[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AOGOLD Trojan Program



     FYI.  Thanks.
     
     ... Kev
     

Kevin P. Knox, SSgt, USAF

Systems Administrator, IP Network Manager
Novell Certified NetWare Engineer

Royal Air Force Croughton, United Kingdom
Near Brackley, Northamptonshire

My PGP public key can be obtained via anonymous FTP from
nsc.croughton.af.mil (131.56.128.5)


     
     
     From:             [email protected]
     Subject:          ASSIST 95-46, AOLGOLD Trojan Program.
     To:               [email protected]
     Date sent:        Mon, 4 Dec 1995 16:06:54 -0500 (EST)
     Copies to:        [email protected]
     
     
     -----BEGIN PGP SIGNED MESSAGE-----
     
     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
         
               Automated Systems Security Incident Support Team
                                                     _____
                  ___   ___  _____   ___  _____     |     /
           /\    /   \ /   \   |    /   \   |       |    / Integritas
          /  \   \___  \___    |    \___    |       |   <      et
         /____\      \     \   |        \   |       |    \ Celeritas
        /      \ \___/ \___/ __|__  \___/   |       |_____\
     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
         
                            Bulletin  95-46
      
            Release date: 4 December, 1995, 4:00 PM EST (GMT -5)
     
     SUBJECT: AOLGOLD Trojan Program.
     
     SUMMARY:  A trojan program called AOLGOLD.ZIP that deletes c: 
     drive files when executed is being distributed around America Online 
     and other networks.
     
     BACKGROUND: The AOLGOLD Trojan program was recently discovered on 
     America Online (AOL).  Notice about the Trojan has been circulated 
     to all America Online subscribers.  An e-mail message that contained
     an attached archive file named AOLGOLD.ZIP was circulated on AOL.
     A README file that is in the archive describes the fictitious AOLGOLD 
     as a new and improved interface for the AOL online service.  Reading
     or downloading the included file will not damage your system, the
     trojaned program must be executed for damage to occur.
     
     If you unzip the archive, you get two files: INSTALL.EXE and 
     README.TXT.  The README.TXT file again describes AOLGOLD as a new 
     and improved interface to the AOL online service.  The INSTALL.EXE 
     program is a self-extracting ZIP archive.  When you run the install 
     program, it extracts 18 files onto your hard drive:
     MACROS.DRV
     VIDEO.DRV
     INSTALL.BAT
     ADRIVE.RPT
     SUSPEND.DRV
     ANNOY.COM
     MACRO.COM
     SP-NET.COM
     SP-WIN.COM
     MEMBRINF.COM
     DEVICE.COM
     TEXTMAP.COM
     HOST.COM
     REP.COM
     EMS2EXT.SYS
     EMS.COM
     EMS.SYS
     README.TXT
     
     The file list includes another README.TXT file.  If you examine the 
     new README.TXT file, it starts out with "Ever wanted the Powers of 
     a Guide" and continues with some crude language.  The README.TXT 
     file indicates that the included program is a guide program that 
     can be used to kick other people off of AOL.  If you stop at this 
     point and do nothing but examine the unzipped files with the TYPE 
     command, your machine will not be damaged.  The following three 
     files contain the Trojan program: 
     MACROS.DRV
     VIDEO.DRV
     INSTALL.BAT
     
     The rest of the files included in the archive appear to have been 
     chosen at random and included to simply fill up the archive and 
     make it look official.  The Trojan program is started by running 
     the INSTALL.BAT file.  The INSTALL.BAT file is a simple batch 
     file that renames the VIDEO.DRV file to VIRUS.BAT and then runs 
     it.  VIDEO.DRV is an amateurish DOS batch file that starts 
     deleting the contents of several critical directories on your C: 
     drive, including:
     c:\
     c:\dos
     c:\windows
     c:\windows\system
     c:\qemm
     c:\stacker
     c:\norton
     
     It also deletes the contents of several other directories, including 
     those for several online services and games, such as:
     c:\aol20
     c:\prodigy
     c:\aol25
     c:\mmp169
     c:\cserve
     c:\doom
     c:\wolf3d
     
     When the batch file completes, it prints a crude message on the 
     screen and attempts to run a program named DoomDay.EXE.  Bugs in the 
     batch file prevent the DOOMDAY.EXE program from running.  Other bugs 
     in the file cause it to delete itself if it is run from any drive but 
     the C: drive.
     
