[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
AOGOLD Trojan Program
FYI. Thanks.
... Kev
Kevin P. Knox, SSgt, USAF
Systems Administrator, IP Network Manager
Novell Certified NetWare Engineer
Royal Air Force Croughton, United Kingdom
Near Brackley, Northamptonshire
My PGP public key can be obtained via anonymous FTP from
nsc.croughton.af.mil (131.56.128.5)
From: [email protected]
Subject: ASSIST 95-46, AOLGOLD Trojan Program.
To: [email protected]
Date sent: Mon, 4 Dec 1995 16:06:54 -0500 (EST)
Copies to: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Automated Systems Security Incident Support Team
_____
___ ___ _____ ___ _____ | /
/\ / \ / \ | / \ | | / Integritas
/ \ \___ \___ | \___ | | < et
/____\ \ \ | \ | | \ Celeritas
/ \ \___/ \___/ __|__ \___/ | |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Bulletin 95-46
Release date: 4 December, 1995, 4:00 PM EST (GMT -5)
SUBJECT: AOLGOLD Trojan Program.
SUMMARY: A trojan program called AOLGOLD.ZIP that deletes c:
drive files when executed is being distributed around America Online
and other networks.
BACKGROUND: The AOLGOLD Trojan program was recently discovered on
America Online (AOL). Notice about the Trojan has been circulated
to all America Online subscribers. An e-mail message that contained
an attached archive file named AOLGOLD.ZIP was circulated on AOL.
A README file that is in the archive describes the fictitious AOLGOLD
as a new and improved interface for the AOL online service. Reading
or downloading the included file will not damage your system, the
trojaned program must be executed for damage to occur.
If you unzip the archive, you get two files: INSTALL.EXE and
README.TXT. The README.TXT file again describes AOLGOLD as a new
and improved interface to the AOL online service. The INSTALL.EXE
program is a self-extracting ZIP archive. When you run the install
program, it extracts 18 files onto your hard drive:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT
The file list includes another README.TXT file. If you examine the
new README.TXT file, it starts out with "Ever wanted the Powers of
a Guide" and continues with some crude language. The README.TXT
file indicates that the included program is a guide program that
can be used to kick other people off of AOL. If you stop at this
point and do nothing but examine the unzipped files with the TYPE
command, your machine will not be damaged. The following three
files contain the Trojan program:
MACROS.DRV
VIDEO.DRV
INSTALL.BAT
The rest of the files included in the archive appear to have been
chosen at random and included to simply fill up the archive and
make it look official. The Trojan program is started by running
the INSTALL.BAT file. The INSTALL.BAT file is a simple batch
file that renames the VIDEO.DRV file to VIRUS.BAT and then runs
it. VIDEO.DRV is an amateurish DOS batch file that starts
deleting the contents of several critical directories on your C:
drive, including:
c:\
c:\dos
c:\windows
c:\windows\system
c:\qemm
c:\stacker
c:\norton
It also deletes the contents of several other directories, including
those for several online services and games, such as:
c:\aol20
c:\prodigy
c:\aol25
c:\mmp169
c:\cserve
c:\doom
c:\wolf3d
When the batch file completes, it prints a crude message on the
screen and attempts to run a program named DoomDay.EXE. Bugs in the
batch file prevent the DOOMDAY.EXE program from running. Other bugs
in the file cause it to delete itself if it is run from any drive but
the C: drive.
IMPACT: When the INSTALL.EXE program is executed, files on the
users c: drive are deleted.
RECOMMENDED SOLUTIONS: NOTE: Do not copy any files onto your hard
disk before trying to recover your hard drive. The files are deleted
with the DOS del command, and can be recovered with the DOS undelete
command. The files are still on your disk, only the directory
entries have been removed. If you copy any new files onto your hard
disk, they will likely be written over the deleted files, making it
impossible to recover the deleted files.
If you have delete protection installed on your system, recovery will
be relatively easy. If not, the DOS undelete command can be used,
but you will have to supply the first letter of each file name as it
is recovered. In many cases, you will probably want to restore the
directories by reinstalling them from the original installation disks,
but do that last. You must recover any unreplaceable files first
using undelete and then replace any others by copying or reinstalling
them from the distribution disks.
