Date: Fri, 19 Mar 1999 09:41:18 +0100
From: Aeon Labs <aeon@army.net>
To: packetstorm@genocide2600.com
Subject: security/privacy news

(Perhaps this might be of interest to Your readers.)

ProMail v1.21, an advanced freeware mail program spread through several
worldwide distribution networks (SimTel.net, Shareware.com and others),
is a trojan.
Upon discovering - through LAN sniffing - that the program would attempt
to connect to SMTP instead of POP3 when a regular mail check was performed, 
we reverse-engineered the software.
ALL of the personal user data, including the user's password in encrypted
format, is sent to an account on NetAddress - a free email provider -
as soon as a valid internet connection is detected.
Apart from this "feature", the software is 100 % functional and very
well done.
Well, it seems that 1999 is the worst year for privacy...

More detailed information can be found on our web site at
http://cool.icestorm.net/aeon/news.html


  ---------------------------------------------------------------------
  Aeon Labs
  http://cool.icestorm.net/aeon

[http://cool.icestorm.net/aeon/news.html]

03.99]

ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan.
It has been spread through several worldwide distribution networks (SimTel.net, 
Shareware.com and others) as proml121.zip.

Upon discovering - through LAN sniffing - that the program would attempt to 
connect to SMTP instead of POP3 when a regular mail check was performed, we 
reverse-engineered the software.

The executable, which appears to have been created with Borland Delphi, has been 
packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make 
disassembly harder.

ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created, 
an "ini" file containing the users full name, passwords, email addresses, 
servers and more is generated.

Prior to doing any other action, the program performs a check for a valid 
network connection which, if found, allows for the sending of ALL of the
personal user data, including the user's password in encrypted format, to an 
account on NetAddress - a free email provider.

Apart from this "feature", the software is 100 % functional and very well done.

For further information or a more detailed analysis contact us. <aeon@army.net>

---------------------------------------------------------------------------------

Date: Sat, 20 Mar 1999 03:51:00 -0500 (EST)
From: aeon@army.net
To: packetstorm@genocide2600.com
Subject: Re: your mail

currently our members have disassembled and analyzed the whole executable.
the only thing it appears to do as a trojan is to send the accounts data
entered by the user: full name, organization, email address, user name,
password (encrypted), smtp and pop3 servers, etc.
and since promail supports multiple accounts, each newly created account
is sent.
the data for each account is contained in a text file which is used to
initialize promail at run-time.  the same text file is used as body of
the email which is sent to the author (supposedly) of the program.
it appears that all emails are sent with same subject line: "kirio".

the program also creates the file promail.pml in its directory.  it's a
zero length file used as permanent flag to "remember" to the trojan that
one or more accounts data could not be sent in the last session (for
example, when accounts are created off-line, or when not followed by a
mail check in the same session).

we also managed to crack the mailbox to which accounts data is sent.
about ~80 emails (== accounts) were found and another dozen was
received after only ten minutes or so.
accounts for microsoft, michigan us army, old bridge chemicals and a
videogames company - amongst the others - were found.

we have merely informed a _contact_ (not the ml) in ntbugtraq and
several "underground" news/security sites.
well you can contact the various *traq mailing lists if you want.  we
don't care if people still trust anything that can be downloaded from
the net anyway.  i guess we're not exactly "white hat" hackers :P

if you need any help or further analysis on a specific part of the program
please feel free to contact us.


  ------------------------------------------------------------------------
  Aeon Labs <aeon@army.net>
  http://cool.icestorm.net/aeon

---------------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 09:40:26 +0100
From: Patrick Oonk <patrick@pine.nl>
To: tattooman@ADRIC.GENOCIDE2600.COM
Subject: [patrick@pine.nl: ProMail trojan proof]

----- Forwarded message from Patrick Oonk <patrick@pine.nl> -----

Hi,

I've tested the ProMail Trojan, it sends the info
to naggamanteh@usa.net using the smtp server you 
supply when creating an account.

I'll Cc: abuse@usa.net and bugs@shareware.com

ProMail can still be downloaded at many sites,
just check
http://search.shareware.com/code/engine/File?archive=sim-win95&file=email%2fproml121%2ezip&size=409141

These are the queue files at my smtp server after
I installed ProMail and created an account:

$ more /var/spool/mqueue/qfPAA17183
V2
T921939650
K921939657
N1
P30435
I6/0/88205
M<naggamanteh@usa.net>... reply: read error from office.pine.nl.
Fb
$rSMTP
$sfoo
$_foo.domain.com [10.0.0.1]
S<patrick@pine.nl>
RPFD:<naggamanteh@usa.net>
H?P?Return-Path: <patrick@pine.nl>
HReceived: from foo (foo.domain.com [10.0.0.1])
        by bar.domain.com (8.9.1/8.9.1) with SMTP id PAA17183
        for <naggamanteh@usa.net>; Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?D?Date: Sat, 20 Mar 1999 15:20:50 +0100 (MET)
H?F?From: patrick@pine.nl
H?M?Message-Id: <199903201420.PAA17183@bar.domain.com>
HTo: naggamanteh@usa.net
HSubject: kirio

$ more /var/spool/mqueue/dfPAA17183
Name=New Account

[From]
EMail=patrick@pine.nl
Name=Patrick Oonk
Organization=Pine Internet B.V.

