Trojan horse maps drive, lifts addresses

The Trojan horse e-mail attachment picture.exe now apparently has children, and their intent is perhaps more mysterious.
Written by Bob Sullivan, Contributor

There are at least two versions of picture.exe making their way around the Internet, as well as a third very similar Trojan horse called soft.exe. And these new versions have even more confusing behaviour.

According to a Chinese ISP network manager, picture.exe version 2 roots through computers to gather up a list of every common file on a victim's hard drive, and then it cobbles together every e-mail address from every piece of mail stored on the victim's computer. Then, it tries to ship those off to China. Where in China? To eight e-mail addresses, according to an ISP network administrator in China who consults for the Net providers where picture.exe's files are headed.

Network Associates last week posted a report on picture.exe and updated its McAfee anti-virus software after reports of the Trojan horse started making their way around Usenet groups. The company says the version of picture.exe it examined builds a list of .txt and .html files on a user's hard drive, then builds a list of Internet sites pulled from a user's Internet cache. It also attempts to steal America Online usernames and passwords. Network Associates has written a complete report.

But the network administrator MSNBC spoke to provided a different picture.exe. One text file his version produced included e-mail addresses pulled from every e-mail saved on a user's machine. Apparently, picture.exe does a full-text search of mail files for @ symbols, then builds a file called $4135.dat. It puts everything it finds just before an @ symbol, the name portion of the e-mail, at the top of that text file. The end result is a lengthy list of addresses tailor-made for bulk e-mail -- spamming.

One possible explanation is that this is not a different version of picture.exe but a difference of opinion. Network Associates and the network administrator may have just interpreted the contents of the file differently. The other text file created by the administrator's version of picture.exe, called $2321.dat, is a map (filename and path) of every file with the extensions .txt, .html, .idx, .mdb, .pst, .pab, .db or .pst on the victim's computer. MSNBC was able to reproduce that result.
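The two dropped files described above, $4135.dat (local parts of harvested e-mail addresses) and $2321.dat (a filename-and-path map limited to the listed extensions), are the kind of on-disk artifact an administrator can sweep for. The following checker is an added example written for this article, not code from MSNBC, Network Associates or the Trojan's authors; the content heuristics (the local-part pattern, the Windows drive-letter path pattern and the 80% line-match threshold) and the sample file contents are assumptions constructed here, and the article's own note that the address list may carry other material after the names is why a ratio rather than an exact match is used.

```python
import os
import re

# Artifact names and the extension list exactly as reported in the article.
ADDRESS_LIST_NAME = "$4135.dat"
FILE_MAP_NAME = "$2321.dat"
MAPPED_EXTENSIONS = {".txt", ".html", ".idx", ".mdb", ".pst", ".pab", ".db"}

# Assumed shape of one harvested entry: the text before '@' in an address.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
# Assumed shape of one file-map entry: a Windows drive-letter path.
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
# Trailing extension, matched textually so it works on any host OS.
EXT_RE = re.compile(r"(\.[A-Za-z0-9]+)$")


def _nonempty_lines(text):
    return [line.strip() for line in text.splitlines() if line.strip()]


def looks_like_address_list(text, min_ratio=0.8):
    """True if most lines look like e-mail local parts (name before '@')."""
    lines = _nonempty_lines(text)
    if not lines:
        return False
    hits = sum(1 for line in lines if LOCAL_PART_RE.match(line))
    return hits / len(lines) >= min_ratio


def looks_like_file_map(text, min_ratio=0.8):
    """True if most lines are drive-letter paths ending in a mapped extension."""
    lines = _nonempty_lines(text)
    if not lines:
        return False
    hits = 0
    for line in lines:
        ext = EXT_RE.search(line)
        if WIN_PATH_RE.match(line) and ext and ext.group(1).lower() in MAPPED_EXTENSIONS:
            hits += 1
    return hits / len(lines) >= min_ratio


def classify_artifact(path, text):
    """Name the artifact if both its filename and its contents match the report."""
    name = os.path.basename(path)
    if name == ADDRESS_LIST_NAME and looks_like_address_list(text):
        return "harvested-address-list"
    if name == FILE_MAP_NAME and looks_like_file_map(text):
        return "file-map"
    return None


def scan_tree(root):
    """Walk a directory and return (path, classification) for any candidate file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname not in (ADDRESS_LIST_NAME, FILE_MAP_NAME):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="latin-1", errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap the read; the map can be large
            except OSError:
                continue
            findings.append((full, classify_artifact(full, text)))
    return findings


# Constructed sample contents (illustrative, not from a real infection).
SAMPLE_ADDRESS_LIST = "alice\nbob.smith\ncarol_99\n"
SAMPLE_FILE_MAP = (
    "C:\\My Documents\\notes.txt\n"
    "C:\\Windows\\Profiles\\user\\mail.pst\n"
    "C:\\Web\\index.html\n"
)

if __name__ == "__main__":
    print(classify_artifact("$4135.dat", SAMPLE_ADDRESS_LIST))  # harvested-address-list
    print(classify_artifact("$2321.dat", SAMPLE_FILE_MAP))      # file-map
    for found in scan_tree("."):
        print(found)
```

A filename match alone is weak evidence, so the classifier requires the contents to fit the described structure as well; a file named $2321.dat that does not read as a path list is reported with a None classification for a human to look at rather than silently flagged.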

Why would someone want a detailed map of files on a user's hard drive? It could be used by an outsider to tunnel through your computer once an IP connection is established -- say by the user's visiting an innocent-looking Web page. Such a file list is the key to many Web-based attacks, where hackers need only know the location of a file on your machine in order to copy it or edit it. "A file map like that could be very useful with Back Orifice, though it is by no means necessary to use that to cause problems with BO," said a spokesperson for the hacker group Cult of the Dead Cow identifying himself as Tweety Fish.

The CDC last year created Back Orifice, which is designed to allow outsiders to take control of PCs remotely. "It's possible that the Trojan was designed to be used with BO, but more likely is that it has its own file transfer built in that would let the creators access those files, possibly en masse," Tweety Fish said. "Another very good possibility is that it was supposed to have functionality like that, but it's broken."

But the real intentions of the authors of picture.exe, and why the e-mail gets sent to China, remain a mystery. The Chinese ISP administrator MSNBC contacted offered these additional hints: the eight e-mail addresses check out as legitimate mailboxes, and seven originate in China. The eighth is a hotmail address. Since getting an e-mail in China requires a photo ID, identifying the intended recipients of picture.exe's work is easy for Chinese authorities. But so far, they haven't shown much interest in pursuing the authors. When the Chinese Net administrator complained to the Public Security Bureau about the danger of spamming by the creators of the Trojan horse, he says he was told: "Usually they pay more attention to cases with clear evidence and damage. They wouldn't make any official move until they are sure the evidence is strong enough, the damage is more than some student hackers fooling around."

The Trojan apparently hasn't been sent to Chinese recipients, only from China to addresses outside China, which is unlikely to raise the interest of government officials. The administrator has traced the original spam message to an ISP in Shenzhen.

Our source in China also reports his version of picture.exe does not appear to attempt to steal AOL passwords. That matches up with common sense: "I don't think someone from China would actually want AOL passwords," he said. "Calling an AOL dial-up from here is about $5 U.S. a minute."
