Please consider this for reposting to your friends.
_______________________________________________
>>
>> The U.S. Department of Energy
>> Computer Incident Advisory Capability
>> __________________________________________________________
>>
>> INFORMATION BULLETIN
>>
>> AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
>>
>>April 16, 1997 18:00 GMT Number H-47
>>___________________________________________________________________________
>>PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all
>> files on a hard drive is circulating the Internet.
>>PLATFORM: DOS/Windows-based PCs
>>DAMAGE: When the AOL4FREE.COM program is executed, all files and
>> directories on the user's C: drive are deleted.
>>SOLUTION: DO NOT execute this program. If the program starts executing,
>> quickly pressing Ctrl-C will save some of your files.
>>___________________________________________________________________________
>>VULNERABILITY Users who download the Trojaned AOL4FREE.COM program and
>>ASSESSMENT: execute it will destroy all the files and directories on their
>> DOS C: drive.
>>___________________________________________________________________________
>>
>>NOTE: THIS IS DIFFERENT FROM THE AOL4FREE HOAX MESSAGE.
>>
>>CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives.
>>
>>CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if run,
>>deletes all the files on a user's hard drive. If you are e-mailed this file,
>>or if you have downloaded it from an online service, do not attempt to run it.
>>If the program was received as an attachment to an e-mail message, do not
>>double click (open) it. Opening an attached program runs that program, which
>>in this case deletes all the files on your hard drive. The original
>>AOL4FREE.COM was a program for fraudulently creating free AOL (America Online)
>>accounts. Note that any attempt to use the original AOL4FREE.COM program may
>>subject you to prosecution.
>>
>>NOTE: Most antivirus programs will not detect this or other Trojan Horse
>> programs.
>>
>>Detection
>>=========
>>
>>AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long.
>>It masquerades as the AOL4FREE program that allows the fraudulent creation of
>>free AOL accounts. The following text is readable in the AOL4FREE.COM file
>>if you display it with the DOS TYPE command or the DOS EDIT program.
>>
>>Compiled by BAT2EXEC 1.5
>>PC Magazine . Douglas Boling
>>
>>Note that this text may appear in any program compiled with the BAT2EXEC
>>program and has nothing to do with the Trojan Horse.
>>
>>If you open the AOL4FREE.COM file with a disk editor or with the Windows
>>Notepad program, the following text is found at the end of the second sector
>>of the file.
>>
>>PATH
>>COMMANDC earc
>>/C C:
>>/C CD\
>>DELTREE /y *.*
>>ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER
>>
>>Where F*** is a common vulgar expletive.
>>
>>Recovery
>>========
>>
>>Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will
>>save some of them. If the program runs to completion, all the files on
>>your root drive will have been deleted. The files are deleted with the
>>DOS DELTREE command, so the contents of the files are still on your hard
>>disk, only the directory entries have been deleted. Any program that can
>>recover deleted files will allow you to recover some or all of the files
>>on your hard disk.
>>
>>While attempting to recover files, be sure to not write any new files onto
>>the hard disk as the new files may overwrite the contents of a deleted file,
>>making it impossible to recover. You will probably have to boot your system
>>with a floppy and run any recovery programs from there.
>>
>>If you happen to have one of the delete tracking programs installed on your
>>system (a program that keeps track of deleted files in case you want them
>>back) the recovery operation will be relatively simple. Follow the directions
>>in your delete tracking program to recover your files. If not, you will
>>probably have to recover each file individually, supplying the first character
>>of the file name, which is overwritten in the directory when the file is
>>deleted. Most DOS/Windows disk tools programs also have the capability for
>>recovering deleted files, so follow the directions included with those programs
>>to do so.
>>
>>Background
>>==========
>>
>>The original AOL4FREE.COM program was developed to fraudulently create free
>>AOL accounts. The creator of that program has pleaded guilty to defrauding
>>America Online for distributing that program. Anyone else attempting to use
>>that program to defraud AOL could also be prosecuted.
>>
>>An e-mail message was recently circulating about the Internet that warned of
>>an AOL4FREE virus, but that warning is either a hoax or a badly misunderstood
>>description of this Trojan Horse.
>>1. This program is a Trojan Horse, not a virus. It does not spread on its own.
>>2. A Trojan Horse must be run to do any damage.
>>3. Reading an e-mail message with the Trojan Horse program as an attachment
>> will not run the Trojan Horse and will not do any damage. Note that
>> opening an attached program from within an e-mail reader runs that
>> attached program, which may make it appear that reading the attachment
>> caused the damage. Users should keep in mind that any file with a .COM or
>> .EXE extension is a program, not a document and that double clicking or
>> opening that program will run it.
>>
>>CIAC still affirms that reading an e-mail message, even one with an attached
>>program, can not do damage to a system. The attachment must be both downloaded
>>onto the system and run to do any damage.
>>
>>CIAC, the Computer Incident Advisory Capability, is the computer
>>security incident response team for the U.S. Department of Energy
>>(DOE) and the emergency backup response team for the National
>>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>>National Laboratory in Livermore, California. CIAC is also a founding
>>member of FIRST, the Forum of Incident Response and Security Teams, a
>>global organization established to foster cooperation and coordination
>>among computer security teams worldwide.
>>
>>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>>can be contacted at:
>> Voice: +1 510-422-8193
>> FAX: +1 510-423-8002
>> STU-III: +1 510-423-2604
>> E-mail: ciac@llnl.gov
>>
>>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>>Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC
>>duty person, and the secondary PIN number, 8550074, is for the CIAC
>>Project Leader.
>>
>>Previous CIAC notices, anti-virus software, and other information are
>>available from the CIAC Computer Security Archive.
>>
>> World Wide Web: http://ciac.llnl.gov/
>> Anonymous FTP: ciac.llnl.gov (128.115.19.53)
>> Modem access: +1 (510) 423-4753 (28.8K baud)
>> +1 (510) 423-3331 (28.8K baud)
>>
>>CIAC has several self-subscribing mailing lists for electronic
>>publications:
>>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>> information and Bulletins, important computer security information;
>>2. CIAC-NOTES for Notes, a collection of computer security articles;
>>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>> (SPI) software updates, new features, distribution and
>> availability;
>>4. SPI-NOTES, for discussion of problems and solutions regarding the
>> use of SPI products.
>>
>>Our mailing lists are managed by a public domain software package
>>called Majordomo, which ignores E-mail header subject lines. To
>>subscribe (add yourself) to one of our mailing lists, send the
>>following request as the E-mail message body, substituting
>>ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
>>
>>E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
>> subscribe list-name
>> e.g., subscribe ciac-notes
>>
>>You will receive an acknowledgment email immediately with a confirmation
>>that you will need to mail back to the addresses above, as per the
>>instructions in the email. This is a partial protection to make sure
>>you are really the one who asked to be signed up for the list in question.
>>
>>If you include the word 'help' in the body of an email to the above address,
>>it will also send back an information file on how to subscribe/unsubscribe,
>>get past issues of CIAC bulletins via email, etc.
>>
>>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>>communities receive CIAC bulletins. If you are not part of these
>>communities, please contact your agency's response team to report
>>incidents. Your agency's team will coordinate with CIAC. The Forum of
>>Incident Response and Security Teams (FIRST) is a world-wide
>>organization. A list of FIRST member organizations and their
>>constituencies can be obtained via WWW at http://www.first.org/.
>>
>>This document was prepared as an account of work sponsored by an
>>agency of the United States Government. Neither the United States
>>Government nor the University of California nor any of their
>>employees, makes any warranty, express or implied, or assumes any
>>legal liability or responsibility for the accuracy, completeness, or
>>usefulness of any information, apparatus, product, or process
>>disclosed, or represents that its use would not infringe privately
>>owned rights. Reference herein to any specific commercial products,
>>process, or service by trade name, trademark, manufacturer, or
>>otherwise, does not necessarily constitute or imply its endorsement,
>>recommendation or favoring by the United States Government or the
>>University of California. The views and opinions of authors expressed
>>herein do not necessarily state or reflect those of the United States
>>Government or the University of California, and shall not be used for
>>advertising or product endorsement purposes.
>>
>>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>>
>>H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
>>H-37: Solaris 2.x passwd buffer Overrun Vulnerability
>>H-38A: Internet Explorer 3.x Vulnerabilities
>>H-39: SGI IRIX fsdump Vulnerability
>>H-40: DIGITAL Security Vulnerabilities (DoP, delta-time)
>>H-41: Solaris 2.x eject Buffer Overrun Vulnerability
>>H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
>>H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
>>H-45: Windows NT SAM permission Vulnerability
>>H-46: Vulnerability in IMAP and POP
>>
>>
>>
>Joe Carlson carlson1@llnl.gov Key ID DA64D8D5
>PGP Pub Key fingerprint = CD 36 E3 99 CE FF B6 3D 01 E1 C4 95 70 59 62 3C
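A defender-side check for the indicators the bulletin's Detection section gives (993-byte length, BAT2EXEC banner, DELTREE /y *.* command text), written as an added Python example that is not part of the forwarded CIAC bulletin. It encodes the bulletin's caveat that the BAT2EXEC banner alone proves nothing; the byte strings it scans are constructed here and are not the real Trojan's contents.

```python
"""Scanner for the AOL4FREE.COM Trojan indicators listed in CIAC H-47.

Indicators from the bulletin: the file is 993 bytes long, carries the
BAT2EXEC 1.5 banner (which ANY BAT2EXEC-built program has, so it is never
a trigger on its own), and contains the DELTREE /y *.* command text.
The sample images below are constructed for illustration only.
"""
from dataclasses import dataclass

BAT2EXEC_BANNER = b"Compiled by BAT2EXEC 1.5"
DELTREE_CMD = b"DELTREE /y *.*"
TROJAN_SIZE = 993  # bytes (2 sectors), per the bulletin


@dataclass
class Verdict:
    size_matches: bool
    bat2exec_banner: bool
    deltree_present: bool

    @property
    def label(self) -> str:
        # Only the destructive command text drives the verdict; the exact
        # size upgrades it from SUSPICIOUS to TROJAN.
        if self.deltree_present:
            return "TROJAN" if self.size_matches else "SUSPICIOUS"
        return "BENIGN"


def scan(data: bytes) -> Verdict:
    """Classify a DOS .COM image by the H-47 indicators (case-insensitive)."""
    upper = data.upper()
    return Verdict(
        size_matches=len(data) == TROJAN_SIZE,
        bat2exec_banner=BAT2EXEC_BANNER.upper() in upper,
        deltree_present=DELTREE_CMD.upper() in upper,
    )


def _pad(body: bytes, size: int) -> bytes:
    """Pad or truncate a constructed body to an exact file length."""
    return body.ljust(size, b"\x00")[:size]


# Constructed samples: a look-alike carrying the destructive command, and a
# harmless BAT2EXEC-built program that only carries the banner.
TROJAN_LIKE = _pad(BAT2EXEC_BANNER + b"\r\n/C C:\r\n/C CD\\\r\n" + DELTREE_CMD, TROJAN_SIZE)
BENIGN_BAT2EXEC = _pad(BAT2EXEC_BANNER + b"\r\nECHO hello", 512)

if __name__ == "__main__":
    for name, blob in (("trojan_like", TROJAN_LIKE), ("benign", BENIGN_BAT2EXEC)):
        print(name, scan(blob).label)
```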