To recover the system:
(1) Boot the system with a clean, locked floppy containing the
recovery program for the recovery files you have installed, or the
DOS UNDELETE.EXE program if you do not have recovery files installed.
(2) Type the VIRUS.BAT file to get a list of the directories the
Trojan tried to delete. Ignore any directories that don't exist on
your
machine.
(3) Run the recovery program and recover your files. You may have to
help it find the recovery files, such as MIRROR, which will be in the
root directory. You may have to recover the MIRROR file first and
then use it to recover the other files.
If you are using only the DOS undelete command, type:
undelete directory
where directory is the name of the directory to examine. To undelete
the files in the dos directory, use:
undelete c:\dos
The undelete program will present you with a list of deleted files
with the first letter replaced with a question mark. Without delete
protection, you will have to supply this letter in order to undelete
the file.
(4) After you have restored as many files as you want or can using
the UNDELETE command, replace any others by reinstalling them using
the original installation disks.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST would like to thank the Department of Energy CIAC for
information contained in this bulletin.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST is an element of the Defense Information Systems Agency
(DISA), and provides service to the entire DoD community.
Constituents of the DoD with questions about ASSIST or computer
security issues, can contact ASSIST using one of the methods listed
below. Non-DoD organizations/institutions, contact the Forum of
Incident Response and Security Teams (FIRST) representative. To
obtain a list of FIRST member organizations and their constituencies
send an email to [email protected] with an empty "subject" line
and a message body containing the line "send first-contacts".
ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to [email protected]. Back issues of ASSIST
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous
FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil
will only accept anonymous FTP connections from Milnet addresses
that are registered with the NIC or DNS. If your system is not
registered, you must provide your MILNET IP address to ASSIST before
access can be provided.
ASSIST Contact Information:
PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700.
ELECTRONIC MAIL: [email protected].
ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for
the "sysop".
FAX: COMM 703-607-4735, DSN 607-4735
ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital
signature mechanism for bulletins. PGP 2.6.2 incorporates the
RSAREF(tm) Cryptographic Toolkit under license from RSA Data
Security, Inc. A copy of that license is available via anonymous
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file
/pub/PGP/rsalicen.txt, and through the world wide web from
http://net-dist.mit.edu/pgp.html. In accordance with the terms
of that license, PGP 2.6.2 may be used for non-commercial
purposes only. Instructions for downloading the PGP 2.6.2
software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the
export control laws of the United States of America as
implemented by the United States Department of State Office of
Defense Trade Controls. The PGP signature information will be
attached to the end of ASSIST bulletins.
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST. The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes.
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQMJVF1JtBJ/Qs
yeedAQFnqgQAp1rw7ONT41Mr3gHGs2aVpEwgOH6SeJ9sHZxUp4dJu+ogRMFrqdC+
+NBfzitzj9m1udFVDHpwsGawbv6wg43DDAKaTgIETCHYXa/OM5/9FCS3xJwC99Gb
V1iOm8S/Q9FcJruKID9DG2WUJp2yPj+CjTuBQeLjGkqGjuSOR1TNXQiJAJUDBRAw
lUPuYKf6jFkmJQkBAWg5A/9ykgo2ULWUsSzZjRkO9yPZUPAlpfH7ReaHwkapK69F
fBzqwwQ8Gig1mL+qgmOHS8Zv+OAT491sWWsECN+dfpopFdsgS4Sec19ZjcMyhL1c
BVIS9Cmbjetb6Kvfc39AMr0MRCrUlOkUd4qScjHysHFYRAwCl3STRjprNnUPKQbn
f4kAlQMFEDB482bk8movIjSrbQEB/VgD/iap/CAb1jq8wMA3QleU8d6/QUqoPzgp
jRhP0wP7K2GLVUV0d5sP4EptmzejqViZvlzt6ufnI1bML0Yt2U5loAeblnh714RX
JcOmyAah6niiJSKuhCsYUzW6f3EBzXBn5tcu3GP35h+1VQunCQCMICCfnZ0r8Wcv
EdwE9LxPYdueiQCVAwUQMHOjMwJPhGsUbeKNAQGOagQAgT5p6CwrIPpi+12yJ170
ekc3MPp8z0aNbvdCQWXTK6qtq1LmS65VeH0RE5xRponsgbWp+5JBvD22v0eGuSg7
7bnHT1HPXazPERAp8sw1zTERs7drMQE+JhHYylh3orKzHNf5EjFx10vwEXdfvGSc
sP3Vpcx2xu0lUYHp5oHtPFiJAJUDBRAwar4DFKHh5Qavqe0BAeQqA/4xd0tdq9yF
eUYrd1+ZriayzfSjCcIUlCDH1i7vXw1kiHkg2YpOoZLD9k+zNkbOyBs/r570fGHu
A23SvUcUfaBUijT1jf9YGU5MQMdpx3p5qqI4kJ0GWUNySZNtaFy0qWNH8Z8NsNp3
FWllVeisye0qe96aoizW0dAyUymlM6YYn4kAlQMFEDBqqvga2zTcAviMgQEBN8wE
AIu7O/Of4c1OvMc5tti4+gcyCVw41+fLjxQFB5EtkoW8Js6XhCsv3GcmzgCZw3g8
Sux7wxGe+lspZNV9rvv+JkDBWkA9O5HyOdmdv5JZM1UH41NettZM9Yw7kUtO7lAT
aOb4ybHlqrBwJ8/+Lig7r7PwTL847JyGa3g229pGG/uEiQCVAwUQMGpTK+glSuMP
TJd1AQE8KQP8Cu+FYuagNoBRllMIQryT9+0ngLRxJJTcTgIbLX4OPwa27JuXCukG
kUIXRWFCqkRqkM/7ImZXeuUL4PmAX07f9ygGH7BUyqefhIWkxWFDaGHJVlg3l/pS
Wh7NnC+nU6DUJNSzfwYStCABNptOcMiYaT1fY0+DkWpIgJVRTptquOWJAJUCBRAw
aHX+IlGW2WZtAFEBATkXA/40QTxVP/x3aJDgC11cvFhwT7M+qJvhGSTRJOtrFz8i
soZzihMeaQ8zLiu73dDlFz2E4f0+ettxsDcgFJADNmZ5H7WkPlf9gBUBne4KP2Y6
yIjOCMwd6T7HGm/ErF88DIJ2wn8irhzVRnBBWhnmQfSzr5a7mkjlA6GzAlFucGp3
