Picture.exe Virus Alert!
Benjamin Sher
sher07 at bellsouth.net
Thu Jan 7 02:10:22 UTC 1999
Dear Colleagues:
The following are excerpts from an MSNBC report just released.
Please check with your respective anti-virus program for an update.
Benjamin
PICTURE.EXE REALLY A TROJAN HORSE
E-mail attachment, if opened, tries to send private information to an
e-mail address originating in China.
By Bob Sullivan
MSNBC
Jan. 6
Here's a computer virus story that's not an urban legend. If you
receive an attachment in e-mail called "picture.exe," don't open it. If
you do, what happens next reads a bit like a spy novel. This Trojan horse
drops two more programs called note.exe and manager.exe which will search
through your internet cache directory and, if you have one, the directory
that holds your America Online username and password. It then encrypts
that information, tries to establish an Internet connection, and sends it
all to an e-mail address in China.
...
Network Associates has since updated its McAfee virus program to
detect picture.exe. If you already have the software, an updated
version can be downloaded from:
http://beta.nai.com/public/datafiles/3xupdates.htm
But many questions remain about the prying program. "This is a
more interesting Trojan than normal," said Vincent Gullotto, manager of
the antivirus emergency response team for Network Associates. "It
actually has the capability to take information and send it someplace.
This one goes further than most and if it's successful
can use the information against you."
Here's how it works: Once a recipient opens picture.exe, that file
expands into two other executables "note.exe" and "manager.exe" and
places them into the Windows subdirectory. The following line is
also added to the win.ini file: "run=note.exe." That makes note.exe run
the next time Windows is started. According to Network Associates,
note.exe then gathers information, apparently looking through the
temporary Internet cache directory in an attempt to determine what Web
sites users have visited. It then encrypts that information into a DAT
file. It also appears to look in the directory where AOL user information
is stored. Note.exe then builds a second DAT file.
...
After note.exe does its thing, manager.exe runs, attempting to e-mail the
encrypted file to e-mail addresses with the domain of a Chinese ISP. The
recipient, of course, could be anywhere.
Benjamin Sher
Sher's Russian Web and Index
http://personal.msy.bellsouth.net/msy/s/h/sher07/
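The report above describes two host-side artifacts a defender can check for: the dropped note.exe and manager.exe in the Windows directory, and the "run=note.exe" line added to win.ini. The following is an added example, not code from the original post or from Network Associates, that parses the [windows] section of a win.ini and flags load=/run= startup entries; the sample win.ini text is constructed, and the handling of several programs on one run= line is an assumption.

```python
import re
from pathlib import PureWindowsPath

# File names the MSNBC report says picture.exe drops into the Windows directory.
DROPPED_NAMES = {"note.exe", "manager.exe"}

# Constructed sample of a win.ini after infection; "run=note.exe" is the
# persistence entry described in the report.
SAMPLE_WIN_INI = """[windows]
load=
run=note.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

def startup_entries(ini_text):
    """Return (key, program) pairs from load=/run= lines in the [windows] section.

    Assumption: several programs on one line are separated by commas or
    whitespace; this approximates Win9x behaviour and is not verified here."""
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("load", "run"):
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries

def suspicious_entries(ini_text, known=DROPPED_NAMES):
    """Return (key, program, reason) for every startup entry.

    Names matching the reported droppers are labelled explicitly; all other
    load=/run= entries are returned for review, since a clean install
    normally leaves both keys empty."""
    findings = []
    for key, prog in startup_entries(ini_text):
        name = PureWindowsPath(prog).name.lower()
        reason = "known picture.exe payload" if name in known else "review"
        findings.append((key, prog, reason))
    return findings

if __name__ == "__main__":
    for key, prog, reason in suspicious_entries(SAMPLE_WIN_INI):
        print(f"{key}={prog}: {reason}")
```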