open) it. Opening an attached
    > program runs that program, which in this case deletes all the files on
    > your hard drive. The original AOL4FREE.COM was a program for
    > fraudulently creating free AOL (America Online) accounts. Note that any
    > attempt to use the original AOL4FREE.COM program may subject you to
    > prosecution.
    >
    > NOTE: Most antivirus programs will not detect this or other Trojan Horse
    > programs.
    > Detection
    > =========
    >
    > AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long.
    > It masquerades as the AOL4FREE program that allows the fraudulent
    > creation of free AOL accounts. The following text is readable in the
    > AOL4FREE.COM file if you display it with the DOS TYPE command or the
    > DOS EDIT program.
    >
    >     Compiled by BAT2EXEC 1.5
    >     PC Magazine . Douglas Boling
    >
    > Note that this text may appear in any program compiled with the BAT2EXEC
    > program and has nothing to do with the Trojan Horse.
    >
    > If you open the AOL4FREE.COM file with a disk editor or with the Windows
    > Notepad program, the following text is found at the end of the second
    > sector of the file.
    >
    >     PATH
    >     COMMANDC earc
    >     /C C:
    >     /C CD\
    >     DELTREE /y *.*
    >
    > Where F*** is a common vulgar expletive.
    > Recovery
    > ========
    >
    > Pressing Ctrl-C before the Trojan Horse finishes deleting all your files
    > will save some of them. If the program runs to completion, all the files
    > on your root drive will have been deleted. The files are deleted with the
    > DOS DELTREE command, so the contents of the files are still on your hard
    > disk, only the directory entries have been deleted. Any program that can
    > recover deleted files will allow you to recover some or all of the files
    > on your hard disk.
    >
    > While attempting to recover files, be sure to not write any new files to
    > the hard disk as the new files may overwrite the contents of a deleted
    > file, making it impossible to recover. You will probably have to boot
    > your system with a floppy and run any recovery programs from there.
    >
    > If you happen to have one of the delete tracking programs installed on
    > your system (a program that keeps track of deleted files in case you want
    > them back) the recovery operation will be relatively simple. Follow the
    > directions in your delete tracking program to recover your files. If
    > not, you will probably have to recover each file individually, supplying
    > the first character of the file name, which is overwritten in the
    > directory when the file is deleted. Most DOS/Windows disk tools programs
    > also have the capability of recovering deleted files so follow the
    > directions included with those programs to do so.
    > Background
    > ==========
    >
    > The original AOL4FREE.COM program was developed to fraudulently create
    > AOL accounts. The creator of that program has pleaded guilty to
    > America Online for distributing that program. Anyone else attempting to
    > use that program to defraud AOL could also be prosecuted.
    >
    > An e-mail message was recently circulating about the Internet that warned
    > of an AOL4FREE virus, but that warning is either a hoax or a badly
    > misunderstood description of this Trojan Horse.
    >
    > 1. This program is a Trojan Horse, not a virus. It does not spread on its
    >    own.
    > 2. A Trojan Horse must be run to do any damage.
    > 3. Reading an e-mail message with the Trojan Horse program as an
    >    attachment will not run the Trojan Horse and will not do any damage.
    >    Note that opening an attached program from within an e-mail reader
    >    runs that attached program, which may make it appear that reading the
    >    message caused the damage. Users should keep in mind that any file
    >    with a .COM or .EXE extension is a program, not a document and that
    >    double clicking (opening) that program will run it.
    >
    > CIAC still affirms that reading an e-mail message, even one with an
    > attached program, can not do damage to a system. The attachment must be
    > both downloaded onto the system and run to do any damage.
    > CIAC, the Computer Incident Advisory Capability, is the computer
    > security incident response team for the U.S. Department of Energy
    > (DOE) and the emergency backup response team for the National
    > Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
    > National Laboratory in Livermore, California. CIAC is also a founding
    > member of FIRST, the Forum of Incident Response and Security Teams, a
    > global organization established to foster cooperation and coordination
    > among computer security teams worldwide.
    > CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
    > can be contacted at:
    > Voice: +1 510-422-8193
    > FAX: +1 510-423-8002
    > STU-III: +1 510-423-2604
    > E-mail:
    > For emergencies and off-hour assistance, DOE, DOE contractor sites,
    > and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
    > 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
    > or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
    > Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
    > duty person, and the secondary PIN number, 8550074 is for the CIAC
    > Project Leader.
    > Previous CIAC notices, anti-virus software, and other information are
    > available from the CIAC Computer Security Archive.
    > World Wide Web:
    > Anonymous FTP: (
    > Modem access: +1 (510) 423-4753 (28.8K baud)
    > +1 (510) 423-3331 (28.8K baud)
    > CIAC has several self-subscribing mailing lists for electronic
    > publications:
    > 1. CIAC-BULLETIN for Advisories, highest priority - time critical
    >    information and Bulletins, important computer security information;
    > 2. CIAC-NOTES for Notes, a collection of computer security articles;
    > 3. SPI-ANNOUNCE for official news about Security Profile Inspector
    >    (SPI) software updates, new features, distribution and
    >    availability;
    > 4. SPI-NOTES, for discussion of problems and solutions regarding the
    >    use of SPI products.
    >
    > Our mailing lists are managed by a public domain software package
    > called Majordomo, which ignores E-mail header subject lines. To
    > subscribe (add yourself) to one of our mailing lists, send the
    > following request as the E-mail message body, substituting
    > ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
    > E-mail to or
    >     subscribe list-name
    >     e.g., subscribe ciac-notes
    >
    > You will receive an acknowledgment email immediately with a confirmation
    > that you will need to mail back to the addresses above, as per the
    > instructions in the email. This is a partial protection to make sure
    > you are really the one who asked to be signed up for the list in the
    > first place. If you include the word 'help' in the body of an email to
    > the above address, it will also send back an information file on how to
    > get past issues of CIAC bulletins via email, etc.
    > PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
    > communities receive CIAC bulletins. If you are not part of these
    > communities, please contact your agency's response team to report
    > incidents. Your agency's team will coordinate with CIAC. The Forum of
    > Incident Response and Security Teams (FIRST) is a world-wide
    > organization. A list of FIRST member organizations and their
    > constituencies can be obtained via WWW at
    > This document was prepared as an account of work sponsored by an
    > agency of the United States Government. Neither the United States
    > Government nor the University of California nor any of their
    > employees, makes any warranty, express or implied, or assumes any
    > legal liability or responsibility for the accuracy, completeness, or
    > usefulness of any information, apparatus, product, or process
    > disclosed, or represents that its use would not infringe privately
    > owned rights. Reference herein to any specific commercial products,
    > process, or service by trade name, trademark, manufacturer, or
    > otherwise, does not necessarily constitute or imply its endorsement,
    > recommendation or favoring by the United States Government or the
    > University of California. The views and opinions of authors expressed
    > herein do not necessarily state or reflect those of the United States
    > Government or the University of California, and shall not be used for
    > advertising or product endorsement purposes.
    > LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
    > H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
    > H-37: Solaris 2.x passwd buffer Overrun Vulnerability
    > H-38A: Internet Explorer 3.x Vulnerabilities
    > H-39: SGI IRIX fsdump Vulnerability
    > H-40: DIGITAL Security Vulnerabilities (DoP, delta-time)
    > H-41: Solaris 2.x eject Buffer Overrun Vulnerability
    > H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
    > H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
    > H-45: Windows NT SAM permission Vulnerability
    > H-46: Vulnerability in IMAP and POP
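The advisory's Detection section gives three observable traits of the Trojan: a 993-byte file, the BAT2EXEC 1.5 compiler banner (which by itself is not evidence of anything), and the embedded `DELTREE /y *.*` command. The following scanner is an added example, not code from CIAC or from the forwarded post; it turns those traits into a check that alerts only on the destructive command and treats the banner alone as a benign BAT2EXEC program. The sample byte strings are constructed for illustration and are not the real binary.

```python
import re

# Indicators taken from the advisory's "Detection" section.
BAT2EXEC_BANNER = b"Compiled by BAT2EXEC 1.5"
TROJAN_SIZE = 993
# DELTREE with /y (no confirmation prompt) against *.*; DOS commands are
# case-insensitive, and any run of whitespace between tokens is accepted.
DELTREE_RE = re.compile(rb"DELTREE\s+/y\s+\*\.\*", re.IGNORECASE)
CDROOT_RE = re.compile(rb"/C\s+CD\\")  # "CD\" changes to the root first

def scan_com_file(data: bytes) -> dict:
    """Return which AOL4FREE indicators are present in a .COM image."""
    result = {
        "size_matches": len(data) == TROJAN_SIZE,
        "bat2exec_compiled": BAT2EXEC_BANNER in data,
        "deltree_root": bool(DELTREE_RE.search(data)),
        "cd_root": bool(CDROOT_RE.search(data)),
    }
    # The destructive command is what makes this a Trojan; the compiler banner
    # is shared by every BAT2EXEC program and must not raise an alert alone.
    if result["deltree_root"]:
        result["verdict"] = "trojan: destructive DELTREE on root"
    elif result["bat2exec_compiled"]:
        result["verdict"] = "benign BAT2EXEC program"
    else:
        result["verdict"] = "no AOL4FREE indicators"
    return result

def _build_sample(payload: bytes, size: int) -> bytes:
    """Constructed stand-in: banner, filler, then batch text at the end."""
    body = BAT2EXEC_BANNER + b"\r\nPC Magazine . Douglas Boling\r\n"
    pad = b"\x90" * max(0, size - len(body) - len(payload))
    return body + pad + payload

# Constructed samples (hypothetical, not real binaries).
TROJAN_SAMPLE = _build_sample(
    b"PATH\r\n/C C:\r\n/C CD\\\r\nDELTREE /y *.*\r\n", TROJAN_SIZE)
HARMLESS_SAMPLE = _build_sample(b"ECHO Hello from a batch file\r\n", 512)

if __name__ == "__main__":
    for name, sample in (("trojan", TROJAN_SAMPLE), ("harmless", HARMLESS_SAMPLE)):
        print(name, scan_com_file(sample))
```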