> Folks;
>
> This is a Real virus beware...
>
>
> Picture.exe really a Trojan horse E-mail attachment, if opened, tries
> to send private information to an e-mail address originating in China
>
> By Bob Sullivan
> MSNBC
>
> Jan. 6 - Here's a computer virus story that's not an urban legend. If
> you receive an attachment in e-mail called "picture.exe," don't open
> it. If you do, what happens next reads a bit like a spy novel - this
> Trojan horse drops two more programs called note.exe and manager.exe
> which will search through your internet cache directory and, if you
> have one, the directory that holds your America Online username and
> password. It then encrypts that information, tries to establish an
> Internet connection, and sends it all to an e-mail address in China.
>
> PICTURE.EXE FIRST SURFACED right before Christmas, when some Net users
> were spammed with e-mail with the subject line "batty." Several
> postings to Usenet virus groups followed; then Network Associates
> engineers received several e-mail alerts to what appeared to be
> technically not a virus but a Trojan horse. (A Trojan horse does not
> replicate on its own, but a virus does.)
> Network Associates has since updated its McAfee virus
> program to detect picture.exe (If you already have the software, an
> updated version can be downloaded from
> http://beta.nai.com/public/datafiles/3xupdates.htm ), but many
> questions remain about the prying program.
> "This is a more interesting Trojan than normal," said
> Vincent Gullotto, manager of the antivirus emergency response team for
> Network Associates. "It actually has the capability to take
> information and send it someplace. This one goes further than most and
> if it's successful can use the information against you."
> Network Associates received an unusually large number of
> e-mails from victims of picture.exe, and there are already dozens of
> Usenet posts with security experts warning about the danger.
> Here's how it works:
> Once a recipient opens picture.exe, that file expands
> into two other executables - note.exe and manager.exe - and places
> them into the Windows subdirectory. The following line is also added
> to the win.ini file: "run=note.exe." That makes note.exe run the next
> time Windows is started.
> According to Network Associates, note.exe then gathers
> information, apparently looking through the temporary Internet cache
> directory in an attempt to determine what Web sites users have
> visited. It then encrypts that information into a DAT file. It also
> appears to look in the directory where AOL user information is stored.
> Note.exe then builds a second DAT file.
> "It's unclear right now what the second DAT file is
> for," Gullotto said.
> Usenet poster David Crick, a British computer science
> student who received the e-mail Dec. 23 and started the Usenet
> discussions, said, "I thought when I started downloading a very large
> e-mail: 'Either someone's sent me an interesting piece of software, or
> it's a virus.' It turned out to be a combination of the two - an
> interesting virus," he said.
> Crick says the file employs a crude encryption
> technique, a 5-digit ASCII character shift - where a=f, b=g, and so
> on. Other Usenet posters say the DAT file is full of e-mail addresses.
> After note.exe does its thing, manager.exe runs,
> attempting to e-mail the encrypted file to e-mail addresses with the
> domain of a Chinese ISP. The recipient, of course, could be anywhere.
> "It appears to try to gain access to an ISP," Gullotto
> said. Several Usenet posts say that upon reboot, the Trojan horse
> opens up dial-up networking and tries to dial out of the infected PC.
> There are many unanswered questions - chief among them,
> why China? Gullotto said last year his firm worked on a similar Trojan
> horse/virus with the same M.O. Called SemiSoft, it also gathers
> information and tries to send it to an e-mail address hosted in China.
> Network Associates is continuing to study picture.exe.
> America Online was not available for comment.
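The two concrete details in the article that a responder can act on are the win.ini persistence line ("run=note.exe") and the crude "a=f, b=g" shift used on the DAT file. The following is an added example written for this post, not code from MSNBC, Network Associates or any of the quoted Usenet posters: a small triage script that lists the run=/load= autostart entries in a win.ini file and reverses the 5-position shift so a captured DAT file can be read to see what was about to leave the machine. It assumes the shift wraps within the alphabet and leaves non-letters unchanged (the article does not say), and the win.ini and DAT samples below are constructed for illustration, not real victim data.

```python
import re
from typing import List

SHIFT = 5  # the article's "a=f, b=g, and so on"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def shift_text(text: str, shift: int) -> str:
    """Shift letters by `shift` positions, wrapping within the alphabet.
    Non-letters (digits, '@', '.') pass through unchanged. Wraparound and
    pass-through are assumptions; the write-up only gives a=f, b=g."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def unshift(text: str, shift: int = SHIFT) -> str:
    """Undo the shift: f -> a, g -> b, ... so a captured DAT file becomes readable."""
    return shift_text(text, -shift)


def recover_addresses(dat_text: str, shift: int = SHIFT) -> List[str]:
    """Decode a shifted DAT payload and pull out anything shaped like an
    e-mail address, which is what Usenet posters reported the file held."""
    return EMAIL_RE.findall(unshift(dat_text, shift))


def find_run_entries(win_ini: str) -> List[str]:
    """Return program names on run=/load= lines of a Win9x-era win.ini.
    These lines start programs at the next Windows start, which is how
    the article says note.exe was made persistent."""
    found: List[str] = []
    for raw in win_ini.splitlines():
        m = re.match(r"(?i)^(run|load)\s*=\s*(.+)$", raw.strip())
        if m:
            # run= may list several programs separated by spaces or commas
            found.extend(p for p in re.split(r"[ ,]+", m.group(2).strip()) if p)
    return found


# Constructed win.ini fragment showing the persistence line described above.
SAMPLE_WIN_INI = """[windows]
load=
run=note.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed DAT content: the plaintext "alice@example.com bob@example.org"
# after the 5-position shift (note x -> c wraps around the alphabet).
SAMPLE_DAT = "fqnhj@jcfruqj.htr gtg@jcfruqj.twl"


if __name__ == "__main__":
    print("autostart entries:", find_run_entries(SAMPLE_WIN_INI))
    print("decoded DAT:", unshift(SAMPLE_DAT))
    print("addresses in DAT:", recover_addresses(SAMPLE_DAT))
```

Running the script on the constructed samples lists note.exe as the only autostart entry and recovers both addresses from the shifted DAT text; pointed at a real win.ini and DAT file from an affected machine, the same two functions tell a responder what was set to run at boot and what the Trojan had collected before it tried to dial out.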