Date: Fri, 19 Mar 1999 09:41:18 +0100 From: Aeon Labs To: packetstorm@genocide2600.com Subject: security/privacy news (Perhaps this might be of interest to Your readers.) ProMail v1.21, an advanced freeware mail program spread through several worldwide distribution networks (SimTel.net, Shareware.com and others), is a trojan. Upon discovering - through LAN sniffing - that the program would attempt to connect to SMTP instead of POP3 when a regular mail check was performed, we reverse-engineered the software. ALL of the personal user data, including the user's password in encrypted format, is sent to an account on NetAddress - a free email provider - as soon as a valid internet connection is detected. Apart from this "feature", the software is 100 % functional and very well done. Well, it seems that 1999 is the worst year for privacy... More detailed information can be found on our web site at http://cool.icestorm.net/aeon/news.html --------------------------------------------------------------------- Aeon Labs http://cool.icestorm.net/aeon [http://cool.icestorm.net/aeon/news.html] 03.99] ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan. It has been spread through several worldwide distribution networks (SimTel.net, Shareware.com and others) as proml121.zip. Upon discovering - through LAN sniffing - that the program would attempt to connect to SMTP instead of POP3 when a regular mail check was performed, we reverse-engineered the software. The executable, which appears to have been created with Borland Delphi, has been packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make disassembly harder. ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created, an "ini" file containing the users full name, passwords, email addresses, servers and more is generated. Prior to doing any other action, the program performs a check for a valid network connection which, if found, allows for the sending of ALL of the personal user data, including the user's password in encrypted format, to an account on NetAddress - a free email provider. Apart from this "feature", the software is 100 % functional and very well done. For further information or a more detailed analysis contact us. --------------------------------------------------------------------------------- Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST) From: aeon@army.net To: packetstorm@genocide2600.com Subject: Re: your mail currently our members have disassembled and analyzed the whole executable. the only thing it appears to do as a trojan is to send the accounts data entered by the user: full name, organization, email address, user name, password (encrypted), smtp and pop3 servers, etc. and since promail supports multiple accounts, each newly created account is sent. the data for each account is contained in a text file which is used to initialize promail at run-time. the same text file is used as body of the email which is sent to the author (supposedly) of the program. it appears that all emails are sent with same subject line: "kirio". the program also creates the file promail.pml in its directory. it's a zero length file used as permanent flag to "remember" to the trojan that one or more accounts data could not be sent in the last session (for example, when accounts are created off-line, or when not followed by a mail check in the same session). we also managed to crack the mailbox to which accounts data is sent. about ~80 emails (== accounts) were found and another dozen was received after only ten minutes or so. accounts for microsoft, michigan us army, old bridge chemicals and a videogames company - amongst the others - were found. we have merely informed a _contact_ (not the ml) in ntbugtraq and several "underground" news/security sites. well you can contact the various *traq mailing lists if you want. we don't care if people still trust anything that can be downloaded from the net anyway. i guess we're not exactly "white hat" hackers :P if you need any help or further analysis on a specific part of the program please feel free to contact us. ------------------------------------------------------------------------ Aeon Labs http://cool.icestorm.net/aeon --------------------------------------------------------------------------------- Date: Sun, 21 Mar 1999 09:40:26 +0100 From: Patrick Oonk To: tattooman@ADRIC.GENOCIDE2600.COM Subject: [patrick@pine.nl: ProMail trojan proof] ----- Forwarded message from Patrick Oonk ----- Hi, I've tested the ProMail Trojan, it sends the info to naggamanteh@usa.net using the smtp server you supply when creating an account. I'll Cc: abuse@usa.net and bugs@shareware.com ProMail can still be downloaded at many sites, just check http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141 These are the queue files at my smtp server after I installed ProMail and created an account: $ more /var/spool/mqueue/qfPAA17183 V2 T921939650 K921939657 N1 P30435 I6/0/88205 M... reply: read error from office.pine.nl. Fb $rSMTP $sfoo $_foo.domain.com [10.0.0.1] S RPFD: H?P?Return-Path: HReceived: from foo (foo.domain.com [10.0.0.1]) by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183 