     IMPACT: When the INSTALL.EXE program is executed, files on the
     users c: drive are deleted.
     
     RECOMMENDED SOLUTIONS: NOTE: Do not copy any files onto your hard 
     disk before trying to recover your hard drive.  The files are deleted 
     with the DOS del command, and can be recovered with the DOS undelete 
     command.  The files are still on your disk, only the directory 
     entries have been removed.  If you copy any new files onto your hard 
     disk, they will likely be written over the deleted files, making it
     impossible to recover the deleted files.
     
     If you have delete protection installed on your system, recovery will 
     be relatively easy.  If not, the DOS undelete command can be used, 
     but you will have to supply the first letter of each file name as it 
     is recovered.  In many cases, you will probably want to restore the 
     directories by reinstalling them from the original installation disks, 
     but do that last.  You must recover any unreplaceable files first 
     using undelete and then replace any others by copying or reinstalling 
     them from the distribution disks.
     
     To recover the system:
     (1) Boot the system with a clean, locked floppy containing the 
     recovery program for the recovery files you have installed, or the 
     DOS UNDELETE.EXE program if you do not have recovery files installed.
     
     (2) Type the VIRUS.BAT file to get a list of the directories the 
     Trojan tried to delete.  Ignore any directories that don't exist on 
     your
     machine.
     
     (3) Run the recovery program and recover your files. You may have to 
     help it find the recovery files, such as MIRROR, which will be in the 
     root directory.  You may have to recover the MIRROR file first and 
     then use it to recover the other files.
     
     If you are using only the DOS undelete command, type:
     
        undelete directory
     
     where directory is the name of the directory to examine. To undelete 
     the files in the dos directory, use:
     
        undelete c:\dos
     
     The undelete program will present you with a list of deleted files 
     with the first letter replaced with a question mark.  Without delete 
     protection, you will have to supply this letter in order to undelete 
     the file.
     
     (4) After you have restored as many files as you want or can using 
     the UNDELETE command, replace any others by reinstalling them using 
     the original installation disks.
     
     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     
     ASSIST would like to thank the Department of Energy CIAC for 
     information contained in this bulletin.
     
     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     
     ASSIST is an element of the Defense Information Systems Agency 
     (DISA), and provides service to the entire DoD community. 
     Constituents of the DoD with questions about ASSIST or computer 
     security issues, can contact ASSIST using one of the methods listed 
     below.  Non-DoD organizations/institutions, contact the Forum of 
     Incident Response and Security Teams (FIRST) representative.  To 
     obtain a list of FIRST member organizations and their constituencies 
     send an email to [email protected] with an empty "subject" line 
     and a message body containing the line "send first-contacts".
     
     ASSIST Information Resources: To be included in the distribution
     list for the ASSIST bulletins, send your Milnet (Internet) e-mail
     address to [email protected].  Back issues of ASSIST 
     bulletins, and other security related information, are available
     from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous 
     FTP from assist.mil (IP address 199.211.123.11).  Note: assist.mil 
     will only accept anonymous FTP connections from Milnet addresses 
     that are registered with the NIC or DNS.  If your system is not 
     registered, you must provide your MILNET IP address to ASSIST before 
     access can be provided.
      
