promail.1.21.trojan.txt
packetstormsecurity.com - PACKETSTORM:12164 - Aeon Labs - Aug 17, 1999
Date: Fri, 19 Mar 1999 09:41:18 +0100  
From: Aeon Labs <[email protected]>  
To: [email protected]  
Subject: security/privacy news  
  
(Perhaps this might be of interest to Your readers.)  
  
ProMail v1.21, an advanced freeware mail program spread through several  
worldwide distribution networks (SimTel.net, Shareware.com and others),  
is a trojan.  
Upon discovering - through LAN sniffing - that the program would attempt  
to connect to SMTP instead of POP3 when a regular mail check was performed,   
we reverse-engineered the software.  
ALL of the personal user data, including the user's password in encrypted  
format, is sent to an account on NetAddress - a free email provider -  
as soon as a valid internet connection is detected.  
Apart from this "feature", the software is 100 % functional and very  
well done.  
Well, it seems that 1999 is the worst year for privacy...  
  
More detailed information can be found on our web site at  
http://cool.icestorm.net/aeon/news.html  
  
  
---------------------------------------------------------------------  
Aeon Labs  
http://cool.icestorm.net/aeon  
  
[http://cool.icestorm.net/aeon/news.html]  
  
03.99]  
  
ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan.  
It has been spread through several worldwide distribution networks (SimTel.net,   
Shareware.com and others) as proml121.zip.  
  
Upon discovering - through LAN sniffing - that the program would attempt to   
connect to SMTP instead of POP3 when a regular mail check was performed, we   
reverse-engineered the software.  
  
The executable, which appears to have been created with Borland Delphi, has been   
packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make   
disassembly harder.  
  
ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created,   
an "ini" file containing the user's full name, passwords, email addresses,  
servers and more is generated.  
  
Prior to doing any other action, the program performs a check for a valid   
network connection which, if found, allows for the sending of ALL of the  
personal user data, including the user's password in encrypted format, to an   
account on NetAddress - a free email provider.  
  
Apart from this "feature", the software is 100 % functional and very well done.  
  
For further information or a more detailed analysis contact us. <[email protected]>  
  
---------------------------------------------------------------------------------  
  
Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST)  
From: [email protected]  
To: [email protected]  
Subject: Re: your mail  
  
currently our members have disassembled and analyzed the whole executable.  
the only thing it appears to do as a trojan is to send the accounts data  
entered by the user: full name, organization, email address, user name,  
password (encrypted), smtp and pop3 servers, etc.  
and since promail supports multiple accounts, each newly created account  
is sent.  
the data for each account is contained in a text file which is used to  
initialize promail at run-time. the same text file is used as the body of  
the email which is sent to the author (supposedly) of the program.  
it appears that all emails are sent with the same subject line: "kirio".  
  
the program also creates the file promail.pml in its directory. it's a  
zero length file used as a permanent flag to "remind" the trojan that  
one or more accounts' data could not be sent in the last session (for  
example, when accounts are created off-line, or when not followed by a  
mail check in the same session).  
  
we also managed to crack the mailbox to which accounts data is sent.  
about ~80 emails (== accounts) were found and another dozen were  
received after only ten minutes or so.  
accounts for microsoft, michigan us army, old bridge chemicals and a  
videogames company - amongst others - were found.  
  
we have merely informed a _contact_ (not the ml) in ntbugtraq and  
several "underground" news/security sites.  
well you can contact the various *traq mailing lists if you want. we  
don't care if people still trust anything that can be downloaded from  
the net anyway. i guess we're not exactly "white hat" hackers :P  
  
if you need any help or further analysis on a specific part of the program  
please feel free to contact us.  
  
  
------------------------------------------------------------------------  
Aeon Labs <[email protected]>  
http://cool.icestorm.net/aeon  
  
---------------------------------------------------------------------------------  
  
Date: Sun, 21 Mar 1999 09:40:26 +0100  
From: Patrick Oonk <[email protected]>  
To: [email protected]  
Subject: [[email protected]: ProMail trojan proof]  
  
----- Forwarded message from Patrick Oonk <[email protected]> -----  
  
Hi,  
  
I've tested the ProMail trojan; it sends the info  
to [email protected] using the smtp server you   
supply when creating an account.  
  
I'll Cc: [email protected] and [email protected]  
  
ProMail can still be downloaded at many sites,  
just check  
http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141  
  
These are the queue files at my smtp server after  
I installed ProMail and created an account:  
  
$ more /var/spool/mqueue/qfPAA17183  
V2  
T921939650  
K921939657  
N1  
P30435  
I6/0/88205  
M<[email protected]>... reply: read error from office.pine.nl.  
Fb  
$rSMTP  
$sfoo  
$_foo.domain.com [10.0.0.1]  
S<[email protected]>  
RPFD:<[email protected]>  
H?P?Return-Path: <[email protected]>  
HReceived: from foo (foo.domain.com [10.0.0.1])  
    by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183  
    for <[email protected]>; Sat, 20 Mar 1999 15:20:50 +0100 (MET)  
H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET)  
H?F?From: [email protected]  
H?M?Message-Id: <[email protected]>  
HTo: [email protected]  
HSubject: kirio  
  
$ more /var/spool/mqueue/dfPAA17183  
Name=New Account  
  
[From]  
[email protected]  
Name=Patrick Oonk  
Organization=Pine Internet B.V.  
  
[ReplyTo]  
[email protected]  
Name=Patrick Oonk  
  
[POP3]  
Server=pop.domain.com  
Port=110  
User=patrick  
Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE  
PromptPassword=0  
DoPOP=1  
StandardDownload=0  
  
[SMTP]  
Server=smtp.domain.com  
Port=25  
DoSMTP=1  
  
[Filter]  
Keep=  
Delete=  
--   
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :  
: Pine Internet B.V. Consultancy, installatie en beheer :  
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :  
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :  
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :  
  
  
----- End forwarded message -----  
  
--   
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :  
: Pine Internet B.V. Consultancy, installatie en beheer :  
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :  
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :  
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :  
: A signature starts with "-- <enter>". :  
  
---------------------------------------------------------------------------------  
  
Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST)  
From: Aeon Labs <[email protected]>  
To: [email protected]  
Subject: ProMAIL users  
  
So far we have collected hundreds of email *addresses*  
from [email protected] (only the headers were  
retrieved, we don't want their passwords/personal data/etc).  
With these addresses, users of ProMail could be warned  
about the problem with their passwords.  
If you can find people who are willing to do the work,  
we'll send you a list of the addresses we have collected.  
  
-----------------------------------------------------------------------------  
Aeon Labs <[email protected]>  
http://cool.icestorm.net/aeon  
  
---------------------------------------------------------------------------------  
  
http://www.europe.datafellows.com/v-descs/promail.htm  
  
Data Fellows' Virus Information Pages: Promail  
  
Computer Virus Information Pages  
  
F-Secure Anti-Virus   
NAME: Promail  
ALIAS: Trojan.PWS.Promail, PWS.Promail  
SIZE: 583168  
  
An application called Promail 1.21 is a trojan. This version was distributed on several shareware sites  
in March 1999.  
  
When Promail 1.21 is run, it tries to steal the current user's passwords and other information.  
  
Promail is supposed to be a free program to maintain several e-mail accounts belonging to a single user. Promail is  
written in Delphi and packed with the Petite executable file compressor.  
  
The copyright belongs to SmartWare Inc. (most likely fake), and the About box states that the program is based on  
open source code by Michael Haller. Mr. Haller has nothing to do with the trojan. He earlier developed a free program,  
Phoenix Mail, and made its full source code available. Now some malicious person has taken the source code, modified  
it to include the password stealing routine and is distributing it as Promail.  
  
Promail creates its own accounts (entries) for each e-mail account a user maintains. When a user creates new  
accounts in Promail, he is instructed to enter the following information:  
  
User's e-mail address  
Real name  
Organization  
Reply-to e-mail address  
Reply-to real name  
  
Then the user is supposed to enter information about his POP3 and SMTP accounts:  
  
POP3 user name  
POP3 password  
POP3 server name  
POP3 port (default: 110).  
SMTP server name  
SMTP port (default: 25).  
  
Account information is written to an ACCOUNT.INI file that is located in a folder that Promail creates for each e-mail  
account a user maintains. The POP3 password is stored in an encrypted form (with weak crypto).  
  
When a user tries to get e-mail from any of the maintained accounts, Promail first e-mails the contents of the ACCOUNT.INI  
files to a free web-based e-mail service provider, NetAddress (account: [email protected]). So the person who owns  
this account (and is supposed to be the author of the Promail password stealing trojan) gets all information about  
users' e-mail accounts on different mail servers.  
  
Promail also creates an empty file PROMAIL.PML which serves as a flag for the trojan that not all ACCOUNT.INI   
files have been sent to the author of the trojan.  
  
If you are using or were using Promail it is HIGHLY recommended that you change all your passwords because your  
accounts could be used by the trojan author or other hackers for illegal purposes or for spying on you.  
  
All viruses listed in the Virus description pages can be detected and removed with Data Fellows Anti-virus and Data  
Security software.  
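The forwarded sendmail queue file earlier in the thread shows what the exfiltration message looks like on the wire (subject "kirio", the account INI as the message body), and the Data Fellows description above names the on-disk artefacts (ACCOUNT.INI per account, an empty PROMAIL.PML as the "not everything sent yet" flag). The Python below turns both into defender-side checks: a classifier for captured outbound messages, a parser that identifies the exposed account while redacting the password value, and a file-system walk for the two artefacts. It is an added example written for this page, not code from the advisory, Aeon Labs, Patrick Oonk or Data Fellows; the sample message and every value in it are constructed, the destination mailbox (redacted on the page) is replaced by a placeholder, and all function names are the example's own.

```python
"""Defender-side checks for the ProMail 1.21 credential theft described in this thread.

Added example, not code from the advisory, Aeon Labs or Data Fellows. It uses only what
the thread reports: the outbound message carries the subject "kirio", its body is the
account INI ([From]/[POP3]/[SMTP] sections with a Password= key), and a zero-length
PROMAIL.PML is left beside each ACCOUNT.INI. The real recipient is redacted on the page.
"""
import os
from email import message_from_string

EXFIL_SUBJECT = "kirio"                          # subject line reported in the thread
INI_SECTIONS = {"From", "POP3", "SMTP"}          # sections every ProMail account INI carries
ARTIFACT_NAMES = {"promail.pml", "account.ini"}  # on-disk artefacts named by Data Fellows


def parse_promail_ini(text, redact=True):
    """Parse a ProMail account INI into {section: {key: value}}.

    Pre-section lines go under ""; lines without "=" (the [From] address line) go in
    a "_bare" list; with redact=True the Password value is replaced before return.
    """
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if redact and key.lower() == "password" and value:
                value = "<redacted>"
            sections[current][key] = value
        else:
            sections[current].setdefault("_bare", []).append(line)
    return sections


def flag_exfil_message(raw_message):
    """Return the indicators one captured outbound message matches ([] means clean)."""
    msg = message_from_string(raw_message)
    ini = parse_promail_ini(msg.get_payload() or "")
    reasons = []
    if (msg.get("Subject") or "").strip().lower() == EXFIL_SUBJECT:
        reasons.append("subject is the reported marker 'kirio'")
    if INI_SECTIONS <= set(ini):
        reasons.append("body has the ProMail account INI layout")
    if ini.get("POP3", {}).get("Password"):
        reasons.append("body carries a POP3 password value")
    return reasons


def account_from_message(raw_message):
    """Identify the exposed account (address, POP3 server/user) so its owner can be told."""
    ini = parse_promail_ini(message_from_string(raw_message).get_payload() or "")
    frm, pop3 = ini.get("From", {}), ini.get("POP3", {})
    return {
        "address": (frm.get("_bare") or [""])[0],
        "pop3_server": pop3.get("Server", ""),
        "pop3_user": pop3.get("User", ""),
        "password_exposed": bool(pop3.get("Password")),
    }


def is_promail_artifact(filename):
    """True for PROMAIL.PML or ACCOUNT.INI, matched case-insensitively."""
    return filename.lower() in ARTIFACT_NAMES


def find_promail_artifacts(root):
    """Walk a program or profile tree and list the paths of ProMail's on-disk artefacts."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if is_promail_artifact(f)]


# Constructed sample modelled on the queue file in the thread; every value is made up.
SAMPLE_QUEUE_MESSAGE = """\
From: victim@example.org
To: REDACTED-RECIPIENT@netaddress.example
Subject: kirio

Name=New Account

[From]
victim@example.org
Name=A. Victim

[POP3]
Server=pop.example.org
User=victim
Password=CONSTRUCTEDOPAQUEVALUE

[SMTP]
Server=smtp.example.org
"""
BENIGN_MESSAGE = "From: a@example.org\nTo: b@example.org\nSubject: lunch\n\nNoon?\n"
```

The INI-layout and Password checks are independent of the subject line, so a repacked build with a different marker subject is still flagged by the body. The parser redacts the password value by default because, as the description notes, it is only weakly protected and should not be copied into tickets or the notification mail sent to affected users; `find_promail_artifacts()` is the host-side counterpart for triaging machines that ran proml121.zip.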
  
---------------------------------------------------------------------------------  
  
Date: Fri, 26 Mar 1999 11:48:43 +0100  
From: Patrick Oonk <[email protected]>  
To: [email protected]  
Subject: ProMail trojan still available at some sites  
  
Hi,  
  
Today (one week after the first warnings) I was still able to  
download the ProMail trojan horse from the following sites:  
  
ftp://sunsite.anu.edu.au/pub/pc/simtelnet/win95/email/proml121.zip  
ftp://ftp.sogang.ac.kr/pub/simtelnet/win95/email/proml121.zip  
ftp://ftp.nus.sg/pub/simtelnet/win95/email/proml121.zip  
  
The site owners have been warned.  
  
Patrick  
--  
: Patrick Oonk - http://patrick.mypage.org/ - [email protected] :  
: Pine Internet B.V. Consultancy, installatie en beheer :  
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :  
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :  
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :  
: A signature starts with "-- <enter>". :  
  