%%File: VIRS0140.TXT
%%Name/Aliases: AOLGOLD, aolgold.zip, aol gold
%%Platform: PC/MS-DOS
%%Type: Trojan.
%%Disk Location: aolgold.zip
%%Features:
%%Damage: Deletes or moves files.
%%Size: none
%%See Also:
%%Notes: AOL discovered an e-mail message with the AOLGOLD.ZIP file attached. The file purports to be a new front end for AOL, but is actually a Trojan that deletes files on your C: drive.

AOLGOLD Trojan
==============

The AOLGOLD Trojan program was recently discovered on America Online (AOL). Notice about the Trojan has been circulated to all America Online subscribers. Notice about the Trojan and a copy of the Trojan program were supplied to CIAC by Doug Bigelow in AOL operations.

Apparently, an e-mail message is being circulated that contains an attached archive file named AOLGOLD.ZIP. A description that accompanies the archive describes it as a new and improved interface for the AOL online service. Note that there is no such program as AOLGOLD. Also, simply reading an e-mail message or even downloading an included file will not do damage to your machine. You must run the downloaded file to release the Trojan and let it do damage.

If you unzip the archive, you get two files: INSTALL.EXE and README.TXT. The README.TXT file again describes AOLGOLD as a new and improved interface to the AOL online service. The INSTALL.EXE program is a self-extracting ZIP archive. When you run the install program, it extracts 18 files onto your hard drive:

    MACROS.DRV
    VIDEO.DRV
    INSTALL.BAT
    ADRIVE.RPT
    SUSPEND.DRV
    ANNOY.COM
    MACRO.COM
    SP-NET.COM
    SP-WIN.COM
    MEMBRINF.COM
    DEVICE.COM
    TEXTMAP.COM
    HOST.COM
    REP.COM
    EMS2EXT.SYS
    EMS.COM
    EMS.SYS
    README.TXT

The file list includes another README.TXT file. If you examine the new README.TXT file, it starts out with "Ever wanted the Powers of a Guide" and continues with some crude language. The README.TXT file indicates that the included program is a guide program that can be used to kick other people off of AOL.
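Examining the unpacked files with TYPE rather than running them is the safe move here, and the check can be automated. The Python script below is an added example, not a CIAC or AOL tool: it reads a batch file's text and flags the two behaviours the notice attributes to INSTALL.BAT and VIDEO.DRV, a non-.BAT file renamed to .BAT and then run, and DEL/ERASE/DELTREE aimed at system directories (the critical-directory list and the two sample batch texts are constructed for the example, not the Trojan's own contents).

```python
import ntpath

# Directories the notice names as targets (constructed list; extend as needed).
CRITICAL_DIRS = {"c:\\", "c:\\dos", "c:\\windows", "c:\\windows\\system"}
DELETE_CMDS = {"del", "erase", "deltree", "rd", "rmdir"}

def _norm(path):
    """Lower-case a DOS path and drop a trailing backslash (kept on a drive root)."""
    p = path.lower().replace("/", "\\")
    return p if p.endswith(":\\") else p.rstrip("\\")

def _tokens(line):
    """Split a batch line into (command, args); skip blanks, labels, REM and /switches."""
    words = line.strip().lstrip("@").split()
    if not words or words[0].startswith(":") or words[0].lower() == "rem":
        return None, []
    return words[0].lower(), [w for w in words[1:] if not w.startswith("/")]

def _runs_renamed(cmd, args, renamed):
    """True if this line executes a file that an earlier REN turned into a .BAT."""
    name = _norm(args[0]) if cmd == "call" and args else cmd
    return name in renamed or name + ".bat" in renamed

def triage_batch(text):
    """Return [(line_no, finding), ...] for the text of one DOS batch file."""
    findings, renamed = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        cmd, args = _tokens(line)
        if cmd is None:
            continue
        if cmd in ("ren", "rename") and len(args) == 2:
            src, dst = _norm(args[0]), _norm(args[1])
            if dst.endswith(".bat") and not src.endswith(".bat"):
                renamed.add(dst)
                findings.append((no, f"disguised batch file: {src} renamed to {dst}"))
        elif _runs_renamed(cmd, args, renamed):
            findings.append((no, f"runs renamed batch file {args[0] if cmd == 'call' else cmd}"))
        elif cmd in DELETE_CMDS and args:
            target = _norm(args[0])
            hit = {target, ntpath.dirname(target)} & CRITICAL_DIRS
            if hit:
                findings.append((no, f"{cmd} against system directory {min(hit)}"))
    return findings

# Constructed samples mirroring the notice's description, not the Trojan's own text:
# a loader that renames a disguised file to .BAT and runs it, and that payload.
INSTALL_BAT = "@echo off\nren VIDEO.DRV VIRUS.BAT\ncall VIRUS.BAT\n"
VIDEO_DRV = "@echo off\ndel c:\\dos\\*.*\ndel c:\\windows\\system\\*.*\ndel c:\\aol25\\*.*\n"
```

Run `triage_batch()` over each .BAT or .DRV file extracted from a suspect archive; a file that only lists directories or echoes text produces no findings.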
If you stop at this point and do nothing but examine the unzipped files with the TYPE command, your machine will not be damaged. The following three files contain the Trojan program:

    MACROS.DRV
    VIDEO.DRV
    INSTALL.BAT

The rest of the files included in the archive appear to have been grabbed at random to simply fill up the archive and make it look official.

The Trojan program is started by running the INSTALL.BAT file. The INSTALL.BAT file is a simple batch file that renames the VIDEO.DRV file to VIRUS.BAT and then runs it. VIDEO.DRV is an amateurish DOS batch file that starts deleting the contents of several critical directories on your C: drive, including:

    c:\
    c:\dos
    c:\windows
    c:\windows\system
    c:\qemm
    c:\stacker
    c:\norton

It also deletes the contents of several other directories, including those for several online services and games, such as:

    c:\aol20
    c:\prodigy
    c:\aol25
    c:\mmp169
    c:\cserve
    c:\doom
    c:\wolf3d

When the batch file completes, it prints a crude message on the screen and attempts to run a program named DoomDay.EXE. Bugs in the batch file prevent the DOOMDAY.EXE program from running. Other bugs in the file cause it to delete itself if it is run from any drive but the C: drive. The programming style and bugs in the batch file indicate that the Trojan writer has little programming experience.

Recovery:
---------

**WARNING** Do not copy any files onto your hard disk before trying to recover your hard drive. The files are deleted with the DOS DEL command and can be recovered with the DOS UNDELETE command. The files are still on your disk; only the directory entries have been removed. If you copy any new files onto your hard disk, they will likely be written over the deleted files, making it impossible to recover the deleted files.

If you have delete protection installed on your system, recovery will be relatively easy.
If not, the DOS UNDELETE command can be used, but you will have to supply the first letter of each file name as it is recovered. In many cases, you will probably want to restore the directories by reinstalling them from the original installation disks, but do that last. You must recover any irreplaceable files first using UNDELETE, and then replace any others by copying or reinstalling them from the distribution disks.

To recover the system:

1. Boot the system with a clean, locked floppy containing the recovery program for the recovery files you have installed, or the DOS UNDELETE.EXE program if you do not have recovery files installed.

2. TYPE the VIRUS.BAT file to get a list of the directories the Trojan tried to delete. Ignore any directories that don't exist on your machine.

3. Run the recovery program and recover your files. You may have to help it find the recovery files, such as MIRROR, which will be in the root directory. You may have to recover the MIRROR file first and then use it to recover the other files. If you are using only the DOS UNDELETE command, type:

       undelete directory

   where directory is the name of the directory to examine. To undelete the files in the DOS directory, use:

       undelete c:\dos

   The UNDELETE program will present you with a list of deleted files with the first letter replaced with a question mark. Without delete protection, you will have to supply this letter in order to undelete the file.

4. After you have restored as many files as you want or can using the UNDELETE command, replace any others by reinstalling them using the original installation disks.

DOOMDAY
=======

The DoomDay.exe program is actually hidden in the MACROS.DRV file. When you run it, the Trojan maker program appears. The Trojan maker program creates QuickBASIC programs to damage a system. It includes the QuickBASIC compiler and PKLITE for compressing the Trojans. The programs created by it all hang, as they appear to be missing their END statement.
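To see why the recovery steps above work, and why the warning against copying files first matters, here is an added Python model (not part of the CIAC notice) of one FAT16 directory entry and a small FAT: DEL overwrites the first byte of the name with 0xE5 and frees the cluster chain, so UNDELETE needs the first letter from you and succeeds only while the file's clusters are still free. The cluster size, FAT and file are constructed for the example.

```python
import math
import struct

DELETED = 0xE5          # DEL overwrites the first byte of the name with this marker
END_OF_CHAIN = 0xFFFF   # FAT16 end-of-chain value
CLUSTER_BYTES = 2048    # constructed geometry: 4 sectors of 512 bytes per cluster

def make_entry(name, ext, first_cluster, size):
    """32-byte FAT16 directory entry: 8.3 name, attr, 10 reserved, time, date, cluster, size."""
    fields = (name.upper().ljust(8).encode("ascii"), ext.upper().ljust(3).encode("ascii"),
              0x20, bytes(10), 0, 0, first_cluster, size)          # attr 0x20 = archive
    return bytearray(struct.pack("<8s3sB10sHHHI", *fields))

def _chain(entry):
    """(first cluster, cluster count) of an entry, assuming it was stored contiguously."""
    first, size = struct.unpack_from("<HI", entry, 26)
    return first, max(1, math.ceil(size / CLUSTER_BYTES))

def allocate(fat, entry):
    """Write the entry's contiguous cluster chain into the FAT."""
    first, count = _chain(entry)
    for c in range(first, first + count):
        fat[c] = c + 1 if c < first + count - 1 else END_OF_CHAIN

def dos_del(fat, entry):
    """Model DEL: mark the entry deleted and free its chain; the data clusters are not wiped."""
    c = struct.unpack_from("<H", entry, 26)[0]
    while c not in (0, END_OF_CHAIN):
        fat[c], c = 0, fat[c]
    entry[0] = DELETED

def display_name(entry):
    """Name as UNDELETE lists it: '?' stands in for the overwritten first letter."""
    raw = bytearray(entry[:11])
    if raw[0] == DELETED:
        raw[0] = ord("?")
    return raw[:8].decode("ascii").rstrip() + "." + raw[8:].decode("ascii").rstrip()

def undelete(fat, entry, first_letter):
    """Model UNDELETE without delete tracking: the caller supplies the lost first letter.
    Returns the restored name, or None if a newer file has reused any of the clusters."""
    if entry[0] != DELETED:
        raise ValueError("entry is not marked deleted")
    first, count = _chain(entry)
    if any(fat[c] != 0 for c in range(first, first + count)):
        return None
    entry[0] = ord(first_letter.upper())
    allocate(fat, entry)
    return display_name(entry)
```

Delete tracking (MIRROR in DOS) records the full name and cluster chain at deletion time, which is why the notice calls recovery with it "relatively easy".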