Promail trojan

From: Patrick Oonk (patrickat_private)
Date: Fri Mar 19 1999 - 13:40:30 PST

    http://cool.icestorm.net/aeon/news.html
    
    News and security advisories from Aeon Labs.
    
    [03.99]
    
    ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a
    trojan. It has been spread through several worldwide distribution networks
    (SimTel.net, Shareware.com and others) as proml121.zip.
    
    Upon discovering - through LAN sniffing - that the program would attempt
    to connect to SMTP instead of POP3 when a regular mail check was
    performed, we reverse-engineered the software.
    
    The executable, which appears to have been created with Borland Delphi,
    has been packed with Petite (a shareware Win32-EXE compressor) and then
    "hexed" to make disassembly harder.
    
    ProMail v1.21 supports multiple mailboxes; every time a new mailbox is
    created, an "ini" file containing the user's full name, passwords, email
    addresses, servers and more is generated.
    
    Prior to doing any other action, the program performs a check for a
    valid network connection which, if found, allows for the sending of ALL
    of the personal user data, including the user's password in encrypted
    format, to an account on NetAddress - a free email provider.
    
    Apart from this "feature", the software is 100% functional and very
    well done.
    
    For further information or a more detailed analysis contact us.
    
    --
    : Patrick Oonk -    http://patrick.mypage.org/  - patrickat_private :
    : Pine Internet B.V.       Consultancy, installation and management :
    : Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
    : -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
    : "unix is for people without a social life..." - Patrick van Eijk :
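The advisory's detection story is a network one: a mail client that should only talk POP3 during a mail check was seen opening SMTP connections instead. The script below is an added example written for this archive page, not code from Aeon Labs or from the original post. It shows the two checks a defender can run over connection logs to catch that pattern: flag SMTP connections from a workstation to anything other than its configured relay, and measure how often a POP3 check is immediately followed by an SMTP connection. The host names, ports, log format and per-host mail configuration are all constructed for the demonstration.

```python
"""Spot mail clients that open SMTP connections during a mail check.

Added example, not part of the original advisory. Flow records, host names
and the per-host configuration are constructed sample data.
"""

from collections import defaultdict
from dataclasses import dataclass

POP3_PORT = 110
SMTP_PORT = 25

# Hypothetical per-host mail configuration: the only servers a mail client on
# that host should ever contact. Constructed for the example.
EXPECTED_SERVERS = {
    "pc-alice": {"pop3": "pop.example.test", "smtp": "smtp.example.test"},
    "pc-bob": {"pop3": "pop.example.test", "smtp": "smtp.example.test"},
}

# Constructed connection log: "<HH:MM:SS> <src_host> <dst_host> <dst_port>".
# pc-bob behaves like the trojan described above: every POP3 check is
# followed by an SMTP session to a host that is not the configured relay.
SAMPLE_FLOWS = """\
09:00:00 pc-alice pop.example.test 110
09:00:01 pc-alice smtp.example.test 25
09:05:00 pc-bob pop.example.test 110
09:05:02 pc-bob mail.free-provider.test 25
09:10:00 pc-bob pop.example.test 110
09:10:01 pc-bob mail.free-provider.test 25
"""


@dataclass(frozen=True)
class Flow:
    time: str
    src: str
    dst: str
    port: int


def parse_flows(text):
    """Parse the constructed log format into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        t, src, dst, port = line.split()
        flows.append(Flow(t, src, dst, int(port)))
    return flows


def find_unexpected_smtp(flows, expected=EXPECTED_SERVERS):
    """Map each host to the SMTP destinations that are not its configured relay.

    A host with no entry in `expected` is treated as having no permitted
    relay, so any SMTP connection from it is reported.
    """
    alerts = defaultdict(set)
    for f in flows:
        if f.port != SMTP_PORT:
            continue
        cfg = expected.get(f.src)
        if cfg is None or f.dst != cfg["smtp"]:
            alerts[f.src].add(f.dst)
    return {host: sorted(dsts) for host, dsts in alerts.items()}


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def smtp_after_pop3(flows, window=5):
    """For each host, count POP3 checks followed by SMTP within `window` seconds.

    Returns {host: (checks_followed_by_smtp, total_pop3_checks)}. A client
    that sends on every check, rather than only when the user writes mail,
    is the behaviour the advisory noticed on the wire.
    """
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)
    result = {}
    for host, host_flows in by_host.items():
        checks = [_seconds(f.time) for f in host_flows if f.port == POP3_PORT]
        smtp_times = [_seconds(f.time) for f in host_flows if f.port == SMTP_PORT]
        followed = sum(
            1 for t in checks if any(t <= s <= t + window for s in smtp_times)
        )
        if checks:
            result[host] = (followed, len(checks))
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Unexpected SMTP destinations:", find_unexpected_smtp(flows))
    print("POP3 checks followed by SMTP:", smtp_after_pop3(flows))
```

The relay allow-list is the strong signal: in the sample, only pc-bob talks SMTP to a host outside its configuration. The timing check is weaker on its own (pc-alice legitimately sends a message right after a check) but is the kind of baseline that makes a client that "sends" on every single check stand out across a day of logs.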
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:39:18 PDT