     ASSIST Contact Information:
     PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700.
     ELECTRONIC MAIL: [email protected].
     ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for
     the "sysop".  
     FAX: COMM 703-607-4735, DSN 607-4735
     
     ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital 
     signature mechanism for bulletins.   PGP 2.6.2 incorporates the 
     RSAREF(tm) Cryptographic Toolkit under license from RSA Data 
     Security, Inc.  A copy of that license is available via anonymous 
     FTP from net-dist.mit.edu (IP 18.72.0.3) in the file 
     /pub/PGP/rsalicen.txt, and through the world wide web from
     http://net-dist.mit.edu/pgp.html.  In accordance with the terms 
     of that license,  PGP 2.6.2 may be used for non-commercial 
     purposes only.  Instructions for downloading the PGP 2.6.2 
     software can also be obtained from net-dist.mit.edu in the 
     pub/PGP/README file.  PGP 2.6.2 and RSAREF may be subject to the 
     export control laws of the United States of America as 
     implemented by the United States Department of State Office of 
     Defense Trade Controls.  The PGP signature information will be 
     attached to the end of ASSIST bulletins.
       
     Reference herein to any specific commercial product, process, or
     service by trade name, trademark manufacturer, or otherwise, does
     not constitute or imply its endorsement, recommendation, or
     favoring by ASSIST.  The views and opinions of authors expressed
     herein shall not be used for advertising or product endorsement
     purposes. 
     
