
Discussion Communities: Merit Network Email List Archives

Network Security

promail shareware is a trojan.

  • From: Paul Howell
  • Date: Thu Mar 25 07:51:22 1999

A shareware program called Promail, available at CNet's
shareware.com and Simtel.Net, is a trojan which captures passwords.

Details on this are at http://www.europe.datafellows.com/v-descs/promail.htm

< paul


NAME:
      Promail
ALIAS:
      Trojan.PWS.Promail, PWS.Promail
SIZE:
      583168

An application called Promail 1.21 is a trojan. This version was distributed 
on several shareware sites in March 1999. 

When Promail 1.21 is run, it tries to steal the current user's passwords and 
other information. 

Promail is supposed to be a free program for maintaining several e-mail accounts
belonging to a single user. Promail is written in Delphi and packed with the Petite
executable file compressor. 

The copyright belongs to SmartWare Inc. (most likely fake), and the About box
states that the program is based on open source code by Michael Haller. Mr.
Haller has nothing to do with the trojan. He earlier developed a free program,
Phoenix Mail, and made its full source code available.
Now some malicious person has taken that source code, modified it to include a
password stealing routine and is distributing it as Promail. 

Promail creates its own account entries for each e-mail account a user
maintains. When a user creates a new account in Promail he is instructed to 
enter the following information: 

        User's e-mail address 
        Real name 
        Organization 
        Reply-to e-mail address 
        Reply-to real name 

Then the user is supposed to enter information about his POP3 and SMTP
accounts: 

        POP3 user name 
        POP3 password 
        POP3 server name 
        POP3 port (default: 110). 
        SMTP server name 
        SMTP port (default: 25). 

Account information is written to an ACCOUNT.INI file located in a folder 
that Promail creates for each e-mail account a user maintains. The POP3 
password is stored in an encrypted form (with weak crypto). 

When a user tries to get e-mail from any of the maintained accounts, Promail 
first e-mails the contents of the ACCOUNT.INI files to an account at the free 
web-based e-mail service provider NetAddress (account: naggamanteh@usa.net). So 
the person who owns this account (presumably the author of the Promail password 
stealing trojan) gets all the information about the user's e-mail accounts on 
different mail servers. 

Promail also creates an empty file PROMAIL.PML which serves as a flag 
for the trojan that not all ACCOUNT.INI files have been sent to the author of 
the trojan. 

If you are using or were using Promail it is HIGHLY recommended that you change
all your passwords, because your accounts could be used by the trojan author or
other hackers for illegal purposes or for spying on you. 
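An added example, not part of the advisory or this post: a triage script a defender could run over a user's Promail install tree. It finds every ACCOUNT.INI the program wrote and the PROMAIL.PML flag described above, and lists the POP3 identities whose passwords must be changed. The INI section and key names ([POP3] with User/Server) are assumptions; the advisory lists the fields but not the file layout.

```python
# Added example (not from the advisory or the mailing list): walk a Promail
# install tree, find the per-account ACCOUNT.INI files and the PROMAIL.PML
# flag, and report which POP3 identities need a password change.
import configparser
import os
import tempfile
from pathlib import Path

ACCOUNT_FILE = "ACCOUNT.INI"
FLAG_FILE = "PROMAIL.PML"   # empty file: "not every ACCOUNT.INI has been sent yet"


def triage_promail(root):
    """Return {'flag_present': bool, 'rotate': ['user@server', ...]} for the tree under root."""
    flag_present = False
    rotate = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.upper(): f for f in files}          # Windows file names are case-insensitive
        if FLAG_FILE in names:
            flag_present = True
        if ACCOUNT_FILE not in names:
            continue
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(Path(dirpath) / names[ACCOUNT_FILE], encoding="latin-1")
        # Assumed layout: [POP3] section with User/Server keys. The password
        # field is deliberately never read or echoed; it is already compromised.
        user = cfg.get("POP3", "User", fallback="<unknown-user>")
        server = cfg.get("POP3", "Server", fallback="<unknown-server>")
        rotate.append(f"{user}@{server}")
    # Every identity is listed regardless of the flag: an absent flag means the
    # files have already been sent, not that the accounts are safe.
    return {"flag_present": flag_present, "rotate": sorted(rotate)}


def build_sample_tree():
    """Constructed sample: two account folders as Promail would create, plus the flag file."""
    root = Path(tempfile.mkdtemp(prefix="promail-"))
    for folder, user, server in [("work", "alice", "pop.example.com"),
                                 ("home", "alice2", "mail.example.net")]:
        d = root / folder
        d.mkdir()
        (d / "Account.ini").write_text(
            f"[POP3]\nUser={user}\nPassword=not-real\nServer={server}\nPort=110\n"
            "[SMTP]\nServer=smtp.example.com\nPort=25\n", encoding="latin-1")
    (root / FLAG_FILE).touch()
    return root


if __name__ == "__main__":
    result = triage_promail(build_sample_tree())
    print("PROMAIL.PML flag present:", result["flag_present"])
    for ident in result["rotate"]:
        print("change password for", ident)
```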
