From: Hugh Messenger <;hugh>;
Date: Mon, 20 Nov 1995 00:21:40 -0600 (CST)
Subject: ADMINISTRIVIA - AOL virus stuff
- -----BEGIN PGP SIGNED MESSAGE-----
Just to forestall any long winded discussion on the subject....
On the subject of the AOL virus, this one may not be a hoax. As of
yet, we here at Muppet Labs are taking this one seriously, in that
it *could* happen. Attached is an alert that came through more or
less secure channels (but could itself be a hoax).
Normally, as Tim pointed out, an email message can't hurt you. But if
you download and execute a MIME encoded file ... that's the same as
running a program off of a floppy as far as viruses go.
There has been an "email virus" hoax going around for ages, the "Good
Times" hoax. This appears to be different.
So .. if you have an AOL account, I advize you to read this.
- - -----BEGIN OF PGP DECRYPTED TEXT-----
>; Content-Type: text/plain; charset=us-ascii
>; The U.S. Department of Energy
>; Computer Incident Advisory Capability
>; ___ __ __ _ ___
>; / | /_\ /
>; \___ __|__ / \ \___
>; INFORMATION BULLETIN
>; AOLGOLD Trojan Program
>; November 16, 1995 1300 PST Number G-03
>; PROBLEM: A trojan program is being distributed around America
>; Online and other networks called AOLGOLD.ZIP.
>; PLATFORM: DOS-based PCs
>; DAMAGE: When the INSTALL.EXE program is executed, most files on the
>; users C: drive are deleted.
>; SOLUTION: See the description below
>; ASSESSMENT: Users who download the AOLGOLD.ZIP or INSTALL.EXE trojaned
>; programs, unpack, and execute them may destroy files on their
>; DOS C: drive.
>; Information on the AOLGOLD Trojan Program
>; AOLGOLD Trojan
>; The AOLGOLD Trojan program was recently discovered on America Online (AOL).
>; Notice about the Trojan has been circulated to all America Online
>; subscribers. Notice about the Trojan and a copy of the Trojan program were
>; supplied to CIAC by Doug Bigelow, who is on the staff of America Online.
>; Apparently, an e-mail message is being circulated that contains an attached
>; archive file named AOLGOLD.ZIP. A README file that is in the archive
>; describes it as a new and improved interface for the AOL online service.
>; Note that there is no such program as AOLGOLD. Also, simply reading an
>; e-mail message or even downloading an included file will not do damage to
>; your machine. You must execute (or run) the downloaded file to release
>; the Trojan and have it cause damage.
>; If you unzip the archive, you get two files: INSTALL.EXE and README.TXT.
>; The README.TXT file again describes AOLGOLD as a new and improved interface
>; to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP
>; archive. When you run the install program, it extracts 18 files onto your
>; hard drive:
>; The file list includes another README.TXT file. If you examine the new
>; README.TXT file, it starts out with "Ever wanted the Powers of a Guide" and
>; continues with some crude language. The README.TXT file indicates that the
>; included program is a guide program that can be used to kick other people
>; off of AOL.
>; If you stop at this point and do nothing but examine the unzipped files
>; with the TYPE command, your machine will not be damaged. The following
>; three files contain the Trojan program:
>; The rest of the files included in the archive appear to have been grabbed
>; at random to simply fill up the archive and make it look official.
>; The Trojan program is started by running the INSTALL.BAT file. The
>; INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to
>; VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that
>; starts deleting the contents of several critical directories on your C:
>; drive, including:
>; It also deletes the contents of several other directories, including those
>; for several online services and games, such as:
>; When the batch file completes, it prints a crude message on the screen and
>; attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent
>; the DOOMDAY.EXE program from running. Other bugs in the file cause it to
>; delete itself if it is run from any drive but the C: drive. The programming
>; style and bugs in the batch file indicates that the Trojan writer appears
>; to have little programming experience.
>; **WARNING** Do not copy any files onto your hard disk before trying to
>; recover your hard drive.
>; The files are deleted with the DOS del command, and can be recovered with
>; the DOS undelete command. The files are still on your disk, only the
>; directory entries have been removed. If you copy any new files onto your
>; hard disk, they will likely be written over the deleted files, making it
>; impossible to recover the deleted files.