     - -----BEGIN PGP PUBLIC KEY BLOCK-----
     Version: 2.6
     
     mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
     W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
     FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
     tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQMJVF1JtBJ/Qs
     yeedAQFnqgQAp1rw7ONT41Mr3gHGs2aVpEwgOH6SeJ9sHZxUp4dJu+ogRMFrqdC+
     +NBfzitzj9m1udFVDHpwsGawbv6wg43DDAKaTgIETCHYXa/OM5/9FCS3xJwC99Gb
     V1iOm8S/Q9FcJruKID9DG2WUJp2yPj+CjTuBQeLjGkqGjuSOR1TNXQiJAJUDBRAw
     lUPuYKf6jFkmJQkBAWg5A/9ykgo2ULWUsSzZjRkO9yPZUPAlpfH7ReaHwkapK69F
     fBzqwwQ8Gig1mL+qgmOHS8Zv+OAT491sWWsECN+dfpopFdsgS4Sec19ZjcMyhL1c
     BVIS9Cmbjetb6Kvfc39AMr0MRCrUlOkUd4qScjHysHFYRAwCl3STRjprNnUPKQbn
     f4kAlQMFEDB482bk8movIjSrbQEB/VgD/iap/CAb1jq8wMA3QleU8d6/QUqoPzgp
     jRhP0wP7K2GLVUV0d5sP4EptmzejqViZvlzt6ufnI1bML0Yt2U5loAeblnh714RX
     JcOmyAah6niiJSKuhCsYUzW6f3EBzXBn5tcu3GP35h+1VQunCQCMICCfnZ0r8Wcv
     EdwE9LxPYdueiQCVAwUQMHOjMwJPhGsUbeKNAQGOagQAgT5p6CwrIPpi+12yJ170
     ekc3MPp8z0aNbvdCQWXTK6qtq1LmS65VeH0RE5xRponsgbWp+5JBvD22v0eGuSg7
     7bnHT1HPXazPERAp8sw1zTERs7drMQE+JhHYylh3orKzHNf5EjFx10vwEXdfvGSc
     sP3Vpcx2xu0lUYHp5oHtPFiJAJUDBRAwar4DFKHh5Qavqe0BAeQqA/4xd0tdq9yF
     eUYrd1+ZriayzfSjCcIUlCDH1i7vXw1kiHkg2YpOoZLD9k+zNkbOyBs/r570fGHu
     A23SvUcUfaBUijT1jf9YGU5MQMdpx3p5qqI4kJ0GWUNySZNtaFy0qWNH8Z8NsNp3
     FWllVeisye0qe96aoizW0dAyUymlM6YYn4kAlQMFEDBqqvga2zTcAviMgQEBN8wE
     AIu7O/Of4c1OvMc5tti4+gcyCVw41+fLjxQFB5EtkoW8Js6XhCsv3GcmzgCZw3g8
     Sux7wxGe+lspZNV9rvv+JkDBWkA9O5HyOdmdv5JZM1UH41NettZM9Yw7kUtO7lAT
     aOb4ybHlqrBwJ8/+Lig7r7PwTL847JyGa3g229pGG/uEiQCVAwUQMGpTK+glSuMP
     TJd1AQE8KQP8Cu+FYuagNoBRllMIQryT9+0ngLRxJJTcTgIbLX4OPwa27JuXCukG
     kUIXRWFCqkRqkM/7ImZXeuUL4PmAX07f9ygGH7BUyqefhIWkxWFDaGHJVlg3l/pS
     Wh7NnC+nU6DUJNSzfwYStCABNptOcMiYaT1fY0+DkWpIgJVRTptquOWJAJUCBRAw
     aHX+IlGW2WZtAFEBATkXA/40QTxVP/x3aJDgC11cvFhwT7M+qJvhGSTRJOtrFz8i
     soZzihMeaQ8zLiu73dDlFz2E4f0+ettxsDcgFJADNmZ5H7WkPlf9gBUBne4KP2Y6
     yIjOCMwd6T7HGm/ErF88DIJ2wn8irhzVRnBBWhnmQfSzr5a7mkjlA6GzAlFucGp3
     eokAlQMFEDBpzIC58yc3bMt0GQEBgd4EAI0mE/5wXSWuBNApkALLjPAchBdeC4Kl
     YF4hQkfY/4YddeIasgTmINKOc5gJWgTHxPI2xKxjTAQhIZlOxuDyXWnBuK+x2hr4
     iCh5unEIH+qaqdipGwWjFq0IZEmOOJaBRxlVt2hrmY6nRMpekitFLw8dhWHgI968
     WVhJpWfBg+MhiQCVAwUQMGnMcmJl+kgHVnRVAQF+nQP/XK4xmIx1SmjoN9D+vNRY
     PSiKz8KEzh1Y2/5QTYA7iES8QXC4i/8HOWK7lyoL6FmWGxKYpU8isQ+DJpk0A4N0
     U04JexpyFa0EeM/wsfp0YvAWesSVhV5UkDQU6hSC0U8rS1j/qtnSLZ4wXpapPSBh
