-={HOME}=-

VIRUS ALERT

AOL4FREE.COM

Trojan Horse Program Destroys Hard Drives

The following information is from the CIAC bulletin number H-47 -- April 16, 1997
CIAC Is the U.S. Department of Energy Computer Incident Advisory Capability

PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all files on a hard drive is circulating the Internet.
PLATFORM: DOS/Windows-based PCs
DAMAGE: When the AOL4FREE.COM program is executed, all files and directories on the users C: drive are deleted.
SOLUTION: DO NOT execute this program. If the program starts executing, quickly pressing Ctrl-C will save some of your files.
VULNERABILITY ASSESSMENT: Users who download the trojaned AOL4FREE.COM program and executes it will destroy all the files and directories on their DOS C: drive.

NOTE: THIS IS DIFFERENT FROM THE AOL4FREE HOAX MESSAGE.

CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives.

CIAC has obtained a Trojaned copy of the AOL4FREE.COM program that, if run, deletes all the files on a user's hard drive. If you are e-mailed this file, or if you have downloaded it from an online service, do not attempt to run it.
If the program was received as an attachment to an e-mail message, do not double click (open) it. Opening an attached program runs that program, which in this case deletes all the files on your hard drive. The original AOL4FREE.COM was a program for fraudulently creating free AOL (America Online) accounts. Note that any attempt to use the original AOL4FREE.COM program may subject you to prosecution.

NOTE: Most antivirus programs will not detect this or other Trojan Horse programs.

Detection

AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long.
It masquerades as the AOL4FREE program that allows the fraudulent creation of free AOL accounts. The following text is readable in the AOL4FREE.COM file if you display it with the DOS TYPE command or the DOS EDIT program: Note that this text may appear in any program compiled with the BAT2EXEC program and has nothing to do with the Trojan Horse.

If you open the AOL4FREE.COM file with a disk editor or with the Windows Notepad program, the following text is found at the end of the second sector of the file:

Recovery

Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will save some of them. If the program runs to completion, all the files on your root drive will have been deleted. The files are deleted with the DOS DELTREE command, so the contents of the files are still on your hard disk, only the directory entries have been deleted. Any program that can recover deleted files will allow you to recover some or all of the files on your hard disk.

While attempting to recover files, be sure to not write any new files onto the hard disk as the new files may overwrite the contents of a deleted file, making it impossible to recover. You will probably have to boot your system with a floppy and run any recovery programs from there.

If you happen to have one of the delete tracking programs installed on your system (a program that keeps track of deleted files in case you want them back) the recovery operation will be relatively simple. Follow the directions in your delete tracking program to recover your files. If not, you will probably have to recover each file individually, supplying the first character of the file name, which is overwritten in the directory when the file is deleted. Most DOS/Windows disk tools programs also have the capability for recovering deleted files so follow the directions included with those programs to do so.

Background

The original AOL4FREE.COM program was developed to fraudulently create free AOL accounts. The creator of that program has pleaded guilty to defrauding America Online for distributing that program. Anyone else attempting to use that program to defraud AOL could also be prosecuted.

An e-mail message was recently circulating about the Internet that warned of an AOL4FREE virus, but that warning is either a hoax or a badly misunderstood description of this Trojan Horse.

  1. This program is a Trojan Horse, not a virus.
    It does not spread on its own.
  2. A Trojan Horse must be run to do any damage.
  3. Reading an e-mail message with the Trojan Horse program as an attachment will not run the Trojan Horse and will not do any damage. Note that opening an attached program from within an e-mail reader runs that attached program, which may make it appear that reading the attachment caused the damage. Users should keep in mind that any file with a .COM or .EXE extension is a program, not a document and that double clicking or opening that program will run it.

CIAC still affirms that reading an e-mail message, even one with an attached program, can not do damage to a system.
The attachment must be both downloaded onto the system and run to do any damage.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.


HOME
Back to the MAIN PAGE
Back to the VIRUS ALERT INDEX PAGE
Read the DISCLAIMER


Site development and administration by PCS