[ReplyTo]
EMail=patrick@pine.nl
Name=Patrick Oonk

[POP3]
Server=pop.domain.com
Port=110
User=patrick
Password=1hFATUIxWOkJ3b3N3chBXZrFmZMUE
PromptPassword=0
DoPOP=1
StandardDownload=0

[SMTP]
Server=smtp.domain.com
Port=25
DoSMTP=1

[Filter]
Keep=
Delete=
-- 
: Patrick Oonk -    http://patrick.mypage.org/  - patrick@pine.nl :
: Pine Internet B.V.           Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :


----- End forwarded message -----

-- 
: Patrick Oonk -    http://patrick.mypage.org/  - patrick@pine.nl :
: Pine Internet B.V.           Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :
: A signature starts with "-- <enter>".                           :

---------------------------------------------------------------------------------

Date: Mon, 22 Mar 1999 18:20:50 +0900 (JST)
From: Aeon Labs <aeon@army.net>
To: packetstorm@genocide2600.com
Subject: ProMAIL users

So far we have collected hundreds of email *addresses*
from naggamanteh@usa.net (only the headers were
retrieved, we don't want their passwords/personal data/etc).
With these addresses, users of ProMail could be warned
about the problem with their passwords.
If you can find people who are willing to do the work,
we'll send you a list of the addresses we have collected.

  -----------------------------------------------------------------------------
  Aeon Labs <aeon@army.net>
  http://cool.icestorm.net/aeon

---------------------------------------------------------------------------------

http://www.europe.datafellows.com/v-descs/promail.htm

Data Fellows' Virus Information Pages:  Promail

Computer Virus Information Pages
   
   F-Secure Anti-Virus 
   NAME: Promail
   ALIAS: Trojan.PWS.Promail, PWS.Promail
   SIZE: 583168 An application called Promail 1.21 is a trojan. This version was distributed on several shareware sites
   in March 1999.
   
   When Promail 1.21 is run, it tries to steal the current user's passwords and other information.
   
   Promail is supposed to be a free program to maintain several e-mail accounts belonging to a single user. Promail is
   written in Delphi and packed with Petite executable file compressor.
   
   The copyright belongs to SmartWare Inc. (most likely fake), and the About box states that the program is based on an
   open source code by Michael Haller. Mr. Haller has nothing to do with the trojan. He has developed a free program
   Phoenix Mail program earlier and has made the full source code of it available. Now some malicious person has taken
   the source code, modified it to include the password stealing routine and is distributing it as Promail.
   
   The Promail creates its own accounts (entries) for each e-mail account a user maintains. When a user creates new
   accounts in Promail he is instructed to enter the following information:
   
        User's e-mail address
        Real name
        Organization
        Reply-to e-mail adderss
        Reply-ty real name

   Then the user is supposed to enter information about his POP3 and SMTP accounts:

        POP3 user name
        POP3 password
        POP3 server name
        POP3 port (default: 110).
        SMTP server name
        SMTP port (default: 25).
   
   Account information is written to ACCOUNT.INI file that is located in a folder that Promail creates for each e-mail
   account a user maintains. The POP3 password is stored in an encrypted form (with weak crypto).
   
   When a user tries to get e-mail from any of maintained accounts the Promail first e-mails the contents of ACCOUNT.INI
   files to a free web-based e-mail service provider NetAddress (account: naggamanteh@usa.net). So the person who owns
   this account (and is supposed to be the author of Promail password stealing trojan), gets all information about
   users' e-mail accounts on different mail servers.
   
   The Promail also creates an empty file PROMAIL.PML which servers as a flag for the trojan that not all ACCOUNT.INI 
   files have been sent to the author of the trojan.
   
   If you are using or were using Promail it is HIGHLY recommended that you changed all your passwords because your
   accounts could be used by trojan author or other hackers for illegal purposes or for spying after you.
   
   All viruses listed in the Virus description pages can be detected and removed with Data Fellows Anti-virus and Data
   Security software.

---------------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 11:48:43 +0100
From: Patrick Oonk <patrick@pine.nl>
To: BUGTRAQ@netspace.org
Subject: ProMail trojan still available at some sites

Hi,

Today (one week after the first warnings) I was still able to
download the ProMail trojan horse from the following sites:

ftp://sunsite.anu.edu.au/pub/pc/simtelnet/win95/email/proml121.zip
ftp://ftp.sogang.ac.kr/pub/simtelnet/win95/email/proml121.zip
ftp://ftp.nus.sg/pub/simtelnet/win95/email/proml121.zip

The site owners have been warned.

        Patrick
--
: Patrick Oonk -    http://patrick.mypage.org/  - patrick@pine.nl :
: Pine Internet B.V.           Consultancy, installatie en beheer :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk :
: A signature starts with "-- <enter>".                           :