>; If you have delete protection installed on your system, recovery will be
>; relatively easy. If not, the DOS undelete command can be used, but you will
>; have to supply the first letter of each file name as it is recovered. In
>; many cases, you will probably want to restore the directories by
>; reinstalling them from the original installation disks, but do that last.
>; You must recover any unreplaceable files first using undelete and then
>; replace any others by copying or reinstalling them from the distribution
>; To recover the system:
>; 1. Boot the system with a clean, locked floppy containing the recovery
>; program for the recovery files you have installed, or the DOS UNDELETE.EXE
>; program if you do not have recovery files installed.
>; 2. Type the VIRUS.BAT file to get a list of the directories the Trojan
>; tried to delete. Ignore any directories that don't exist on your machine.
>; 3. Run the recovery program and recover your files. You may have to help it
>; find the recovery files, such as MIRROR, which will be in the root
>; directory. You may have to recover the MIRROR file first and then use it to
>; recover the other files.
>; If you are using only the DOS undelete command, type:
>; undelete directory
>; where directory is the name of the directory to examine. To undelete the
>; files in the dos directory, use:
>; undelete c:\dos
>; The undelete program will present you with a list of deleted files with the
>; first letter replaced with a question mark. Without delete protection, you
>; will have to supply this letter in order to undelete the file.
>; 4. After you have restored as many files as you want or can using the
>; UNDELETE command, replace any others by reinstalling them using the
>; original installation disks.
>; The Operations staff at America Online has released the following
>; bulletin to their users:
>; --BEGIN MESSAGE--
>; Dear Member:
>; As you know, we strive to keep you informed on various issues regarding
>; online safety.
>; We want to take this opportunity to remind you about potential computer
>; viruses and Trojan horses and how to protect your computer. First, a virus
>; is a program that is designed to spread and usually attaches itself to a
>; program with the goal of spreading to other computers. A Trojan horse is a
>; program that is intended to corrupt your computer but has to be activated
>; before it can be executed. For example, a Trojan horse can be distributed as
>; an attached file to an email but the file has to be downloaded and executed
>; before harm is done.
>; If you receive email from unknown senders with an attached file, it is a good
>; rule of thumb not to download the files. In addition, if you ever receive a
>; file in email you believe could cause problems, please forward it immediately
>; to TOSEMAIL1, and explain your concerns to our Terms of Service staff.
>; We have received recent inquiries regarding a Trojan horse that is sent as an
>; attached file in an email message entitled "AOLGOLD" and "Install.exe". It is
>; important to understand that no virus or Trojan horse can be passed along by
>; simply reading email. However, we strongly urge that if you receive email
>; with an attached file with this name not to download it.
>; Due to the private nature of electronic mail, we cannot scan files in email
>; for viruses as we do with files in public areas of the service.
>; We have never had an occurrence of a virus or Trojan horse being spread
>; through simply reading email. In order for one to spread to your computer,
>; you would have to proactively select the attached file and download it to
>; your hard drive. It is therefore advisable never to download attached files
>; from an unknown sender.
>; AOL incorporates virus protection throughout the service and scans all posted
>; software, text, and sound files in public areas. We also offer our members
>; the Virus Information Center on AOL where you'll find information about the
>; latest virus or Trojan horse, along with updates to all the popular
>; commercial, shareware, and freeware anti-virus tools. Keyword: VIRUS.
>; Thank you for taking an active role in maintaining a safe online environment.
>; AOL Operations Staff
>; --END MESSAGE--
>; CIAC wishes to thank the staff of America Online, especially Mr. Don Bigelow
>; their assistance in providing the information necessary to prepare this
>; CIAC, the Computer Incident Advisory Capability, is the computer security
>; incident response team for the U.S. Department of Energy. CIAC is located at
>; the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
>; also a founding member of FIRST, the Forum of Incident Response and Security
>; Teams, a global organization established to foster cooperation and
>; coordination among computer security teams worldwide.
>; CIAC services are available to DOE and DOE contractors, and CIAC can be
>; contacted at:
>; Voice: 510-422-8193
>; FAX: 510-423-8002
>; STU-III: 510-423-2604
>; E-mail: ci~lnl.gov
>; For emergencies and off-hour assistance, DOE and DOE contractor sites may
>; contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC
>; voice number 510-422-8193 and leave a message, or call 800-759-7243
>; (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
>; primary PIN number, 8550070, is for the CIAC duty person, and the secondary
>; PIN number, 8550074 is for the CIAC Project Leader.