     82daDlxAQCVMzDoQYQZkMi+JAJUDBRAwacftBCZ9eY4KSdEBAbKGA/0VHArALL6v
     d0a0x7sn4o60Bk2fFzuaCBNTNzb11OOtuu47KMOZLwrl2jv+32ysIVEOXx+puhXP
     nQAgRrH0LGKV5FOY3B98AHuV+woOmfVjM2T3xB4Bs52Dz+HIIIhaWzzy3955tlp/
     6UyvZnD0QFLS/bre/Pog1Lgl0pxonmILhYkAlQIFEDBpJpXAx/wW8A8EIQEBPVoD
     /jwgG+7ZrWrb8/dqe6IZhSk8rq0JIHhSA2Hz1T7PhRvyDiquBJ3ulTeaX3BvuWqF
     bMuLJ4CTqXw9dexDehEnhGlxYycSXVzy8a34pLnmldii8oNvI1bLWMgd4HdM/PPZ
     GOgHmSIGrXMChkbddt9AoszDI0Whlbe9+wn6AeZVrJVaiQCVAgUQMGkkL2yh0IcG
     ee2RAQHrTgQAvBRce0S9yBvI/ufC/1jhE3LuUoA3YDdA8+UQ+UekaslZzOEgPs4K
     Za/nM9Y2vaRYscyzyIg8FGTzCdJQ2be9HZjSkB2xQuakeq88tlV32/cLcQSC8Zrw
     xsnPWujbIcWYg7B0hv8cCovef/w4kC9GyhjhIzPIsQ/Cr7/TYzheK12JAJUDBRAw
     Z/38o2xF3nu86kkBARanA/0XO4HBo6pT2xNCdQ7AW9UrvmTCiYUb0XVY7qCnkaPp
     Sn1KjsK2nGueDMGUBzvx9zWZ0xHAS+BSNkoM61gb9455KcbDwRqw6+47O/WuX1w9
     fh7egjTY0kqN6YsP/vtirOuP+Krh19w/s6cDxbEBNbJIiZofRDFRRsZcZ8E2mLCP
     UIkAlQMFEDBn/EY7f8e8znZrHwEBxQwD/jP+CiwO3Nk45M5Ei++TZzdp7ak82hum
     XxVXplV2G4w8DN86pfl3IV/XvU67FQXg4NKJr+wm3JknDtlKZTE5g+aKkOYK6Fqt
     w3FjTd6PTDz11YRruCsdvBeYwMcHPe5XzIhgkwkMXX2Mp99q9LGKfV3087do2LNr
     V/2S/atn6IuqiQCVAwUQMGW6OliXq3zaXLJBAQFLwgP/bQ1C/Ph54RlRqw9rovJo
     SXp5wvQAfVqqnkL5nIIIK2uGputcmhMP8RqYKuRv4xaezkCDTeIE/P0327Ajc4//
     ca4SZCojxfqtrhw3EkfZtvFLJh1tsvAkqZkgHmjJxwA+lY78lQ1ncBZ99dePpuHu
     MBQew3769SkEA8kk/s5XiYqJAJUDBRAvXHHu0fqxudbcij0BAQFjA/0W8glucqO0
     wtSPyCF3qGimFLHxZmd9Cw6Zlf8Ftfy8rPVrkGQGfioA29b64oZ1SUTwsswSbU8P
     n0KKFxvc6hYM5TzMg4gSu+vLh6pr4vMRdXyecF16z4BrUwIwZLP4rc5o/vyVDskI
     ahj1NdNYh6V8B0FUEbhVBxJBGfy2NF0bZ7QoQVNTSVNUIFRlYW0gPGFzc2lzdEBh
     c3Npc3QuaW1zLmRpc2EubWlsPokAlQIFEC45Ys3KbyuD/AwC1QEBKPED/2dwnN+/
     OE2iHhvGwv3jZtsm6cH+GVkpNpc0w0vQOKvVwUnLwuETSv+eryz9Fl7nL0U2tv/5
     V81dXqqc5C7EvOQW1Dt9RBSjEOundYrOzsfELIMrwh1iJXsIxG7g7iil0HeKzxsQ
     E/nBFwJbgP6SQaYF4wy7TPuXw+IVVddp0p1riQCVAgUQLi5x6IdGPdIwvm+pAQFN
     EwP+Ml0i+yurXH1ZvQApz+HKwqLrRTNsNdHu2CsQ/OdGo4Vq4eqyPTvrI1OVjm6o
     jye7GR3RMPygEcz0oox/+YfB5cmGugpZLFsWLspswrFGGCXLXY3Bq7mpH14GENU5
     JMlHzazeRvdDbkSv700Xu25JshjWIzfTY2nNUNfFlRefQoY=
     =8gi/
     - -----END PGP PUBLIC KEY BLOCK-----
     
     -----BEGIN PGP SIGNATURE-----
     Version: 2.6
     
     iQCVAwUBMMNldNH6sbnW3Io9AQEojQQAoRB5w3+MigtmYkosgh94ttXFwt77VJmC
     n8b5SVZgD4pmXss12ZLLvSsXC8/+4Kp4IyHKyvie/nu7mmEZN4RcDy2N3IGa6Rmk
     ydVqJ9BvCSxNUNwwdxOMPj/Cu5Pmv1ssoIDdXVXMn11n3Ti97HiElj3VJP7DlH8w
     ZNoFm4DydgM=
     =MKi5
     -----END PGP SIGNATURE-----