`Date: Fri, 19 Mar 1999 09:41:18 +0100
From: Aeon Labs <[email protected]>
To: [email protected]
Subject: security/privacy news
(Perhaps this might be of interest to Your readers.)
ProMail v1.21, an advanced freeware mail program spread through several
worldwide distribution networks (SimTel.net, Shareware.com and others),
is a trojan.
Upon discovering - through LAN sniffing - that the program would attempt
to connect to SMTP instead of POP3 when a regular mail check was performed,
we reverse-engineered the software.
ALL of the personal user data, including the user's password in encrypted
format, is sent to an account on NetAddress - a free email provider -
as soon as a valid internet connection is detected.
Apart from this "feature", the software is 100 % functional and very
well done.
Well, it seems that 1999 is the worst year for privacy...
More detailed information can be found on our web site at
http://cool.icestorm.net/aeon/news.html
---------------------------------------------------------------------
Aeon Labs
http://cool.icestorm.net/aeon
[http://cool.icestorm.net/aeon/news.html]
03.99]
ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan.
It has been spread through several worldwide distribution networks (SimTel.net,
Shareware.com and others) as proml121.zip.
Upon discovering - through LAN sniffing - that the program would attempt to
connect to SMTP instead of POP3 when a regular mail check was performed, we
reverse-engineered the software.
The executable, which appears to have been created with Borland Delphi, has been
packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make
disassembly harder.
ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created,
an "ini" file containing the users full name, passwords, email addresses,
servers and more is generated.
Prior to doing any other action, the program performs a check for a valid
network connection which, if found, allows for the sending of ALL of the
personal user data, including the user's password in encrypted format, to an
account on NetAddress - a free email provider.
Apart from this "feature", the software is 100 % functional and very well done.
For further information or a more detailed analysis contact us. <[email protected]>
---------------------------------------------------------------------------------
Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST)
From: [email protected]
To: [email protected]
Subject: Re: your mail
currently our members have disassembled and analyzed the whole executable.
the only thing it appears to do as a trojan is to send the accounts data
entered by the user: full name, organization, email address, user name,
password (encrypted), smtp and pop3 servers, etc.
and since promail supports multiple accounts, each newly created account
is sent.
the data for each account is contained in a text file which is used to
initialize promail at run-time. the same text file is used as body of
the email which is sent to the author (supposedly) of the program.
it appears that all emails are sent with same subject line: "kirio".
the program also creates the file promail.pml in its directory. it's a
zero length file used as permanent flag to "remember" to the trojan that
one or more accounts data could not be sent in the last session (for
example, when accounts are created off-line, or when not followed by a
mail check in the same session).
we also managed to crack the mailbox to which accounts data is sent.
about ~80 emails (== accounts) were found and another dozen was
received after only ten minutes or so.
accounts for microsoft, michigan us army, old bridge chemicals and a
videogames company - amongst the others - were found.
we have merely informed a _contact_ (not the ml) in ntbugtraq and
several "underground" news/security sites.
well you can contact the various *traq mailing lists if you want. we
don't care if people still trust anything that can be downloaded from
the net anyway. i guess we're not exactly "white hat" hackers :P
if you need any help or further analysis on a specific part of the program
please feel free to contact us.
------------------------------------------------------------------------
Aeon Labs <[email protected]>
http://cool.icestorm.net/aeon
---------------------------------------------------------------------------------
Date: Sun, 21 Mar 1999 09:40:26 +0100
From: Patrick Oonk <[email protected]>
To: [email protected]
Subject: [[email protected]: ProMail trojan proof]
----- Forwarded message from Patrick Oonk <[email protected]> -----
Hi,
I've tested the ProMail Trojan, it sends the info
to [email protected] using the smtp server you
supply when creating an account.
I'll Cc: [email protected] and [email protected]
ProMail can still be downloaded at many sites,
just check
http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141
These are the queue files at my smtp server after
I installed ProMail and created an account:
$ more /var/spool/mqueue/qfPAA17183
V2
T921939650
K921939657
N1
P30435
I6/0/88205
M<[email protected]>... reply: read error from office.pine.nl.
Fb
$rSMTP
$sfoo
$_foo.domain.com [10.0.0.1]
S<[email protected]>
RPFD:<[email protected]>
H?P?Return-Path: <[email protected]>
HReceived: from foo (foo.domain.com [10.0.0.1])
by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183
for <[email protected]>; Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?F?From: [email protected]
H?M?Message-Id: <[email protected]>
HTo: [email protected]
HSubject: kirio
$ more /var/spool/mqueue/dfPAA17183
Name=New Account
[From]
[email protected]
Name=Patrick Oonk
Organization=Pine Internet B.V.