>; Previous CIAC notices, anti-virus software, and other information are
>; available from the CIAC Computer Security Archive.
>; World Wide Web: http://ciac.llnl.gov/
>; Anonymous FTP: ciac.llnl.gov (184.108.40.206)
>; Modem access: (510) 423-4753 (14.4K baud)
>; (510) 423-3331 (9600 baud)
>; CIAC has several self-subscribing mailing lists for electronic publications:
>; 1. CIAC-BULLETIN for Advisories, highest priority - time critical information
>; and Bulletins, important computer security information;
>; 2. CIAC-NOTES for Notes, a collection of computer security articles;
>; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
>; software updates, new features, distribution and availability;
>; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of
>; SPI products.
>; Our mailing lists are managed by a public domain software package called
>; ListProcessor, which ignores E-mail header subject lines. To subscribe (add
>; yourself) to one of our mailing lists, send the following request as the
>; E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
>; SPI-NOTES for list-name and valid information for LastName FirstName and
>; PhoneNumber when sending
>; E-mail to ciac-listpr~lnl.gov:
>; subscribe list-name LastName, FirstName PhoneNumber
>; e.g., subscribe ciac-notes OUHara, Scarlett W. 404-555-1212 x36
>; You will receive an acknowledgment containing address, initial PIN, and
>; information on how to change either of them, cancel your subscription, or
>; get help.
>; PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
>; receive CIAC bulletins. If you are not part of these communities, please
>; contact your agency's response team to report incidents. Your agency's team
>; will coordinate with CIAC. The Forum of Incident Response and Security Teams
>; (FIRST) is a world-wide organization. A list of FIRST member organizations and
>; their constituencies can be obtained by sending email to docserv~irst.org
>; with an empty subject line and a message body containing the line: send
>; This document was prepared as an account of work sponsored by an agency of the
>; United States Government. Neither the United States Government nor the
>; University of California nor any of their employees, makes any warranty,
>; express or implied, or assumes any legal liability or responsibility for the
>; accuracy, completeness, or usefulness of any information, apparatus, product,
>; or process disclosed, or represents that its use would not infringe privately
>; owned rights. Reference herein to any specific commercial products, process,
>; or service by trade name, trademark, manufacturer, or otherwise, does not
>; necessarily constitute or imply its endorsement, recommendation or favoring by
>; the United States Government or the University of California. The views and
>; opinions of authors expressed herein do not necessarily state or reflect those
>; of the United States Government or the University of California, and shall not
>; be used for advertising or product endorsement purposes.
>; LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>; (F-21) Protecting SUN OS Systems Against SATAN
>; (F-22) SATAN Password Disclosure
>; (F-23) Protecting IBM AIX Systems Against SATAN
>; (F-24) Protecting SGI IRIX Systems Against SATAN
>; (F-25) Cisco IOS Router Software Vulnerability
>; (F-26) OSF/DCE Security Hole
>; (F-27) Incorrect Permissions on /tmp
>; (F-28A) Vulnerability in SunOS 4.1.* Sendmail (-oR option)
>; (G-1) Telnetd Vulnerability
>; (G-2) SunOS 4.1.X Loadmodule Vulnerability
>; RECENT CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
>; Notes 07 - 3/29/95
>; A comprehensive review of SATAN
>; Notes 08 - 4/4/95
>; A Courtney update
>; Notes 09 - 4/24/95
>; More on the "Good Times" virus urban legend
>; Notes 10 - 6/16/95
>; Discusses the PKZ300B Trojan, Logdaemon/FreeBSD vulnerability
>; in S/Key, EBOLA Virus Hoax, and Caibua Virus
>; Notes 11 - 7/31/95
>; Features include a Virus Update, Hats Off to Administrators,
>; America On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard Virus
>; Notes 12 - 9/12/95
>; Features include discussions on securely configuring Public
>; Telnet Services, X Windows and announces the beta release of Merlin,
>; describes the Microsoft Word Macro Viruses, and examines allegations
>; of Inappropriate Data Collection in Win95
- - -----END OF PGP DECRYPTED TEXT-----
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
[Previous Message[Next Message]
[Start of Thread][End of Thread]