eokAlQMFEDBpzIC58yc3bMt0GQEBgd4EAI0mE/5wXSWuBNApkALLjPAchBdeC4Kl
YF4hQkfY/4YddeIasgTmINKOc5gJWgTHxPI2xKxjTAQhIZlOxuDyXWnBuK+x2hr4
iCh5unEIH+qaqdipGwWjFq0IZEmOOJaBRxlVt2hrmY6nRMpekitFLw8dhWHgI968
WVhJpWfBg+MhiQCVAwUQMGnMcmJl+kgHVnRVAQF+nQP/XK4xmIx1SmjoN9D+vNRY
PSiKz8KEzh1Y2/5QTYA7iES8QXC4i/8HOWK7lyoL6FmWGxKYpU8isQ+DJpk0A4N0
U04JexpyFa0EeM/wsfp0YvAWesSVhV5UkDQU6hSC0U8rS1j/qtnSLZ4wXpapPSBh
82daDlxAQCVMzDoQYQZkMi+JAJUDBRAwacftBCZ9eY4KSdEBAbKGA/0VHArALL6v
d0a0x7sn4o60Bk2fFzuaCBNTNzb11OOtuu47KMOZLwrl2jv+32ysIVEOXx+puhXP
nQAgRrH0LGKV5FOY3B98AHuV+woOmfVjM2T3xB4Bs52Dz+HIIIhaWzzy3955tlp/
6UyvZnD0QFLS/bre/Pog1Lgl0pxonmILhYkAlQIFEDBpJpXAx/wW8A8EIQEBPVoD
/jwgG+7ZrWrb8/dqe6IZhSk8rq0JIHhSA2Hz1T7PhRvyDiquBJ3ulTeaX3BvuWqF
bMuLJ4CTqXw9dexDehEnhGlxYycSXVzy8a34pLnmldii8oNvI1bLWMgd4HdM/PPZ
GOgHmSIGrXMChkbddt9AoszDI0Whlbe9+wn6AeZVrJVaiQCVAgUQMGkkL2yh0IcG
ee2RAQHrTgQAvBRce0S9yBvI/ufC/1jhE3LuUoA3YDdA8+UQ+UekaslZzOEgPs4K
Za/nM9Y2vaRYscyzyIg8FGTzCdJQ2be9HZjSkB2xQuakeq88tlV32/cLcQSC8Zrw
xsnPWujbIcWYg7B0hv8cCovef/w4kC9GyhjhIzPIsQ/Cr7/TYzheK12JAJUDBRAw
Z/38o2xF3nu86kkBARanA/0XO4HBo6pT2xNCdQ7AW9UrvmTCiYUb0XVY7qCnkaPp
Sn1KjsK2nGueDMGUBzvx9zWZ0xHAS+BSNkoM61gb9455KcbDwRqw6+47O/WuX1w9
fh7egjTY0kqN6YsP/vtirOuP+Krh19w/s6cDxbEBNbJIiZofRDFRRsZcZ8E2mLCP
UIkAlQMFEDBn/EY7f8e8znZrHwEBxQwD/jP+CiwO3Nk45M5Ei++TZzdp7ak82hum
XxVXplV2G4w8DN86pfl3IV/XvU67FQXg4NKJr+wm3JknDtlKZTE5g+aKkOYK6Fqt
w3FjTd6PTDz11YRruCsdvBeYwMcHPe5XzIhgkwkMXX2Mp99q9LGKfV3087do2LNr
V/2S/atn6IuqiQCVAwUQMGW6OliXq3zaXLJBAQFLwgP/bQ1C/Ph54RlRqw9rovJo
SXp5wvQAfVqqnkL5nIIIK2uGputcmhMP8RqYKuRv4xaezkCDTeIE/P0327Ajc4//
ca4SZCojxfqtrhw3EkfZtvFLJh1tsvAkqZkgHmjJxwA+lY78lQ1ncBZ99dePpuHu
MBQew3769SkEA8kk/s5XiYqJAJUDBRAvXHHu0fqxudbcij0BAQFjA/0W8glucqO0
wtSPyCF3qGimFLHxZmd9Cw6Zlf8Ftfy8rPVrkGQGfioA29b64oZ1SUTwsswSbU8P
n0KKFxvc6hYM5TzMg4gSu+vLh6pr4vMRdXyecF16z4BrUwIwZLP4rc5o/vyVDskI
ahj1NdNYh6V8B0FUEbhVBxJBGfy2NF0bZ7QoQVNTSVNUIFRlYW0gPGFzc2lzdEBh
c3Npc3QuaW1zLmRpc2EubWlsPokAlQIFEC45Ys3KbyuD/AwC1QEBKPED/2dwnN+/
OE2iHhvGwv3jZtsm6cH+GVkpNpc0w0vQOKvVwUnLwuETSv+eryz9Fl7nL0U2tv/5
V81dXqqc5C7EvOQW1Dt9RBSjEOundYrOzsfELIMrwh1iJXsIxG7g7iil0HeKzxsQ
E/nBFwJbgP6SQaYF4wy7TPuXw+IVVddp0p1riQCVAgUQLi5x6IdGPdIwvm+pAQFN
EwP+Ml0i+yurXH1ZvQApz+HKwqLrRTNsNdHu2CsQ/OdGo4Vq4eqyPTvrI1OVjm6o
jye7GR3RMPygEcz0oox/+YfB5cmGugpZLFsWLspswrFGGCXLXY3Bq7mpH14GENU5
JMlHzazeRvdDbkSv700Xu25JshjWIzfTY2nNUNfFlRefQoY=
=8gi/
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAwUBMMNldNH6sbnW3Io9AQEojQQAoRB5w3+MigtmYkosgh94ttXFwt77VJmC
n8b5SVZgD4pmXss12ZLLvSsXC8/+4Kp4IyHKyvie/nu7mmEZN4RcDy2N3IGa6Rmk
ydVqJ9BvCSxNUNwwdxOMPj/Cu5Pmv1ssoIDdXVXMn11n3Ti97HiElj3VJP7DlH8w
ZNoFm4DydgM=
=MKi5
-----END PGP SIGNATURE-----