From owner-freebsd-advocacy Sat Mar 20 5:21:47 1999
Delivered-To: freebsd-advocacy@freebsd.org
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (Postfix) with ESMTP id 4A2D21504A for ; Sat, 20 Mar 1999 05:21:35 -0800 (PST) (envelope-from des@ifi.uio.no)
Received: from bergelmir.ifi.uio.no (2602@bergelmir.ifi.uio.no [129.240.65.172]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id OAA08469 for ; Sat, 20 Mar 1999 14:21:15 +0100 (MET)
Received: (from des@localhost) by bergelmir.ifi.uio.no ; Sat, 20 Mar 1999 14:21:15 +0100 (MET)
To: advocacy@freebsd.org
Subject: [Patrick Oonk ] Promail trojan
From: Dag-Erling Smorgrav
Date: 20 Mar 1999 14:21:14 +0100
Message-ID:
Lines: 54
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-advocacy@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

...or, "Why You Should Never Trust Closed-Source Software".

DES
--
Dag-Erling Smorgrav - des@ifi.uio.no

------- Start of forwarded message -------
Message-ID: <19990319224030.D7090@atro.pine.nl>
Date: Fri, 19 Mar 1999 22:40:30 +0100
Reply-To: patrick@pine.nl
From: Patrick Oonk
Subject: Promail trojan
To: BUGTRAQ@NETSPACE.ORG

http://cool.icestorm.net/aeon/news.html

News and security advisories from Aeon Labs.

[03.99] ProMail v1.21, an advanced freeware mail program for Windows 95/98, is a trojan. It has been spread through several worldwide distribution networks (SimTel.net, Shareware.com and others) as proml121.zip.

Upon discovering - through LAN sniffing - that the program would attempt to connect to SMTP instead of POP3 when a regular mail check was performed, we reverse-engineered the software. The executable, which appears to have been created with Borland Delphi, has been packed with Petite (a shareware Win32-EXE compressor) and then "hexed" to make disassembly harder.

ProMail v1.21 supports multiple mailboxes; every time a new mailbox is created, an "ini" file containing the user's full name, passwords, email addresses, servers and more is generated.

Prior to doing any other action, the program performs a check for a valid network connection which, if found, allows for the sending of ALL of the personal user data, including the user's password in encrypted format, to an account on NetAddress - a free email provider.

Apart from this "feature", the software is 100% functional and very well done.

For further information or a more detailed analysis contact us.

--
: Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl :
: Pine Internet B.V. Consultancy, installation and management :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is for people without a social life..." - Patrick van Eijk :
------- End of forwarded message -------

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-advocacy" in the body of the message
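An added example, not part of either message above: the kind of check a defender could run over captured flow records to spot what the advisory found by LAN sniffing, a mail client that opens an SMTP session on each scheduled POP3 check, to a host that is not the configured relay. Host names, the flow records, the relay name and the pairing window are all constructed assumptions.

```python
# Added example (not from the advisory): detect POP3 mail checks that are
# each followed by an SMTP session, the traffic pattern the advisory describes.
from collections import defaultdict

POP3, SMTP = 110, 25

# Constructed flow records: (seconds, src_host, dst_host, dst_port).
# pc1 checks POP3 every 600 s and each check is followed within seconds by
# an SMTP session to a host that is not the configured relay.
# pc2 checks POP3 once and sends one message through the configured relay.
FLOWS = [
    (0,    "pc1", "pop.example.net", POP3),
    (2,    "pc1", "mx.unexpected.example", SMTP),
    (600,  "pc1", "pop.example.net", POP3),
    (603,  "pc1", "mx.unexpected.example", SMTP),
    (1200, "pc1", "pop.example.net", POP3),
    (1201, "pc1", "mx.unexpected.example", SMTP),
    (450,  "pc2", "pop.example.net", POP3),
    (980,  "pc2", "smtp.example.net", SMTP),
]

def find_suspect_hosts(flows, configured_relay, pair_window=30, min_pairs=2):
    """Return {host: [smtp destinations]} for hosts whose POP3 checks are
    repeatedly paired with SMTP sessions to a host other than the relay.

    An SMTP session that starts within pair_window seconds after a POP3
    check counts as one pair; min_pairs such pairs are needed to report.
    """
    by_host = defaultdict(list)
    for ts, src, dst, port in flows:
        by_host[src].append((ts, dst, port))
    suspects = {}
    for host, events in by_host.items():
        checks = [ts for ts, _, port in events if port == POP3]
        smtp = [(ts, dst) for ts, dst, port in events if port == SMTP]
        paired = [(ts, dst) for ts, dst in smtp
                  if any(0 <= ts - c <= pair_window for c in checks)]
        # SMTP to an unconfigured relay right after a check is the signal.
        off_relay = sorted({dst for _, dst in paired if dst != configured_relay})
        if len(paired) >= min_pairs and off_relay:
            suspects[host] = off_relay
    return suspects

if __name__ == "__main__":
    for host, dsts in find_suspect_hosts(FLOWS, "smtp.example.net").items():
        print(f"{host}: SMTP session on each mail check, to {', '.join(dsts)}")
```

A single user-initiated send through the configured relay (pc2) is not reported; only the repeated check-then-send pattern to an unexpected host is.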