Home / malwarePDF  

AOL4FREE


First posted on 01 January 2004.
Source: SecurityHome

Aliases :

There are no other names known for AOL4FREE.

Explanation :

The aol4free hoax message was spread in e-mail in early April, 1997. The A4F-Spoof trojan horse program was spread in the middle of April, 1997.

The original hoax message looked like this:


Anyone who recieves this must send it to as many people as you can.
It is essential that this problem be reconciled as soon as possible.


A few hours ago, I opened an E-mail that had the subject heading of
aol4free.com.


Within seconds of opening it, a window appeared and began to display
my files that were being deleted. I immediately shut down my
computer, but it was too late. This virus wiped me out.


It ate the Anti-Virus Software that comes with the Windows '95
Program along with F-Prot AVS. Neither was able to detect it. Please
be careful and send this to as many people as possible, so maybe
this new virus can be eliminated.

The are some variants of this hoax, which warn of messages with subjects like "CONGRATULATIONS! YOU ARE A WINNER!", "AOL 4 FREE - GET AOL FOR FREE" or senders named "MATTHEW27" or "VPVVPPVVP".

There also exists a program for Macintosh machines called aol4free, but the versions we've seen did not delete files. This program was written to give people free access to the AOL (America Online) service. The filename of this program is not aol4free.com.

The original hoax message was widespread during the first and second weeks of April, 1997. On 16th of April, we received a copy of a simple trojan horse, which attempts to execute the following commands on your machine:
C:
CD\
DELTREE /y *.*

On most current PC machines, this will delete all files on your drive C:.

This is an obvious copycat attempt. Someone has read the original hoax warning, seen the messages that announce the warning as a hoax and then written a new trojan and named it AOL4FREE.COM - to confuse things further. To simplify things, we named the new trojan A4F-Spoof - just like the copycat virus named after the Good Times hoax is detected as GT-Spoof. Do note that some programs are detecting this trojan still as AOL4FREE trojan, though.

The A4F-Spoof trojan has been sent to several people via e-mail. If you receive such a file, do not execute it. Instead, send the original message with full headers to our sample submission address for further analysis. We're trying to catch this criminal.

In general, you should never execute programs received from unknown sources.

As A4F-Spoof is a totally new trojan horse (it does not spread so it's not a virus), it will not be detected by current antivirus programs. If you would like to scan for it with F-Secure anti-virus products, you can add the following user-defined pattern to detect it:
CE A4F-Spoof Trojan
2F79202A2E2A0D00FFFFCD04054543484F4F594F

As A4F-Spoof is a trojan, it can not be disinfected, only deleted.

As far as we know, the A4F-Spoof trojan horse is not widespread. It has been e-mailed as an attachment to several people, but it does not spread by itself. This trojan can not be considered a serious threat and should cause no widespread concern.

Last update 01 January 2004

 

TOP