[16631] in APO-L
Virus: H-47a: AOL4FREE.COM Trojan Horse Program Destroys Hard
daemon@ATHENA.MIT.EDU (Derek J. Cashman)
Sun Apr 20 21:14:49 1997
Date: Sun, 20 Apr 1997 21:09:51 -0400
Reply-To: "Derek J. Cashman" <dcashman@CONCENTRIC.NET>
From: "Derek J. Cashman" <dcashman@CONCENTRIC.NET>
To: Multiple recipients of list APO-L <APO-L@VM.CC.PURDUE.EDU>
Sorry if this is a little off topic, but this is a REAL virus threat and is NOT a hoax. There is an article on MSNBC's web page (http://www.msnbc.com/news/69568.asp), as well as a bulletin released on April 17, 1997, by the US Department of Energy's Computer Incident Advisory Capability (http://ciac.llnl.gov/ciac/bulletins/h-47a.shtml).
America Online users might want to pay particular attention to this.
Derek J. Cashman (dcashman@concentric.net)
Alumni; Alpha Beta Omega Chapter (odu)
Alpha Phi Omega
----------------------------------------------------------------------------------------
PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all files on a hard drive is circulating the Internet.
PLATFORM: DOS/Windows-based PCs
DAMAGE: When the AOL4FREE.COM program is executed, all files and directories on the user's C: drive are deleted.
SOLUTION: DO NOT execute this program. If the program starts executing, quickly pressing Ctrl-C will save some of your files.
----------------------------------------------------------------------------------------
VULNERABILITY ASSESSMENT: Users who download the Trojan AOL4FREE.COM program and execute it will destroy all the files and directories on their DOS C: drive.
----------------------------------------------------------------------------------------
CIAC has obtained a Trojan copy of AOL4FREE.COM that destroys hard drives.
NOTE: This is different from the AOL4FREE Virus Warning hoax message.
CIAC has obtained a Trojan copy of the AOL4FREE.COM program that, if run, deletes all the files on a user's hard drive. If you are e-mailed this file, or if you have downloaded it from an online service, do not attempt to run it. If the program was received as an attachment to an e-mail message, do not double click (open) it. Opening an attached program runs that program, which in this case deletes all the files on your hard drive. The original AOL4FREE was a Macintosh program for fraudulently creating free AOL (America Online) accounts. Note that any attempt to use the original AOL4FREE program may subject you to prosecution.
NOTE: Most antiviral programs will not detect this or other Trojan Horse programs.
Detection
=======
AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long. The following text is readable in the AOL4FREE.COM file if you display it with the DOS TYPE command or the DOS EDIT program.
Compiled by BAT2EXEC 1.5
PC Magazine . Douglas Boling
Note that this text may appear in any program compiled with the BAT2EXEC program and has nothing to do with the Trojan Horse.
If you open the AOL4FREE.COM file with a disk editor or with the Windows Notepad program, the following text is found at the end of the second sector of the file.
PATH
COMMANDC earc
/C C:
/C CD\
DELTREE /y *.*
ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER
Where F*** is a common vulgar expletive.
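The detection section above boils down to three file-content indicators (the 993-byte size, the BAT2EXEC banner, and the embedded DELTREE /y *.* command line). The following is an added example, not part of the CIAC bulletin, of a small scanner that applies them to a .COM file; the sample byte strings are constructed for the example and are not the real Trojan.

```python
# Indicators taken from the CIAC bulletin's Detection section.
INDICATORS = {
    "bat2exec_banner": b"Compiled by BAT2EXEC",
    "deltree_root": b"DELTREE /y *.*",
    "abuse_message": b"AOL-LAMER",
}
TROJAN_SIZE = 993

def scan_com_file(data: bytes) -> dict:
    """Return a verdict dict for one file's bytes.

    The BAT2EXEC banner alone is a weak signal (any BAT2EXEC-compiled program
    carries it, as the bulletin notes), so the strong verdict requires the
    DELTREE command line; size and banner are reported as supporting evidence.
    """
    found = {name: (pattern in data) for name, pattern in INDICATORS.items()}
    return {
        "size": len(data),
        "size_matches_bulletin": len(data) == TROJAN_SIZE,
        "indicators": found,
        # Strong verdict: the destructive command line is present.
        "verdict": "aol4free_trojan" if found["deltree_root"] else
                   ("bat2exec_program" if found["bat2exec_banner"] else "clean"),
    }

def scan_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_com_file(fh.read())

# Constructed samples (not real binaries): the first mimics the readable strings
# the bulletin describes; the second is a benign BAT2EXEC-compiled batch file.
SAMPLE_TROJAN = (b"\x00" * 40 + b"Compiled by BAT2EXEC 1.5\r\nPC Magazine . Douglas Boling\r\n"
                 + b"\x00" * 700 + b"PATH\x00COMMAND\x00/C C:\x00/C CD\\\x00DELTREE /y *.*\x00"
                 + b"ECHO YOUR COMPUTER ... AOL-LAMER")
SAMPLE_TROJAN += b"\x00" * (TROJAN_SIZE - len(SAMPLE_TROJAN))  # pad to 993 bytes
SAMPLE_BENIGN = b"\x00" * 20 + b"Compiled by BAT2EXEC 1.5\r\n" + b"ECHO hello\x00" + b"\x00" * 100

if __name__ == "__main__":
    for label, blob in (("trojan", SAMPLE_TROJAN), ("benign", SAMPLE_BENIGN)):
        print(label, scan_com_file(blob)["verdict"])
```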
Recovery
=======
Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will save some of them. If the program runs to completion, all the files on your root drive will have been deleted. The files are deleted with the DOS DELTREE command, so the contents of the files are still on your hard disk; only the directory entries have been deleted. Any program that can recover deleted files will allow you to recover some or all of the files on your hard disk.
While attempting to recover files, be sure not to write any new files onto the hard disk, as the new files may overwrite the contents of a deleted file, making it impossible to recover. You will probably have to boot your system with a floppy and run any recovery programs from there. If you happen to have one of the delete tracking programs installed on your system (a program that keeps track of deleted files in case you want them back), the recovery operation will be relatively simple. Follow the directions in your delete tracking program to recover your files. If not, you will probably have to recover each file individually, supplying the first character of the file name, which is overwritten in the directory when the file is deleted. Most DOS/Windows disk tools programs also have the capability for recovering deleted files, so follow the directions included with those programs to do so.
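The recovery section relies on how DOS deletes a file on a FAT volume: the 32-byte directory entry stays in place, but its first name byte is overwritten with the marker 0xE5, which is why a recovery tool asks you for the first character. The following added example (not from the bulletin or from CIAC) parses a constructed root-directory region and lists the entries that DELTREE left recoverable.

```python
import struct

DELETED_MARKER = 0xE5  # DOS overwrites the first name byte with this on delete

def parse_dir_entry(entry: bytes) -> dict:
    """Decode one 32-byte FAT directory entry (8.3 name, attributes, cluster, size)."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    raw_name, raw_ext, attr = entry[0:8], entry[8:11], entry[11]
    first_cluster = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    deleted = raw_name[0] == DELETED_MARKER
    name = raw_name.decode("ascii", "replace").rstrip()
    if deleted:
        name = "?" + name[1:]  # first character is gone; the user must supply it
    ext = raw_ext.decode("ascii", "replace").rstrip()
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "directory": bool(attr & 0x10), "first_cluster": first_cluster, "size": size}

def make_entry(name8: str, ext3: str, size: int, cluster: int, deleted: bool = False) -> bytes:
    """Build a constructed 32-byte entry for this example (not read from a real disk)."""
    raw = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARKER]) + raw[1:]
    # attribute 0x20 (archive), 14 reserved/timestamp bytes, first cluster, size
    return raw + bytes([0x20]) + bytes(14) + struct.pack("<H", cluster) + struct.pack("<I", size)

def list_recoverable(directory: bytes) -> list:
    """Walk a directory region and return the deleted file entries still present."""
    # The file contents stay on disk until something new is written over them,
    # which is why the bulletin says to boot from a floppy and write nothing.
    found = []
    for off in range(0, len(directory), 32):
        entry = directory[off:off + 32]
        if len(entry) < 32 or entry[0] == 0x00:  # 0x00 marks the end of used entries
            break
        info = parse_dir_entry(entry)
        if info["deleted"] and not info["directory"]:
            found.append(info)
    return found

# Constructed sample root directory: one live file and two DELTREE'd files.
SAMPLE_ROOT = (make_entry("README", "TXT", 1200, 5)
               + make_entry("BUDGET", "XLS", 48000, 9, deleted=True)
               + make_entry("LETTER", "DOC", 8192, 40, deleted=True)
               + bytes(32))
```

Because DELTREE also releases the file's cluster chain in the FAT, only the first cluster survives in the entry; contiguous files recover cleanly, fragmented ones may not.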
Background
=========
The original AOL4FREE Macintosh program was developed to fraudulently create free AOL accounts. The creator of that program has pleaded guilty to defrauding America Online for distributing that program. Anyone else attempting to use that program to defraud AOL could also be prosecuted.
The AOL4FREE Virus Warning message has been circulating about the Internet and warns of an AOL4FREE virus-infected e-mail message that infects and destroys a system when the message is read, but that warning is a hoax and not about this Trojan horse.
1. The AOL4FREE.COM program is a Trojan Horse, not a virus. It does not spread on its own.
2. A Trojan Horse must be run to do any damage.
3. Reading an e-mail message with the Trojan Horse program as an attachment will not run the Trojan Horse and will not do any damage. Note that opening an attached program from within an e-mail reader runs that attached program, which may make it appear that reading the attachment caused the damage. Users should keep in mind that any file with a .COM or .EXE extension is a program, not a document, and that double clicking or opening that program will run it. Macintosh users have the additional problem that Macintosh programs do not have readable extensions, and so are more difficult to detect. Extra care should be taken to ensure that you do not unintentionally execute an attached program.
CIAC still affirms that reading an e-mail message, even one with an attached program, cannot do damage to a system. The attachment must be both downloaded onto the system and run to do any damage.
----------------------------------------------------------------------------------------
For additional information or assistance, please contact CIAC:
Voice: +1 510-422-8193 (8:00 - 18:00 PST, 16:00 - 2:00 GMT)
Emergency (DOE, DOE Contractors, and NIH ONLY):
1-800-759-7243, 8550070 (primary),
8550074 (secondary)
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ftp://ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
----------------------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
------------------------------------------------------------------------
UCRL-MI-119788