Trojan Horses

AOL Gold or "install.exe"
PKZ300B.ZIP & PKZ300B.EXE

The following was written in response to a Wall Street Journal article published November 15, 1995, titled "America On Line To Warn Users About Bad E-Mail". According to the Wall Street Journal, America On-line Inc. plans to warn subscribers of "a damaging piece of electronic mail that could corrupt their computers' hard drives." As with many well-intentioned press reports on computer security issues, this one has erred on the side of simplification, possibly causing serious confusion in the process.

Experts at the National Computer Security Association think it is important to stress that the electronic message itself is NOT destructive. The destructive component is a program file attached to the e-mail, which, if executed, damages files on the user's hard disk. Any organization that enforces a sound policy concerning downloaded and unsolicited program files should be well protected. A sample policy would be: "All downloaded and unsolicited program files must be checked for viruses and executed only on a non-networked, non-production, properly backed-up system, that is, a machine which is essentially expendable."

Unfortunately, a lot of people may jump to the erroneous conclusion that the electronic mail itself is destructive simply because of the long-running "Good Times" hoax. This has been dogging AOL and other on-line services for almost a year now in the form of warning messages, often circulated by people acting under the mistaken apprehension that they are genuine. The Good Times warning said computers could be damaged if users so much as read a piece of electronic mail with "Good Times" in the title or subject field. Both AOL and NCSA, as well as several government agencies, repeatedly issued statements that the alleged threat was a hoax.

This remains true, but clearly some people are determined to use electronic mail to spread destructive or malicious code. We must repeat that just reading e-mail won't harm the receiver's computer. However, there is one type of document which, if read on-line, could cause damage: a "smart document" created with a powerful macro-enabled word processor such as Microsoft Word, whose macros can be set to run automatically as soon as the document is opened. If you are browsing such documents on the World Wide Web, or downloading them from the Internet, make sure that auto-execution of document macros is disabled in your word processing software. Alternatively, read "foreign" documents with a viewer program, which displays the document without running its macros, such as Wordview, which is available free from Microsoft.

For more information visit the Alert page on NCSA's web site, http://www.ncsa.com or NCSA Virus Forum on CompuServe GO:NCSA

The bottom line in the current AOL warning is that executing a program file that someone sends you as an e-mail attachment has always been a risky business. Colleagues who need to exchange program files in this way are well advised to at least compress the files with a password before transmitting. Note that the password only shows the recipient that the file was sent deliberately and stops it from being opened or run by accident; it does not prove the file is clean, so it should still be virus-checked before it is run. In this particular incident, the attached destructive file, which is more correctly referred to as a Trojan Horse, is known as AOL Gold or just "install.exe", but it could be called anything.

For example, a few months ago a fake version of PKZIP.EXE was circulated claiming to be an upgrade to the popular compression software. It was in fact a Trojan Horse which, when executed, attempted to run the DOS DELTREE and FORMAT commands, which delete whole directory trees and erase a disk.

PKZ300B.ZIP and PKZ300B.EXE are Trojan Horse programs which will IMMEDIATELY DELETE EVERYTHING ON YOUR HARD DISK. DO NOT USE THEM. IF YOU SEE PKZ300B, DELETE IT and DO NOT execute it. They are designed to look like new versions of PKWARE's "PKZIP" software. THERE IS NO NEW VERSION of PKZIP. Version 2.04g (written 204G in file names) is the most recent release. Any version number higher than that is bogus.
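The checks the alert asks for, written out as a small triage script. This is an added example, not code from the NCSA alert, PKWARE or Microsoft: it flags the file names the alert identifies, compares the version a PKZ-style name claims against the last genuine release (2.04g), scans a file's bytes for the DELTREE and FORMAT commands the PKZIP Trojan was reported to run, and, for the "smart document" case above, scans for the WordBasic auto-executing macro names (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit). The regular expressions and the sample inputs are this example's own assumptions; the samples are constructed, not the real Trojan or a real document.

```python
"""Triage an incoming program file or document before anyone runs it:
name check, claimed-version check, and a raw-byte scan for destructive
DOS commands and auto-executing Word macro names.

Added example, not NCSA's or PKWARE's code; the patterns and the sample
inputs below are assumptions made for illustration."""

import re

# File names the alert identifies as Trojan Horses (matched case-insensitively).
KNOWN_TROJAN_NAMES = {"pkz300b.zip", "pkz300b.exe", "install.exe"}

# Last genuine PKZIP release named by the alert: 2.04g.
LATEST_GENUINE_PKZIP = (2, 4)

# PKZ300B-style names: PKZ + major digit + two minor digits + optional letter.
_PKZ_NAME = re.compile(r"^pkz(\d)(\d\d)[a-z]?\.(zip|exe)$", re.IGNORECASE)

# DOS commands that wipe data, matched as whole words so ordinary text such
# as "formatted" is not flagged.
_DESTRUCTIVE_CMDS = re.compile(rb"\b(DELTREE|FORMAT)\b", re.IGNORECASE)

# The five WordBasic macros Word runs automatically (on start, new document,
# open, close, exit); their presence is what "auto-execution" refers to.
_AUTO_MACROS = re.compile(rb"\b(AutoExec|AutoNew|AutoOpen|AutoClose|AutoExit)\b")


def claimed_pkzip_version(filename):
    """Return (major, minor) claimed by a PKZ###x.ZIP/EXE name, else None."""
    m = _PKZ_NAME.match(filename)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def destructive_commands(data):
    """Distinct destructive DOS command names found in the raw bytes."""
    return sorted({m.group(1).upper().decode() for m in _DESTRUCTIVE_CMDS.finditer(data)})


def auto_macros(data):
    """Distinct auto-executing WordBasic macro names found in the raw bytes."""
    return sorted({m.group(1).decode() for m in _AUTO_MACROS.finditer(data)})


def triage(filename, data):
    """Return the reasons to quarantine the file; an empty list means no finding."""
    reasons = []
    if filename.lower() in KNOWN_TROJAN_NAMES:
        reasons.append(f"name matches a known Trojan Horse: {filename}")
    ver = claimed_pkzip_version(filename)
    if ver is not None and ver > LATEST_GENUINE_PKZIP:
        reasons.append(f"claims PKZIP {ver[0]}.{ver[1]:02d}, newer than the last genuine release 2.04g")
    cmds = destructive_commands(data)
    if cmds:
        reasons.append("contains destructive DOS commands: " + ", ".join(cmds))
    macros = auto_macros(data)
    if macros:
        reasons.append("contains auto-executing Word macro names: " + ", ".join(macros))
    return reasons


# Constructed sample inputs (not the real Trojan or a real document): a fake
# DOS executable header followed by the commands the alert describes, an
# OLE-style file carrying an AutoOpen macro name, and a harmless text file.
SAMPLE_PKZ300B = b"MZ\x90\x00" + b"\x00" * 12 + b"DELTREE C:\\\x00FORMAT C:\x00"
SAMPLE_SMART_DOC = b"\xd0\xcf\x11\xe0" + b"Sub MAIN\x00AutoOpen\x00End Sub\x00"
SAMPLE_README = b"PKZIP 2.04g - see the manual for how archives are formatted.\r\n"

if __name__ == "__main__":
    for name, data in [("PKZ300B.EXE", SAMPLE_PKZ300B),
                       ("report.doc", SAMPLE_SMART_DOC),
                       ("PKZ204G.EXE", SAMPLE_README)]:
        verdict = triage(name, data)
        print(name, "->", "QUARANTINE" if verdict else "no finding")
        for reason in verdict:
            print("   ", reason)
```

A plain string scan like this is a triage aid for the expendable-machine policy described above, not a replacement for anti-virus software: a Trojan that builds the command names at run time, or that is compressed or encrypted, will not show them in its bytes, and a clean file that merely documents DELTREE will be flagged. The name and version checks catch only the cases the alert names; anything that passes all four checks still goes through the virus check and the non-production machine.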

The article in the Wall Street Journal concluded by saying "Security experts fear that such Trojan Horses will proliferate as programs become easier to attach to electronic mail and the use of networks grows." NCSA would concur with this assessment but feels it is important to stress the following points:

  1. Users still can't get a virus from reading plain-text e-mail.
  2. But on-line services and Internet connectivity make it easy for even the most novice user to send and receive mail with attachments, and attachments can contain all types of "nasty stuff". Unknown sources are not to be trusted. The bottom line is USER BEWARE of strangers bearing executable gifts.
  3. As always, protect your system by doing the following:
    Back up your system daily
    Use anti-virus software regularly
    Keep your anti-virus software updated
    Virus-check everything coming into your system, even from trusted sources!

Posted by: Vince Schiavone, Sysop News/Case Studies, NCSA Forum GO:NCSA
special thanks to Stephen Cobb, NCSA Florida office

For more information on viruses and other computer security Issues contact:
National Computer Security Association (NCSA)
Internet http://www.ncsa.com
CompuServe GO:NCSA
Phone (717) 258-1816
