****************************************************************************** Security Bulletin 9707 DISA Defense Communications System April 21, 1997 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | The following important advisory was posted by the Department of | | Energy's Computer Incident Advisory Capability (CIAC) on their WWW | | page and is being relayed via the Defense Information Systems | | Agency's Security Coordination Center distribution system as a means | | of providing DISN subscribers with useful security information. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CIAC INFORMATION BULLETIN H-47a: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives ---------------------------------------------------------------------------- PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all files on a hard drive is circulating the Internet. PLATFORM: DOS/Windows-based PCs DAMAGE: When the AOL4FREE.COM program is executed, all files and directories on the users C: drive are deleted. SOLUTION: DO NOT execute this program. If the program starts executing, quickly pressing Ctrl-C will save some of your files. ---------------------------------------------------------------------------- VULNERABILITY Users who download the trojaned AOL4FREE.COM program and ASSESSMENT: executes it will destroy all the files and directories on their DOS C: drive. ---------------------------------------------------------------------------- CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives. NOTE: This is different from the AOL4FREE Virus Warning hoax message. CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if run, deletes all the files on a user's hard drive. If you are e-mailed this file, or if you have downloaded it from an online service, do not attempt to run it. If the program was received as an attachment to an e-mail message, do not double click (open) it. Opening an attached program runs that program, which in this case deletes all the files on your hard drive. The original AOL4FREE was a Macintosh program for fraudulently creating free AOL (America Online) accounts. Note that any attempt to use the original AOL4FREE program may subject you to prosecution. NOTE: Most antivirus programs will not detect this or other Trojan Horse programs. Detection ========= AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long. The following text is readable in the AOL4FREE.COM file if you display it with the DOS TYPE command or the DOS EDIT program. Compiled by BAT2EXEC 1.5 PC Magazine . Douglas Boling Note that this text may appear in any program compiled with the BAT2EXEC program and has nothing to do with the Trojan Horse. If you open the AOL4FREE.COM file with a disk editor or with the Windows Notepad program, the following text is found at the end of the second sector of the file. PATH COMMANDC earc /C C: /C CD\ DELTREE /y *.* ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER Where F*** is a common vulgar explicative. Recovery ======== Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will save some of them. If the program runs to completion, all the files on your root drive will have been deleted. The files are deleted with the DOS DELTREE command, so the contents of the files are still on your hard disk, only the directory entries have been deleted. Any program that can recover deleted files will allow you to recover some or all of the files on your hard disk. While attempting to recover files, be sure to not write any new files onto the hard disk as the new files may overwrite the contents of a deleted file, making it impossible to recover. You will probably have to boot your system with a floppy and run any recovery programs from there. If you happen to have one of the delete tracking programs installed on your system (a program that keeps track of deleted files in case you want them back) the recovery operation will be relatively simple. Follow the directions in your delete tracking program to recover your files. If not, you will probably have to recover each file individually, supplying the first character of the file name, which is overwritten in the directory when the file is deleted. Most DOS/Windows disk tools programs also have the capability for recovering deleted files so follow the directions included with those programs to do so. Background ========== The original AOL4FREE Macintosh program was developed to fraudulently create free AOL accounts. The creator of that program has pleaded guilty to defrauding America Online for distributing that program. Anyone else attempting to use that program to defraud AOL could also be prosecuted. The AOL4FREE Virus Warning message has been circulating about the Internet and warns of an AOL4FREE virus infected e-mail message that infects and destroys a system when the message is read, but that warning is a hoax and not about this Trojan horse. 1. The AOL4FREE.COM program is a Trojan Horse, not a virus. It does not spread on its own. 2. A Trojan Horse must be run to do any damage. 3. Reading an e-mail message with the Trojan Horse program as an attachment will not run the Trojan Horse and will not do any damage. Note that opening an attached program from within an e-mail reader runs that attached program, which may make it appear that reading the attachment caused the damage. Users should keep in mind that any file with a .COM or .EXE extension is a program, not a document and that double clicking or opening that program will run it. Macintosh users have the additional problem that Macintosh programs do not have readable extensions, and so are more difficult to detect. Extra care should be taken to insure that you do not unintentionally execute an attached program. CIAC still affirms that reading an e-mail message, even one with an attached program, can not do damage to a system. The attachment must be both downloaded onto the system and run to do any damage. ---------------------------------------------------------------------------- For additional information or assistance, please contact CIAC: Voice: +1 510-422-8193 (8:00 - 18:00 PST, 16:00 - 2:00 GMT) Emergency (DOE, DOE Contractors, and NIH ONLY): 1-800-759-7243, 8550070 (primary), 8550074 (secondary) FAX: +1 510-423-8002 STU-III: +1 510-423-2604 E-mail: ciac@llnl.gov World Wide Web: http://ciac.llnl.gov/ Anonymous FTP: ciac.llnl.gov (128.115.19.53) Modem access: +1 (510) 423-4753 (28.8K baud) +1 (510) 423-3331 (28.8K baud) ---------------------------------------------------------------------------- This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. ---------------------------------------------------------------------------- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.