FW: Trojan Horse Alert

Timothy A. McDaniel tmcd at crl.com
Mon Apr 21 14:49:14 PDT 1997


My apologies for replying to the widely cross-posted mail with more.

The U.S. Department of Energy Computer Incident Advisory Capability
(CIAC) has also issued an alert about the AOL4FREE.COM e-mail
attachment Trojan Horse.  Text upon request.

In the Symantec alert:
> That message [the previous AOL4FREE warning message] is still
> considered to be a hoax, as the process of opening an email cannot
> cause the events described to happen.

CIAC says:
> 3.  Reading an e-mail message with the Trojan Horse program as an
>     attachment will not run the Trojan Horse and will not do any
>     damage. Note that opening an attached program from within an
>     e-mail reader runs that attached program, which may make it
>     appear that reading the attachment caused the damage. Users
>     should keep in mind that any file with a .COM or .EXE extension
>     is a program, not a document and that double clicking or opening
>     that program will run it.
>
> CIAC still affirms that reading an e-mail message, even one with an
> attached program, can not do damage to a system. The attachment must
> be both downloaded onto the system and run to do any damage.

... which appears to say that, with some mail readers at least,
clicking on an attachment can cause it to run.  Do be aware of how your
mail reader works.  If it can run attached .COM or .EXE files, you
might want to look at disabling that feature, or at least knowing how
it works.

CIAC also says:
> Recovery
> ========
> 
> Pressing Ctrl-C before the Trojan Horse finishes deleting all your
> files will save some of them. If the program runs to completion, all
> the files on your root drive will have been deleted. The files are
> deleted with the DOS DELTREE command, so the contents of the files are
> still on your hard disk, only the directory entries have been
> deleted. Any program that can recover deleted files will allow you to
> recover some or all of the files on your hard disk.
> 
> While attempting to recover files, be sure to not write any new files
> onto the hard disk as the new files may overwrite the contents of a
> deleted file, making it impossible to recover. You will probably have
> to boot your system with a floppy and run any recovery programs from
> there.
> 
> If you happen to have one of the delete tracking programs installed on
> your system (a program that keeps track of deleted files in case you
> want them back) the recovery operation will be relatively
> simple. Follow the directions in your delete tracking program to
> recover your files. If not, you will probably have to recover each
> file individually, supplying the first character of the file name,
> which is overwritten in the directory when the file is deleted. Most
> DOS/Windows disk tools programs also have the capability for
> recovering deleted files so follow the directions included with those
> programs to do so.

-- 
Tim McDaniel; Reply-To: tmcd at crl.com
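
Since the first point above is whether a mail reader will run an attached .COM
or .EXE when you click on it, the following is an added example (not from the
CIAC or Symantec text, and not any real mail reader's code) that scans a raw
message for attachments whose name marks them as a program. The sample
message, the extensions beyond .COM and .EXE, and the function names are all
assumptions made for the example; the scan also catches the double-extension
case (README.TXT.EXE), which goes a little beyond what the alert discusses.

```python
"""Scan a raw e-mail for attachments a DOS/Windows mail reader would execute
when 'opened'.  Added example, not from the CIAC or Symantec alerts; the
message below is constructed and carries no real program."""
from email import message_from_bytes, policy

# .COM and .EXE are the two extensions the CIAC text names; the rest are
# added here as assumptions about what else a double-click would run.
EXECUTABLE_EXTENSIONS = {"com", "exe", "bat", "pif", "scr"}


def executable_extension(filename):
    """Return the final extension, lower-cased, the way the shell resolves it.
    Trailing dots and spaces are stripped because Windows ignores them, so
    'README.TXT.EXE.' still resolves as an .EXE."""
    base = filename.rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def executable_attachments(raw):
    """Return the filenames of every attachment whose extension marks it as a program."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()   # Content-Disposition filename, else Content-Type name
        if name and executable_extension(name) in EXECUTABLE_EXTENSIONS:
            flagged.append(name)
    return flagged


# Constructed message: a text body plus three attachments: a .COM named after
# the one in the alert, a harmless text file, and a double-extension name.
SAMPLE = b"""From: sender@example.com
To: you@example.com
Subject: AOL4FREE
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

Run the attached program for free AOL time.
--sample-boundary
Content-Type: application/octet-stream; name="AOL4FREE.COM"
Content-Disposition: attachment; filename="AOL4FREE.COM"

(constructed placeholder, not a program)
--sample-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain text
--sample-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="README.TXT.EXE"

(constructed placeholder, not a program)
--sample-boundary--
"""

if __name__ == "__main__":
    print(executable_attachments(SAMPLE))   # ['AOL4FREE.COM', 'README.TXT.EXE']
```

The check is on the name the reader would hand to the operating system, not
on the MIME type, because a .COM sent as text/plain is still run when the
reader "opens" it by handing the saved file to DOS.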


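
To show concretely what the Recovery section quoted above relies on, here is
an added toy model of a FAT16 volume (my own example, not the CIAC text and
not any real undelete tool). It does what DEL and DELTREE do to a directory
entry and the FAT, lists the deleted entry with the lost first character shown
as "?", and recovers the file when the user supplies that character. The
cluster size, the contiguity assumption, and the class and function names are
assumptions for the example; the refusal when the clusters have been reused
is the "do not write any new files" caveat in code.

```python
"""Toy model of DOS delete and UNDELETE on a FAT16 volume.
Constructed example, not from the CIAC advisory or any real tool.
Assumptions (not from the page): FAT16 cluster numbers, 512-byte clusters,
and that a deleted file's clusters were contiguous.  DEL/DELTREE mark the
directory entry (first name byte -> 0xE5) and free the cluster chain in the
FAT; the data clusters are untouched until something new is written."""
import struct

CLUSTER_SIZE = 512      # assumed cluster size for this toy volume
FAT_FREE = 0x0000       # FAT16: cluster unallocated
FAT_EOC = 0xFFFF        # FAT16: end of chain (DOS accepts 0xFFF8..0xFFFF)
DELETED_MARK = 0xE5     # first name byte of a deleted directory entry
ENTRY_SIZE = 32
# name, ext, attr, ntres, ctime_tenth, ctime, cdate, adate, clus_hi, wtime, wdate, clus_lo, size
ENTRY_FMT = "<8s3sBBBHHHHHHHI"


def make_entry(name, ext, first_cluster, size):
    """Build a 32-byte FAT short-name directory entry (timestamps left zero)."""
    return struct.pack(ENTRY_FMT, name.upper().ljust(8).encode("ascii"),
                       ext.upper().ljust(3).encode("ascii"),
                       0x20,                 # ATTR_ARCHIVE
                       0, 0, 0, 0, 0,        # NT reserved, ctime tenth, ctime, cdate, access date
                       0,                    # first cluster high word (0 on FAT16)
                       0, 0,                 # write time, write date
                       first_cluster, size)  # first cluster low word, file size


class Volume:
    """In-memory FAT16 volume: one root directory, a FAT, and a data area."""

    def __init__(self, n_clusters=16):
        self.directory = bytearray()
        self.fat = [FAT_EOC, FAT_EOC] + [FAT_FREE] * n_clusters   # clusters 0 and 1 are reserved
        self.data = bytearray(CLUSTER_SIZE * (n_clusters + 2))

    def write_file(self, name, ext, content):
        """Store content in the first contiguous run of free clusters; return the entry index."""
        n = max(1, -(-len(content) // CLUSTER_SIZE))
        start = next((c for c in range(2, len(self.fat) - n + 1)
                      if all(self.fat[c + i] == FAT_FREE for i in range(n))), None)
        if start is None:
            raise OSError("disk full")
        for i in range(n):
            self.fat[start + i] = start + i + 1 if i < n - 1 else FAT_EOC
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            pos = (start + i) * CLUSTER_SIZE
            self.data[pos:pos + len(chunk)] = chunk
        self.directory += make_entry(name, ext, start, len(content))
        return len(self.directory) // ENTRY_SIZE - 1

    def dos_delete(self, index):
        """What DEL/DELTREE do: free the FAT chain and flag the entry.  Data is untouched."""
        off = index * ENTRY_SIZE
        cluster = struct.unpack_from("<H", self.directory, off + 26)[0]
        while 2 <= cluster < 0xFFF8:
            nxt = self.fat[cluster]
            self.fat[cluster] = FAT_FREE
            cluster = nxt
        self.directory[off] = DELETED_MARK

    def deleted_entries(self):
        """Entries flagged 0xE5, as UNDELETE lists them: (index, '?name', ext, start, size)."""
        found = []
        for i in range(len(self.directory) // ENTRY_SIZE):
            off = i * ENTRY_SIZE
            if self.directory[off] != DELETED_MARK:
                continue
            name = "?" + self.directory[off + 1:off + 8].decode("ascii").rstrip()
            ext = self.directory[off + 8:off + 11].decode("ascii").rstrip()
            start, size = struct.unpack_from("<HI", self.directory, off + 26)
            found.append((i, name, ext, start, size))
        return found

    def undelete(self, index, first_char):
        """Recover a deleted entry the way UNDELETE does: restore the first character the
        user supplies and rebuild the chain assuming the clusters were contiguous.
        Refuses if any of those clusters has been reallocated since (the data is gone)."""
        off = index * ENTRY_SIZE
        if self.directory[off] != DELETED_MARK:
            raise ValueError("entry is not deleted")
        start, size = struct.unpack_from("<HI", self.directory, off + 26)
        n = max(1, -(-size // CLUSTER_SIZE))
        needed = list(range(start, start + n))
        if needed[-1] >= len(self.fat) or any(self.fat[c] != FAT_FREE for c in needed):
            raise ValueError("clusters reused since deletion; contents overwritten")
        for i, c in enumerate(needed):
            self.fat[c] = needed[i + 1] if i + 1 < n else FAT_EOC
        self.directory[off] = ord(first_char.upper())
        return bytes(self.data[start * CLUSTER_SIZE:start * CLUSTER_SIZE + size])


if __name__ == "__main__":
    vol = Volume()
    idx = vol.write_file("AUTOEXEC", "BAT", b"@ECHO OFF\r\nPATH C:\\DOS\r\n" * 40)
    vol.dos_delete(idx)
    print("after DELTREE:", vol.deleted_entries())
    print("recovered", len(vol.undelete(idx, "A")), "bytes")
```

The contiguity assumption is the weak spot of every undelete tool of that era:
a fragmented file comes back with the wrong clusters in the middle, which is
why delete-tracking programs, which record the real chain before the delete,
give a simpler and more reliable recovery.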

More information about the Ansteorra mailing list