for ; Sat, 20 Mar 1999 15:20:50 +0100 (MET) H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET) H?F?From: patrick@pine.nl H?M?Message-Id: <199903201420.PAA17183@bar.domain.com> HTo: naggamanteh@usa.net HSubject: kirio $ more /var/spool/mqueue/dfPAA17183 Name=New Account [From] EMail=patrick@pine.nl Name=Patrick Oonk Organization=Pine Internet B.V. [ReplyTo] EMail=patrick@pine.nl Name=Patrick Oonk [POP3] Server=pop.domain.com Port=110 User=patrick Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE PromptPassword=0 DoPOP=1 StandardDownload=0 [SMTP] Server=smtp.domain.com Port=25 DoSMTP=1 [Filter] Keep= Delete= -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : ----- End forwarded message ----- -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : : A signature starts with "-- ". : --------------------------------------------------------------------------------- Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST) From: Aeon Labs To: packetstorm@genocide2600.com Subject: ProMAIL users So far we have collected hundreds of email *addresses* from naggamanteh@usa.net (only the headers were retrieved, we don't want their passwords/personal data/etc). With these addresses, users of ProMail could be warned about the problem with their passwords. If you can find people who are willing to do the work, we'll send you a list of the addresses we have collected. ----------------------------------------------------------------------------- Aeon Labs http://cool.icestorm.net/aeon --------------------------------------------------------------------------------- http://www.europe.datafellows.com/v-descs/promail.htm Data Fellows' Virus Information Pages: Promail Computer Virus Information Pages F-Secure Anti-Virus NAME: Promail ALIAS: Trojan.PWS.Promail, PWS.Promail SIZE: 583168 An application called Promail 1.21 is a trojan. This version was distributed on several shareware sites in March 1999. When Promail 1.21 is run, it tries to steal the current user's passwords and other information. Promail is supposed to be a free program to maintain several e-mail accounts belonging to a single user. Promail is written in Delphi and packed with Petite executable file compressor. The copyright belongs to SmartWare Inc. (most likely fake), and the About box states that the program is based on an open source code by Michael Haller. Mr. Haller has nothing to do with the trojan. He has developed a free program Phoenix Mail program earlier and has made the full source code of it available. Now some malicious person has taken the source code, modified it to include the password stealing routine and is distributing it as Promail. The Promail creates its own accounts (entries) for each e-mail account a user maintains. When a user creates new accounts in Promail he is instructed to enter the following information: User's e-mail address Real name Organization Reply-to e-mail adderss Reply-ty real name Then the user is supposed to enter information about his POP3 and SMTP accounts: POP3 user name POP3 password POP3 server name POP3 port (default: 110). SMTP server name SMTP port (default: 25). Account information is written to ACCOUNT.INI file that is located in a folder that Promail creates for each e-mail account a user maintains. The POP3 password is stored in an encrypted form (with weak crypto). When a user tries to get e-mail from any of maintained accounts the Promail first e-mails the contents of ACCOUNT.INI files to a free web-based e-mail service provider NetAddress (account: naggamanteh@usa.net). So the person who owns this account (and is supposed to be the author of Promail password stealing trojan), gets all information about users' e-mail accounts on different mail servers. The Promail also creates an empty file PROMAIL.PML which servers as a flag for the trojan that not all ACCOUNT.INI files have been sent to the author of the trojan. If you are using or were using Promail it is HIGHLY recommended that you changed all your passwords because your accounts could be used by trojan author or other hackers for illegal purposes or for spying after you. All viruses listed in the Virus description pages can be detected and removed with Data Fellows Anti-virus and Data Security software. --------------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 11:48:43 +0100 From: Patrick Oonk To: BUGTRAQ@netspace.org Subject: ProMail trojan still available at some sites Hi, Today (one week after the first warnings) I was still able to download the ProMail trojan horse from the following sites: ftp://sunsite.anu.edu.au/pub/pc/simtelnet/win95/email/proml121.zip ftp://ftp.sogang.ac.kr/pub/simtelnet/win95/email/proml121.zip ftp://ftp.nus.sg/pub/simtelnet/win95/email/proml121.zip The site owners have been warned. Patrick -- : Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl : : Pine Internet B.V. Consultancy, installatie en beheer : : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ : : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- : : "unix is voor types zonder sociaal leven..." - Patrick van Eijk : : A signature starts with "-- ". :