[ISN] Picture.exe really a Trojan horse

From: mea culpa (jerichoat_private)
Date: Thu Jan 07 1999 - 15:24:57 PST

  • Next message: mea culpa: "[ISN] Should the U.S. continue to plan enemy attacks via cyberspace?"

    Forwarded From: darek milewski <darekmat_private>
    Picture.exe really a Trojan horse
    By Bob Sullivan, MSNBC
    January 7, 1999 5:28 AM PT
    URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2183935,00.html
    Here's a computer virus story that's not an urban legend. 
    If you receive an attachment in e-mail called "picture.exe," don't open
    it. If you do, what happens next reads a bit like a spy novel -- this
    Trojan horse drops two more programs called note.exe and manager.exe which
    will search through your internet cache directory and, if you have one,
    the directory that holds your America Online username and password. It
    then encrypts that information, tries to establish an Internet connection,
    and sends it all to an e-mail address in China.
    Picture.exe first surfaced right before Christmas, when some Net users
    were spammed with e-mail with the subject line "batty." Several postings
    to Usenet virus groups followed; then Network Associates engineeers
    received several e-mail alerts to what appeared to be technically not a
    virus but a Trojan horse. (A Trojan horse does not replicate on its own,
    but a virus does.) 
    Network Associates has since updated its McAfee virus program to detect
    picture.exe (If you already have the software, an updated version can be
    downloaded from this site), but many questions remain about the prying
    "This is a more interesting Trojan than normal,"  said Vincent Gullotto,
    manager of the antivirus emergency response team for Network Associates.
    "It actually has the capability to take information and send it someplace.
    This one goes further than most and if it's successful can use the
    information against you." 
    A prying program Network Associates received an unusually large number of
    e-mails from victims of picture.exe, and there are already dozens of
    Usenet posts with security experts warning about the danger. 
    Here's how it works: 
    Once a recipient opens picture.exe, that file expands into two other
    executables -- note.exe and manager.exe -- and places them into the
    Windows subdirectory. The following line is also added to the win.ini
    file: "run=note.exe." That makes note.exe run the next time Windows is
    According to Network Associates, note.exe then gathers information,
    apparently looking through the temporary Internet cache directory in an
    attempt to determine what Web sites users have visited. It then encrypts
    that information into a DAT file. It also appear to look in the directory
    where AOL user information is stored. 
    Note.exe then builds a second DAT file. 
    "It's unclear right now what the second DAT file is for," Gulotto said. 
    Usenet poster David Crick, a British computer science student who received
    the e-mail Dec. 23 and started the Usenet discussions, said, "I thought
    when I started downloading a very large e-mail: 'Either someone's sent me
    an interesting piece of software, or it's a virus.' It turned out to be a
    combination of the two -- an interesting virus," he said. 
    Crick says the file employs a crude encryption technique, a 5-digit ASCII
    character shift -- where a=f, b=g, and so on. Other Usenet posters say the
    DAT file is full of e-mail addresses. 
    After note.exe does its thing, manager.exe runs, attempting to e-mail the
    encrypted file to a e-mail addresses with the domain of a Chinese ISP. The
    recipient, of course, could be anywhere. 
    "It appears to try to gain access to an ISP," Gulloto said. Several Usenet
    posts say that upon reboot, the Trojan horse opens up dial-up networking
    and tries to dial out of the infected PC. 
    There are many unanswered questions -- chief among them, why China? 
    Gulotto said last year his firm worked on a similar Trojan horse/virus
    with the same M/O. Called SemiSoft, it also gathers information and tries
    to send it to an e-mail address hosted in China.  Network Associates is
    continuing to study picture.exe. 
    America Online was not available for comment.
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:15 PDT