-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
SingCERT Advisory SA-99.01.urlsnoop_trojan_horse

Original issue date: 27 January, 1999

Topic: URLSnoop Trojan Horse
---------------------------------------------------------------------------

Network Associates recently announced the discovery of a new Trojan horse
publicly called "picture.exe". The "picture.exe" Trojan is an executable
Windows program that is distributed as an e-mail attachment. Upon
execution, it plants a program on the user's system that tries to steal
personal information.

SingCERT strongly recommends against executing e-mail attachments of
unknown or unreliable origin. The nature of a Trojan horse is such that it
is only dangerous when executed.

If you suspect the "picture.exe" Trojan to be present on your system,
please refer to section 3 below.

---------------------------------------------------------------------------

1. Description

   Shortly before Christmas last year, "picture.exe" surfaced when some
   Internet users received spam e-mail with the subject line "batty".
   Several postings to Usenet virus groups followed. Network Associates
   engineers then received e-mail alerts from victims of this Trojan horse
   program.

   Upon execution, "picture.exe" expands into two other executables
   ("note.exe" and "manager.exe") and places them into the Windows
   directory. The Trojan also adds a line to the "win.ini" file that
   automatically runs "note.exe" at system startup.

   At subsequent system startups, the Trojan searches the computer for
   ".txt" or ".html" files and collects a list of URLs from the temporary
   Internet cache directory. If AOL client software is installed, AOL
   username and password information is also extracted. Finally, the
   Trojan will attempt to send all this information, stored and encrypted
   in two files ("$2321.dat" and "$4135.dat"), to an e-mail address in
   China.

2. Security Implications

   The "picture.exe" Trojan horse is interesting and unusual because it is
   capable of sending information out from a computer. AOL users will be
   especially concerned because the Trojan appears to extract AOL usernames
   and passwords. Other Internet users should also find it disturbing that
   private information from their computers is being gathered.

3. Solution

   The nature of a Trojan horse program makes it harmless unless executed.
   Therefore, the best way to prevent a Trojan horse from doing damage is
   not to run it in the first place. This general rule of thumb should be
   observed when executable e-mail attachments are received from an
   unknown or unreliable source.

   If the "picture.exe" Trojan horse is already present on your system and
   has been executed, SingCERT recommends deletion of the Trojan program to
   remove it. Search for "note.exe" and "manager.exe" in the Windows
   directory and delete them. Edit "win.ini" with a text editor, and
   remove "note.exe" from the "run=" line. You may also wish to search for
   the two encrypted data files ("$2321.dat" and "$4135.dat") and delete
   them as well.

   Additionally, it is important to refrain from executing the
   "picture.exe" attachment again. While a Trojan horse program does not
   spread on its own like a virus does, it will continue to work if
   executed again. SingCERT suggests that you delete the offending e-mail.

   Network Associates has updated its McAfee anti-virus program to detect
   the "picture.exe" Trojan horse. McAfee refers to the Trojan program by
   its official name, "URLSnoop". You can visit their Web site to download
   an updated DAT file for your virus scanner.

4. References

   [1] Network Associates, PICTURE.EXE Technical Information
       http://www.nai.com/products/antivirus/picture_exe.asp

   [2] NEWSBYTES News Network, New Trojan Horse Warning Issued
       http://www.nbnn.com/pubNews/124066.html

   [3] ITrain, Malicious Program Steals Passwords & URLs
       http://www.itinfo.org/itinfo/1999/it990107a.html

   [4] ZDNet, Picture.exe really a Trojan horse
       http://www.zdnet.com/zdnn/stories/news/0,4586,2183935,00.html

   [5] MSNBC, Picture.exe really a Trojan horse
       http://www.msnbc.com/news/229572.asp

---------------------------------------------------------------------------

SingCERT Contact Information
----------------------------

Email:   cert@singcert.org.sg
Phone:   +65 874-6666 (office hours hotline)
         SingCERT personnel answer 0830 to 1700 SGT (GMT+8)
Fax:     +65 872-6198

Postal address:
         SingCERT
         3rd Floor Computer Centre
         National University of Singapore
         10 Kent Ridge Crescent
         Singapore 119260

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   We support PGP. Contact SingCERT for more information.

   Location of SingCERT PGP key:
   http://www.singcert.org.sg/asc/singcert.asc

Getting security information

   SingCERT publications and other security information are available
   from:
   http://www.singcert.org.sg/
   ftp://ftp.singcert.org.sg/pub/

   To be added to our mailing list for advisories and bulletins, send an
   empty email message to:
   singcert-advisory-subscribe@singcert.org.sg

----------------------------------------------------------------------------
Copyright 1999 SingCERT.
----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNq5/NXr03uiLwmvpAQFIaAP8CUImJHNiY5kWLQNmQBSta1zJztuej8zn
/qyAT3q7B6tq1ujNZzdefi7T2CLzgBL2k+AxqHlndVRI5uE7r4+7BAtkVgzNAi8f
GMyMCXbSAMMmeWx3H34aNzyXnH31bPmBra+Wv5JjfSo9AEBfd4H3/TeN4sTBuJj5
iefogb3K0d0=
=OvcG
-----END PGP SIGNATURE-----
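The removal steps in section 3 (check the Windows directory for "note.exe", "manager.exe", "$2321.dat" and "$4135.dat", and take "note.exe" off the "run=" line of "win.ini") are manual in the advisory. The following Python script is an added, read-only example that is not part of the SingCERT advisory or any Network Associates tool: it parses a win.ini text for the [windows] run= entry, reports whether note.exe is listed, produces the cleaned run= line the advisory asks the user to write by hand, and lists which of the named dropped files exist in a directory. The file names come from the advisory; the Windows directory path (taken from the WINDIR environment variable, defaulting to C:\WINDOWS), the sample win.ini contents, and the assumption that run= entries are separated by spaces or commas are mine. It deletes nothing, so an operator can review the findings before acting.

```python
"""Read-only check for the URLSnoop indicators named in SingCERT SA-99.01.
Added example, not code from the advisory. Reports findings; deletes nothing."""

import os

# File names as listed in the advisory.
DROPPED_EXECUTABLES = ("note.exe", "manager.exe")
DATA_FILES = ("$2321.dat", "$4135.dat")
STARTUP_INDICATOR = "note.exe"


def parse_run_line(win_ini_text):
    """Return the value of the run= key in the [windows] section, or '' if absent.
    win.ini is a plain INI file: [section] headers followed by key=value lines."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return ""


def split_run_entries(run_value):
    # Assumption: run= entries are separated by spaces or commas.
    return [tok for tok in run_value.replace(",", " ").split() if tok]


def _basename_lower(entry):
    # Normalise Windows path separators so basename works on any host OS.
    return os.path.basename(entry.replace("\\", "/")).lower()


def startup_entry_present(win_ini_text, indicator=STARTUP_INDICATOR):
    """True if any run= entry's file name matches the indicator (case-insensitive)."""
    return any(_basename_lower(e) == indicator.lower()
               for e in split_run_entries(parse_run_line(win_ini_text)))


def cleaned_run_line(run_value, indicator=STARTUP_INDICATOR):
    """The run= value with the indicator removed and every other entry kept."""
    kept = [e for e in split_run_entries(run_value)
            if _basename_lower(e) != indicator.lower()]
    return " ".join(kept)


def cleaned_win_ini(win_ini_text, indicator=STARTUP_INDICATOR):
    """Rewrite only the [windows] run= line; all other lines are returned unchanged."""
    out = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                out.append("run=" + cleaned_run_line(value, indicator))
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


def find_dropped_files(windows_dir):
    """Names from the advisory's list that exist as files in windows_dir."""
    names = DROPPED_EXECUTABLES + DATA_FILES
    return sorted(n for n in names if os.path.isfile(os.path.join(windows_dir, n)))


# Constructed sample win.ini resembling an affected system; not captured from a real host.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\NOTE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print("run= line:", parse_run_line(SAMPLE_WIN_INI))
    print("note.exe on run= line:", startup_entry_present(SAMPLE_WIN_INI))
    print("cleaned win.ini:\n" + cleaned_win_ini(SAMPLE_WIN_INI))
    # Assumption: the Windows directory is given by WINDIR, else C:\WINDOWS.
    win_dir = os.environ.get("WINDIR", "C:\\WINDOWS")
    print("dropped files present in", win_dir, ":", find_dropped_files(win_dir))
```

On a real system you would read win.ini from the Windows directory instead of the constructed sample, compare the output of cleaned_win_ini against the original, and only then overwrite the file and remove the listed executables and data files, as the advisory instructs. Matching on the file name rather than the full path matters because the run= entry may carry the path in any case or form.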