"Picture.exe" :: old Horse



the dreaded Picture.exe trojan.
It's real alright.

But nothing more than a renamed copy of the "Netbus"
trojan that's been in existence for at least a year now.

McAfee (NAI) has been whipping up a lot of press for
themselves (a new stock issue is due in the next week
or so) over trojans (like Picture.exe) that have been around
for a while now.

Don't get me wrong, I'm glad they're "discovering" them, but
it's a pity they can only detect but NOT remove them.
Can't wait until they "discover" Master's Paradise, which is
far nastier than Picture.exe.

Some software (just not McAfee) has the ability to detect AND
remove these (and many other) trojans.  It costs about
$20.

dan chesler



-----Original Message-----
From: Lamont Cranston <mulligan@xxxxxxxx>
To: omega-list@xxxxxxxxxx <omega-list@xxxxxxxxxx>
Date: Tuesday, January 12, 1999 12:42 PM
Subject: Re: Trojan Horse on PCs


:>      Folks;
:>
:>      This is a Real virus beware...
:>
:>
:>      Picture.exe really a Trojan horse E-mail attachment, if opened, tries
:>      to send private information to an e-mail address originating in China
:>
:>      By Bob Sullivan
:>      MSNBC
:>
:>      Jan. 6 -- Here's a computer virus story that's not an urban legend. If
:>      you receive an attachment in e-mail called "picture.exe," don't open
:>      it. If you do, what happens next reads a bit like a spy novel -- this
:>      Trojan horse drops two more programs called note.exe and manager.exe
:>      which will search through your internet cache directory and, if you
:>      have one, the directory that holds your America Online username and
:>      password. It then encrypts that information, tries to establish an
:>      Internet connection, and sends it all to an e-mail address in China.
:>
:>      PICTURE.EXE FIRST SURFACED right before Christmas, when some Net users
:>      were spammed with e-mail with the subject line "batty." Several
:>      postings to Usenet virus groups followed; then Network Associates
:>      engineers received several e-mail alerts to what appeared to be
:>      technically not a virus but a Trojan horse. (A Trojan horse does not
:>      replicate on its own, but a virus does.)
:>      Network Associates has since updated its McAfee virus
:>      program to detect picture.exe (If you already have the software, an
:>      updated version can be downloaded from
:>      http://beta.nai.com/public/datafiles/3xupdates.htm ), but many
:>      questions remain about the prying program.
:>      "This is a more interesting Trojan than normal," said
:>      Vincent Gullotto, manager of the antivirus emergency response team for
:>      Network Associates. "It actually has the capability to take
:>      information and send it someplace. This one goes further than most and
:>      if it's successful can use the information against you."
:>      Network Associates received an unusually large number of
:>      e-mails from victims of picture.exe, and there are already dozens of
:>      Usenet posts with security experts warning about the danger.
:>      Here's how it works:
:>      Once a recipient opens picture.exe, that file expands
:>      into two other executables -- note.exe and manager.exe -- and places
:>      them into the Windows subdirectory. The following line is also added
:>      to the win.ini file: "run=note.exe." That makes note.exe run the next
:>      time Windows is started.
:>      According to Network Associates, note.exe then gathers
:>      information, apparently looking through the temporary Internet cache
:>      directory in an attempt to determine what Web sites users have
:>      visited. It then encrypts that information into a DAT file. It also
:>      appears to look in the directory where AOL user information is stored.
:>      Note.exe then builds a second DAT file.
:>      "It's unclear right now what the second DAT file is
:>      for," Gullotto said.
:>      Usenet poster David Crick, a British computer science
:>      student who received the e-mail Dec. 23 and started the Usenet
:>      discussions, said, "I thought when I started downloading a very large
:>      e-mail: 'Either someone's sent me an interesting piece of software, or
:>      it's a virus.' It turned out to be a combination of the two -- an
:>      interesting virus," he said.
:>      Crick says the file employs a crude encryption
:>      technique, a 5-digit ASCII character shift -- where a=f, b=g, and so
:>      on. Other Usenet posters say the DAT file is full of e-mail addresses.
:>      After note.exe does its thing, manager.exe runs,
:>      attempting to e-mail the encrypted file to an e-mail address with the
:>      domain of a Chinese ISP. The recipient, of course, could be anywhere.
:>      "It appears to try to gain access to an ISP," Gullotto
:>      said. Several Usenet posts say that upon reboot, the Trojan horse
:>      opens up dial-up networking and tries to dial out of the infected PC.
:>      There are many unanswered questions -- chief among them,
:>      why China? Gullotto said last year his firm worked on a similar Trojan
:>      horse/virus with the same M/O. Called SemiSoft, it also gathers
:>      information and tries to send it to an e-mail address hosted in China.
:>      Network Associates is continuing to study picture.exe.
:>      America Online was not available for comment.
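The quoted article names two things a responder can check on a suspect machine: the persistence line the trojan adds to win.ini ("run=note.exe") and the crude encoding of the DAT file it builds (a 5-step ASCII character shift, a=f). Below is an added triage example, not code from the mailing list, from MSNBC, or from any vendor tool. It assumes the persistence entry lives under the [windows] section of win.ini as the article describes, and it treats the "ASCII character shift" as a flat +5 on every character code with no alphabet wrap-around (that reading is an assumption; the article's a=f, b=g examples fit either interpretation). The sample win.ini and sample DAT contents are constructed for the example.

```python
"""Triage helpers for the picture.exe behaviour described in the quoted article.

Added example, not the trojan's code or any vendor's detection logic.
Assumptions (not stated on the page): persistence is a run=/load= line in the
[windows] section of win.ini, and the "5-digit ASCII character shift" is a
plain +5 on each character code without wrap-around.
"""
import re

SHIFT = 5  # the article reports a shift of 5: a=f, b=g, ...

# Constructed sample win.ini; only the run= line is unusual.
SAMPLE_WIN_INI = """[windows]
load=
run=note.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample DAT content: "user@example.com" with every character code +5.
SAMPLE_DAT = "zxjwEj}fruqj3htr"


def find_win_ini_run_entries(win_ini_text):
    """Return (key, program) pairs from run=/load= lines in the [windows] section.

    Ordinary installs almost never populate these keys, so any program listed
    here is worth a second look during incident triage.
    """
    entries = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows":
            continue
        m = re.match(r"(run|load)\s*=\s*(.*)", line, re.IGNORECASE)
        if m and m.group(2).strip():
            # one key may list several programs separated by spaces or commas
            for prog in re.split(r"[\s,]+", m.group(2).strip()):
                entries.append((m.group(1).lower(), prog))
    return entries


def unshift(ciphertext, shift=SHIFT):
    """Undo a fixed ASCII code shift so a captured DAT file can be read."""
    return "".join(chr(ord(c) - shift) for c in ciphertext)


def extract_addresses(text):
    """Pull e-mail addresses out of decoded DAT content (posters reported it
    was full of them), so the scope of the leak can be assessed."""
    return re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text)


if __name__ == "__main__":
    print("win.ini autostart entries:", find_win_ini_run_entries(SAMPLE_WIN_INI))
    decoded = unshift(SAMPLE_DAT)
    print("decoded DAT:", decoded)
    print("addresses found:", extract_addresses(decoded))
```

If the DAT file turns out to use an alphabetic wrap-around instead of a flat code shift, only `unshift` needs changing; the win.ini check and the address extraction are independent of the encoding.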