[ReplyTo]
[email protected]
Name=Patrick Oonk
[POP3]
Server=pop.domain.com
Port=110
User=patrick
Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE
PromptPassword=0
DoPOP=1
StandardDownload=0
[SMTP]
Server=smtp.domain.com
Port=25
DoSMTP=1
[Filter]
Keep=
Delete=
--
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :
: Pine Internet B.V. Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :
----- End forwarded message -----
--
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :
: Pine Internet B.V. Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :
: A signature starts with "-- <enter>". :
---------------------------------------------------------------------------------
Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST)
From: Aeon Labs <[email protected]>
To: [email protected]
Subject: ProMAIL users
So far we have collected hundreds of email *addresses*
from [email protected] (only the headers were
retrieved, we don't want their passwords/personal data/etc).
With these addresses, users of ProMail could be warned
about the problem with their passwords.
If you can find people who are willing to do the work,
we'll send you a list of the addresses we have collected.
-----------------------------------------------------------------------------
Aeon Labs <[email protected]>
http://cool.icestorm.net/aeon
---------------------------------------------------------------------------------
http://www.europe.datafellows.com/v-descs/promail.htm
Data Fellows' Virus Information Pages: Promail
Computer Virus Information Pages
F-Secure Anti-Virus
NAME: Promail
ALIAS: Trojan.PWS.Promail, PWS.Promail
SIZE: 583168 An application called Promail 1.21 is a trojan. This version was distributed on several shareware sites
in March 1999.
When Promail 1.21 is run, it tries to steal the current user's passwords and other information.
Promail is supposed to be a free program to maintain several e-mail accounts belonging to a single user. Promail is
written in Delphi and packed with Petite executable file compressor.
The copyright belongs to SmartWare Inc. (most likely fake), and the About box states that the program is based on an
open source code by Michael Haller. Mr. Haller has nothing to do with the trojan. He has developed a free program
Phoenix Mail program earlier and has made the full source code of it available. Now some malicious person has taken
the source code, modified it to include the password stealing routine and is distributing it as Promail.
The Promail creates its own accounts (entries) for each e-mail account a user maintains. When a user creates new
accounts in Promail he is instructed to enter the following information:
User's e-mail address
Real name
Organization
Reply-to e-mail adderss
Reply-ty real name
Then the user is supposed to enter information about his POP3 and SMTP accounts:
POP3 user name
POP3 password
POP3 server name
POP3 port (default: 110).
SMTP server name
SMTP port (default: 25).
Account information is written to ACCOUNT.INI file that is located in a folder that Promail creates for each e-mail
account a user maintains. The POP3 password is stored in an encrypted form (with weak crypto).
When a user tries to get e-mail from any of maintained accounts the Promail first e-mails the contents of ACCOUNT.INI
files to a free web-based e-mail service provider NetAddress (account: [email protected]). So the person who owns
this account (and is supposed to be the author of Promail password stealing trojan), gets all information about
users' e-mail accounts on different mail servers.
The Promail also creates an empty file PROMAIL.PML which servers as a flag for the trojan that not all ACCOUNT.INI
files have been sent to the author of the trojan.
If you are using or were using Promail it is HIGHLY recommended that you changed all your passwords because your
accounts could be used by trojan author or other hackers for illegal purposes or for spying after you.
All viruses listed in the Virus description pages can be detected and removed with Data Fellows Anti-virus and Data
Security software.
---------------------------------------------------------------------------------
Date: Fri, 26 Mar 1999 11:48:43 +0100
From: Patrick Oonk <[email protected]>
To: [email protected]
Subject: ProMail trojan still available at some sites
Hi,
Today (one week after the first warnings) I was still able to
download the ProMail trojan horse from the following sites:
ftp://sunsite.anu.edu.au/pub/pc/simtelnet/win95/email/proml121.zip
ftp://ftp.sogang.ac.kr/pub/simtelnet/win95/email/proml121.zip
ftp://ftp.nus.sg/pub/simtelnet/win95/email/proml121.zip
The site owners have been warned.
Patrick
--
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :
: Pine Internet B.V. Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :
: A signature starts with "-- <enter>". :
`