Energy users victimized by electronic Trojan horse
- By Heather Harreld
- Apr 27, 1997
Federal users in the western United States are among the victims of a Trojan horse program that, when activated, deletes all files on a hard drive.
The Energy Department's Computer Incident Advisory Capability (CIAC) team obtained a copy of the Trojan program, called AOL4FREE.COM, and is warning users not to run any program with this name. CIAC warns that users should neither download any program nor open any e-mail attachment with this name.
When this program is executed, all files and directories on the "C" drive of Windows-based PCs will be deleted, according to CIAC member William Orvis. Unlike a virus, a Trojan program cannot spread itself to other machines, and it will not be detected by most anti-virus programs.
Although computer emergency response teams such as CIAC routinely do not reveal how many federal users may have been affected by security vulnerabilities, Orvis said federal users have fallen victim to the Trojan program. Orvis said there were at least 150 separate e-mail addresses on the first known copy of the program, which was isolated at a California business. At least 1,500 people have probably received or will receive this program, he said. To date, the Trojan horse program has hit only users in the western part of the country.
"Since we put out the alert, we've had several different groups that had a lot of files disappear," Orvis said. "We've been hearing from people within the Department of Energy that have been bit by this thing. It doesn't seem to be picking any specific group."
This particular security threat may catch more users unaware because of the allure of its name, which promises on-line access for no charge, and because "chain letter-like" e-mail messages with the same name, which describe a hoax virus, have been circulating throughout the country, Orvis said. The AOL4FREE virus warning message alerts users to a supposedly virus-infected e-mail message with the same name that infects and destroys a system if the message is read. This warning is a hoax, but it urges users to send the e-mail to as many people as possible to alert them to the presence of the virus.
The original AOL4FREE Macintosh program was developed to fraudulently create free America Online accounts. The program's creator has pleaded guilty to defrauding America Online. Orvis warns users not to launch any program with this name.
"If it is the one that hacks the AOL system, it's illegal," he said. "If it's the one that destroys your system, you don't want it, unless you want to really clean up a machine, because this gets everything."
Unlike viruses, which can circulate for years infecting computers, Trojan horse programs usually have a much shorter life span. Orvis said the program most likely will be dead in several months if people are receiving it as part of a mailing list. However, if someone is actively sending out the program, it could live much longer, he said.
If the program is launched, users can immediately hit "Ctrl + C" before the Trojan horse finishes deleting all files, according to the security alert. The files are deleted with the DOS "DELTREE" command, so the contents of the files still remain on the hard drive; only the directory entries are deleted. Machines equipped with programs that allow recovery of deleted files will allow the recovery of some or all of the files.
Jonathan Wheat, senior anti-virus laboratory analyst at the National Computer Security Association, said that Trojan horse programs typically are written by people who want to do harm. Wheat said this program is particularly dangerous because of the common belief among users that AOL4FREE is a hoax virus.
"The creator is probably banking on the fact that everyone is thinking it's a hoax," Wheat said. "It's going to start a new trend. We saw four or five [virus] hoaxes go by. Now I can foresee any hoax coming out, and a week later someone is going to write a Trojan program."