
Re: Trojan Horse on PCs




>      Folks;
> 
>      This is a Real virus beware...
> 
> 
>      Picture.exe, really a Trojan horse e-mail attachment, if opened, tries
>      to send private information to an e-mail address originating in China
> 
>      By Bob Sullivan
>      MSNBC
> 
>      Jan. 6 - Here's a computer virus story that's not an urban legend. If
>      you receive an attachment in e-mail called "picture.exe," don't open
>      it. If you do, what happens next reads a bit like a spy novel - this
>      Trojan horse drops two more programs called note.exe and manager.exe
>      which will search through your internet cache directory and, if you
>      have one, the directory that holds your America Online username and
>      password. It then encrypts that information, tries to establish an
>      Internet connection, and sends it all to an e-mail address in China.
> 
> 
> 
>      PICTURE.EXE FIRST SURFACED right before Christmas, when some Net users
>      were spammed with e-mail with the subject line "batty." Several
>      postings to Usenet virus groups followed; then Network Associates
>      engineers received several e-mail alerts to what appeared to be
>      technically not a virus but a Trojan horse. (A Trojan horse does not
>      replicate on its own, but a virus does.)
>      Network Associates has since updated its McAfee virus
>      program to detect picture.exe (If you already have the software, an
>      updated version can be downloaded from
>      http://beta.nai.com/public/datafiles/3xupdates.htm ), but many
>      questions remain about the prying program.
>      "This is a more interesting Trojan than normal," said
>      Vincent Gullotto, manager of the antivirus emergency response team for
>      Network Associates. ?It actually has the capability to take
>      information and send it someplace. This one goes further than most and
>      if it's successful can use the information against you."
>      Network Associates received an unusually large number of
>      e-mails from victims of picture.exe, and there are already dozens of
>      Usenet posts with security experts warning about the danger.
>      Here's how it works:
>      Once a recipient opens picture.exe, that file expands
>      into two other executables - note.exe and manager.exe - and places
>      them into the Windows subdirectory. The following line is also added
>      to the win.ini file: "run=note.exe." That makes note.exe run the next
>      time Windows is started.
>      According to Network Associates, note.exe then gathers
>      information, apparently looking through the temporary Internet cache
>      directory in an attempt to determine what Web sites users have
>      visited. It then encrypts that information into a DAT file. It also
>      appears to look in the directory where AOL user information is stored.
>      Note.exe then builds a second DAT file.
>      "It's unclear right now what the second DAT file is
>      for," Gullotto said.
>      Usenet poster David Crick, a British computer science
>      student who received the e-mail Dec. 23 and started the Usenet
>      discussions, said, "I thought when I started downloading a very large
>      e-mail: 'Either someone's sent me an interesting piece of software, or
>      it's a virus.' It turned out to be a combination of the two - an
>      interesting virus," he said.
>      Crick says the file employs a crude encryption
>      technique, a 5-digit ASCII character shift - where a=f, b=g, and so
>      on. Other Usenet posters say the DAT file is full of e-mail addresses.
>      After note.exe does its thing, manager.exe runs,
>      attempting to e-mail the encrypted file to an e-mail address with the
>      domain of a Chinese ISP. The recipient, of course, could be anywhere.
>      "It appears to try to gain access to an ISP," Gullotto
>      said. Several Usenet posts say that upon reboot, the Trojan horse
>      opens up dial-up networking and tries to dial out of the infected PC.
>      There are many unanswered questions - chief among them,
>      why China? Gullotto said last year his firm worked on a similar Trojan
>      horse/virus with the same M/O. Called SemiSoft, it also gathers
>      information and tries to send it to an e-mail address hosted in China.
>      Network Associates is continuing to study picture.exe.
>      America Online was not available for comment.
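
The two concrete, checkable details in the forwarded article are the persistence entry ("run=note.exe" in win.ini) and the "a=f, b=g" 5-position character shift used on the DAT file. The following script is an added example, not code from the article, Network Associates or the mailing list, showing how an incident responder could check a copied win.ini for run=/load= entries naming note.exe or manager.exe, and undo the shift on a harvested DAT file to recover the e-mail addresses it holds. The win.ini text and the DAT bytes are constructed samples; the assumption that the shift is applied to every byte value (the article only states it for letters) is marked in the code.

```python
"""Triage helpers for the picture.exe / note.exe / manager.exe Trojan.

Added example. The win.ini sample and the DAT sample below are constructed
for illustration; they are not captured from an infected machine.
"""
import re

# Constructed win.ini [windows] section showing the persistence line the
# article describes ("run=note.exe"). Not a real capture.
SAMPLE_WIN_INI = """[windows]
load=
run=note.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# File names dropped by picture.exe according to the article.
SUSPECT_NAMES = {"note.exe", "manager.exe"}

# The article describes the DAT file as a 5-position character shift
# (a=f, b=g, ...). ASSUMPTION: the shift is applied to every byte value
# modulo 256, not only to letters; the article only states it for letters.
SHIFT = 5


def startup_entries(win_ini_text):
    """Return {'run': [...], 'load': [...]} from the [windows] section.

    win.ini allows several programs on one run= line separated by spaces or
    commas, so each value is split into a list.
    """
    section = None
    found = {}
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            found[key] = [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found


def flag_suspects(entries, suspects=SUSPECT_NAMES):
    """Return (key, program) pairs whose base file name is a known dropper."""
    hits = []
    for key, programs in entries.items():
        for program in programs:
            base = program.lower().rsplit("\\", 1)[-1]
            if base in suspects:
                hits.append((key, program))
    return hits


def shift_encode(data, shift=SHIFT):
    """Apply the forward shift (a -> f). Used here only to build test data."""
    return bytes((b + shift) % 256 for b in data)


def shift_decode(data, shift=SHIFT):
    """Undo the shift the article attributes to the DAT file (f -> a)."""
    return bytes((b - shift) % 256 for b in data)


def extract_addresses(decoded):
    """Pull e-mail addresses out of a decoded DAT blob (order preserved)."""
    text = decoded.decode("latin-1", errors="replace")
    return re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)


# Constructed DAT sample: what note.exe's harvested address list would look
# like after the shift, built from plaintext with shift_encode().
SAMPLE_DAT = shift_encode(b"alice@example.com\r\nbob@example.org\r\n")


if __name__ == "__main__":
    entries = startup_entries(SAMPLE_WIN_INI)
    for key, program in flag_suspects(entries):
        print("suspicious win.ini entry: %s=%s" % (key, program))
    for addr in extract_addresses(shift_decode(SAMPLE_DAT)):
        print("harvested address:", addr)
```

On a live Windows 9x box the file to inspect is %WINDIR%\win.ini; any non-empty run= or load= value deserves a look, since legitimate software rarely used those keys by 1999.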