AOL Virus

Ron Berry ronberry@iquest.net
Wed, 22 Nov 1995 18:34 -0500 (EST)



At 06:18 11/22/95 -0700, you wrote:
>Thanx for the post! I would love any info about a virus. I already have the
>one about "good times" if that's the one you're talking about but I would
>appreciate you forwarding any others.
>                                           Thanks in advance!,
>                                                 Greg Newell (GregDn@AOL.com)
>
>


Here is the info in the attached file.
Ron

[Attachment: AOLVIRUS.TXT]

========
Newsgroups: comp.internet.net-happenings
Subject: MISC> AOLGOLD VIRUS/TROJAN ALERT
From: Gleason Sackman <sackman@plains.nodak.edu>
Date: 20 Nov 1995 09:20:54 -0600

*** From Net-Happenings Moderator ***

Date: Sun, 19 Nov 1995 08:31:00 MST
From: Arthur Galus <c6460101@idptv.idbsu.edu>
To: Multiple recipients of list NOVAE <NOVAE@IDBSU.IDBSU.EDU>
Subject: AOLGOLD VIRUS/TROJAN ALERT

From: Kathryn Amanda Cossi <kcossi@tenet.edu>
From: Robert Mathews-ICICX <mathews@gold.chem.hawaii.edu>
From: "Paul S. Mauvais" <mauvais@ocelot.llnl.gov>
Subject: G-03: AOLGOLD Trojan Alert Bulletin

----------------------------------------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of
Energy. CIAC is located at the Lawrence Livermore National
Laboratory in Livermore, California.  CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.
---------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States
Government or the University of California, and shall not be used
for advertising or product endorsement purposes.

                           __________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
                           __________________________

                             INFORMATION BULLETIN

                            AOLGOLD Trojan Program

November 16, 1995 1300 PST                                          Number G-03
_________________________


PROBLEM:        A trojan program called AOLGOLD.ZIP is being distributed on
                America Online and other networks.
PLATFORM:       DOS-based PCs
DAMAGE:         When the INSTALL.EXE program is executed, most files on the
                user's C: drive are deleted.
SOLUTION:       See the description below
_________________________

VULNERABILITY
ASSESSMENT:     Users who download the AOLGOLD.ZIP or INSTALL.EXE trojaned
                programs, unpack, and execute them may destroy files on
                their DOS C: drive.
_________________________

                Information on the AOLGOLD Trojan Program

AOLGOLD Trojan
==============

The AOLGOLD Trojan program was recently discovered on America
Online (AOL).  Notice about the Trojan has been circulated to all
America Online subscribers.  Notice about the Trojan and a copy
of the Trojan program were supplied to CIAC by Doug Bigelow, who
is on the staff of America Online.

Apparently, an e-mail message is being circulated that contains
an attached archive file named AOLGOLD.ZIP.  A README file that
is in the archive describes it as a new and improved interface
for the AOL online service.  Note that there is no such program
as AOLGOLD.  Also, simply reading an e-mail message or even
downloading an included file will not do damage to your machine.
You must execute (or run) the downloaded file to release the
Trojan and have it cause damage.

If you unzip the archive, you get two files: INSTALL.EXE and
README.TXT.  The README.TXT file again describes AOLGOLD as a new
and improved interface to the AOL online service.  The
INSTALL.EXE program is a self-extracting ZIP archive.  When you
run the install program, it extracts 18 files onto your hard
drive:

MACROS.DRV
VIDEO.DRV
INSTALL.BAT
ADRIVE.RPT
SUSPEND.DRV
ANNOY.COM
MACRO.COM
SP-NET.COM
SP-WIN.COM
MEMBRINF.COM
DEVICE.COM
TEXTMAP.COM
HOST.COM
REP.COM
EMS2EXT.SYS
EMS.COM
EMS.SYS
README.TXT

The file list includes another README.TXT file. If you examine
the new README.TXT file, it starts out with "Ever wanted the
Powers of a Guide" and continues with some crude language.  The
README.TXT file indicates that the included program is a guide
program that can be used to kick other people off of AOL.

If you stop at this point and do nothing but examine the unzipped
files with the TYPE command, your machine will not be damaged.
The following three files contain the Trojan program:

MACROS.DRV
VIDEO.DRV
INSTALL.BAT

The rest of the files included in the archive appear to have been
grabbed at random to simply fill up the archive and make it look
official.

The Trojan program is started by running the INSTALL.BAT file.
The INSTALL.BAT file is a simple batch file that renames the
VIDEO.DRV file to VIRUS.BAT and then runs it.  VIDEO.DRV is an
amateurish DOS batch file that starts deleting the contents of
several critical directories on your C: drive, including:

c:\
c:\dos
c:\windows
c:\windows\system
c:\qemm
c:\stacker
c:\norton

It also deletes the contents of several other directories,
including those for several online services and games, such as:

c:\aol20
c:\prodigy
c:\aol25
c:\mmp169
c:\cserve
c:\doom
c:\wolf3d

When the batch file completes, it prints a crude message on the
screen and attempts to run a program named DOOMDAY.EXE.  Bugs in
the batch file prevent the DOOMDAY.EXE program from running.
Other bugs in the file cause it to delete itself if it is run
from any drive but the C: drive.  The programming style and bugs
in the batch file indicate that the Trojan writer appears to
have little programming experience.
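The batch-file behaviour described above (rename VIDEO.DRV to VIRUS.BAT, run it, DEL against the root and system directories) is simple enough to triage statically before anything is executed.  The Python script below is an added example written for this page, not code from CIAC or America Online.  The directory watch-list is taken from the bulletin's own list; the two sample batch texts are constructed stand-ins in the shape the bulletin describes, not the real INSTALL.BAT or VIDEO.DRV.

```python
"""Static triage of DOS batch files for the two patterns the bulletin describes:
(1) a file renamed to *.BAT and then executed (INSTALL.BAT -> VIRUS.BAT), and
(2) DEL/ERASE/DELTREE aimed at the root or system directories.
Added example; the CIAC bulletin contains no code.  Samples are constructed."""

# Watch-list built from the directories the bulletin says were emptied.
CRITICAL_DIRS = {"c:", "c:\\dos", "c:\\windows", "c:\\windows\\system"}
DELETE_CMDS = {"del", "erase", "deltree"}


def _dir_of(target):
    """Directory part of a DOS target, lowercased, without trailing backslash.
    'C:\\DOS\\*.*' -> 'c:\\dos'; 'c:\\*.*' -> 'c:'; 'c:\\windows' -> 'c:\\windows'."""
    t = target.lower().strip('"')
    last = t.rsplit("\\", 1)[-1]
    if "*" in last or "?" in last or "." in last:  # a file or wildcard, not a dir
        t = t[: -len(last)]
    return t.rstrip("\\") or t


def _args(parts):
    """Command arguments with DOS switches such as /Y or /P removed."""
    return [p for p in parts[1:] if not p.startswith("/")]


def scan_batch(text):
    """Return [(line_no, finding), ...] for suspicious lines in a batch file."""
    findings = []
    renamed_to_bat = set()  # lowercased names created by REN ... X.BAT
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts:
            continue
        cmd = parts[0].lower().lstrip("@")
        if cmd in ("rem", "::", "echo"):
            continue
        args = _args(parts)
        # Pattern 1a: something renamed into a batch file.
        if cmd in ("ren", "rename") and len(args) == 2 and args[1].lower().endswith(".bat"):
            renamed_to_bat.add(args[1].lower())
            findings.append((no, "renames %s to batch file %s" % (args[0], args[1])))
            continue
        # Pattern 1b: 'VIRUS.BAT' on its own line or 'CALL VIRUS.BAT' runs it.
        run = args[0].lower() if cmd == "call" and args else cmd
        if run in renamed_to_bat:
            findings.append((no, "executes %s, created by an earlier rename" % run))
            continue
        # Pattern 2: a delete command aimed at a critical directory.
        if cmd in DELETE_CMDS and args:
            d = _dir_of(args[0])
            if d in CRITICAL_DIRS:
                findings.append((no, "%s targets critical directory %s" % (cmd, d)))
    return findings


# Constructed samples in the shape the bulletin describes; not the real files.
SAMPLE_INSTALL = "@echo off\nren VIDEO.DRV VIRUS.BAT\nVIRUS.BAT\n"
SAMPLE_PAYLOAD = (
    "@echo off\n"
    "del c:\\*.*\n"
    "del C:\\DOS\\*.*\n"
    "deltree /y c:\\windows\n"
    "del c:\\temp\\*.tmp\n"
    "echo Have a nice day\n"
)

if __name__ == "__main__":
    for label, sample in (("INSTALL", SAMPLE_INSTALL), ("PAYLOAD", SAMPLE_PAYLOAD)):
        for line_no, finding in scan_batch(sample):
            print("%s line %d: %s" % (label, line_no, finding))
```

The scanner only reads the text, so it is safe to run against the files extracted by INSTALL.EXE, which is what the bulletin's advice to examine them with TYPE amounts to; the `c:\temp\*.tmp` line is there to show that an ordinary cleanup command outside the watch-list produces no finding.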

RECOVERY:
---------

**WARNING** Do not copy any files onto your hard disk before
trying to recover your hard drive.

The files are deleted with the DOS del command, and can be
recovered with the DOS undelete command.  The files are still on
your disk, only the directory entries have been removed.  If you
copy any new files onto your hard disk, they will likely be
written over the deleted files, making it impossible to recover
the deleted files.

If you have delete protection installed on your system, recovery
will be relatively easy.  If not, the DOS undelete command can be
used, but you will have to supply the first letter of each file
name as it is recovered.  In many cases, you will probably want
to restore the directories by reinstalling them from the original
installation disks, but do that last.  You must recover any
unreplaceable files first using undelete and then replace any
others by copying or reinstalling them from the distribution
disks.

To recover the system:

1. Boot the system with a clean, locked floppy containing the
   recovery program for the recovery files you have installed, or
   the DOS UNDELETE.EXE program if you do not have recovery files
   installed.

2. Type the VIRUS.BAT file to get a list of the directories the
   Trojan tried to delete.  Ignore any directories that don't
   exist on your machine.

3. Run the recovery program and recover your files.  You may have
   to help it find the recovery files, such as MIRROR, which will
   be in the root directory.  You may have to recover the MIRROR
   file first and then use it to recover the other files.

If you are using only the DOS undelete command, type:

   undelete directory

where directory is the name of the directory to examine. To
undelete the files in the dos directory, use:

   undelete c:\dos

The undelete program will present you with a list of deleted
files with the first letter replaced with a question mark.
Without delete protection, you will have to supply this letter in
order to undelete the file.

4. After you have restored as many files as you want or can using
   the UNDELETE command, replace any others by reinstalling them
   using the original installation disks.
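Why UNDELETE shows the first letter as a question mark, and why copying new files onto the disk destroys the chance of recovery, can be seen from the on-disk structure.  DOS DEL does not wipe a file: it overwrites the first byte of the file's 32-byte FAT directory entry with 0xE5 and releases the file's clusters, while the rest of the entry, including the starting cluster and size, stays on disk.  The Python below is an added example, not code from the bulletin.  The entry layout and the 0xE5 marker are standard FAT12/16 facts; the file names, sizes and cluster numbers in the sample directory are constructed.

```python
"""Model of a FAT12/16 directory after DOS DEL, to show what UNDELETE recovers.
Added example, not from the CIAC bulletin.  Sample directory is constructed."""
import struct

DELETED = 0xE5     # first byte DOS writes into a deleted entry
ENTRY_SIZE = 32


def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build one 32-byte directory entry (constructed test data).
    Layout: 0-7 name, 8-10 ext, 11 attributes, 26-27 first cluster, 28-31 size."""
    raw = name.upper().ljust(8).encode("ascii") + ext.upper().ljust(3).encode("ascii")
    raw += bytes([0x20])                      # attribute byte: archive
    raw += bytes(14)                          # reserved/timestamp fields, unused here
    raw += struct.pack("<H", first_cluster)   # bytes 26-27: first cluster (low word)
    raw += struct.pack("<I", size)            # bytes 28-31: file size
    if deleted:
        raw = bytes([DELETED]) + raw[1:]      # exactly what DEL does to the entry
    return raw


def parse_directory(blob):
    """Return one dict per entry; deleted entries get '?' for the lost letter,
    which is the listing UNDELETE shows the user."""
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == 0x00:   # 0x00: end of directory
            break
        deleted = e[0] == DELETED
        name = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        cluster, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({"name": name + ("." + ext if ext else ""),
                        "deleted": deleted, "first_cluster": cluster, "size": size})
    return entries


def undelete(entry, first_letter, free_clusters):
    """Model UNDELETE: the user supplies the lost letter, and recovery is only
    possible while the file's starting cluster has not been reused.  Returns the
    restored name, or None when a newer file has overwritten the data."""
    if not entry["deleted"]:
        raise ValueError("entry is not deleted")
    if entry["first_cluster"] not in free_clusters:
        return None
    return first_letter.upper() + entry["name"][1:]


# Constructed directory: COMMAND.COM intact, FORMAT.COM and AUTOEXEC.BAT deleted.
SAMPLE_DIR = (
    make_entry("COMMAND", "COM", 2, 1024)
    + make_entry("FORMAT", "COM", 20, 2048, deleted=True)
    + make_entry("AUTOEXEC", "BAT", 40, 128, deleted=True)
    + bytes(ENTRY_SIZE)   # all-zero entry: end of directory
)

if __name__ == "__main__":
    entries = parse_directory(SAMPLE_DIR)
    for e in entries:
        print(e)
    # Clusters 20-22 are still free; cluster 40 was reused by a file copied in
    # after the deletion, so AUTOEXEC.BAT's data is gone.
    still_free = {20, 21, 22}
    print(undelete(entries[1], "F", still_free))   # FORMAT.COM
    print(undelete(entries[2], "A", still_free))   # None
```

The model makes the bulletin's warning concrete: the directory entry survives DEL, so UNDELETE can put the name back once you supply the missing letter, but only the free-cluster state protects the data itself, and any file copied onto the disk may claim those clusters first.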

The Operations staff at America Online has released the following
bulletin to their users:

--BEGIN MESSAGE--

Dear Member:

As you know, we strive to keep you informed on various issues
regarding online safety.

We want to take this opportunity to remind you about potential
computer viruses and Trojan horses and how to protect your
computer.  First, a virus is a program that is designed to spread
and usually attaches itself to a program with the goal of
spreading to other computers.  A Trojan horse is a program that
is intended to corrupt your computer but has to be activated
before it can be executed.  For example, a Trojan horse can be
distributed as an attached file to an email but the file has to
be downloaded and executed before harm is done.

If you receive email from unknown senders with an attached file,
it is a good rule of thumb not to download the files.  In
addition, if you ever receive a file in email you believe could
cause problems, please forward it immediately to TOSEMAIL1, and
explain your concerns to our Terms of Service staff.

We have received recent inquiries regarding a Trojan horse that
is sent as an attached file in an email message entitled
"AOLGOLD" and "Install.exe".  It is important to understand that
no virus or Trojan horse can be passed along by simply reading
email.  However, we strongly urge you, if you receive email with
an attached file with this name, not to download it.

Due to the private nature of electronic mail, we cannot scan
files in email for viruses as we do with files in public areas of
the service.

We have never had an occurrence of a virus or Trojan horse being
spread through simply reading email.  In order for one to spread
to your computer, you would have to proactively select the
attached file and download it to your hard drive.  It is
therefore advisable never to download attached files from an
unknown sender.

AOL incorporates virus protection throughout the service and
scans all posted software, text, and sound files in public areas.
We also offer our members the Virus Information Center on AOL
where you'll find information about the latest virus or Trojan
horse, along with updates to all the popular commercial,
shareware, and freeware anti-virus tools.  Keyword: VIRUS.

Thank you for taking an active role in maintaining a safe online
environment.

Sincerely,
AOL Operations Staff

--END MESSAGE--

_______________________

CIAC wishes to thank the staff of America Online, especially Mr. Don
Bigelow for their assistance in providing the information necessary to
prepare this bulletin.
_______________________





This PTG archive page provided courtesy of Moy Piano Service, LLC