Wednesday, March 24, 1999 Published at 17:52 GMT
'Trojan horse' program steals passwords
A free e-mail program called ProMail is stealing users' names and passwords and sending them to an unknown person.
The information allows simple access to the victims' messages.
The recipient is presumably the creator of what is termed a "Trojan horse" virus. A teenager called "David" has claimed responsibility in an e-mail to Ken Williams, who runs Packet Storm Security, a Web security site.
The message was sent from an anonymous address and so cannot be verified.
"I just wanted to increase the public's awareness on the problem of Internet privacy," the "David" character said.
"If a program written by a teenager can be spread SO EASILY over the Net, unchecked, and even be used by the Armed Forces, then something must be wrong.
"But let me assure all you people using ProMail, I did not use, store, sell or do anything with your passwords or other data. And I did not download your mail."
In an e-mail earlier this week, Ken Williams said: "The security implications and severity of the situation are truly astounding."
He believes hundreds of thousands of account names and passwords may have been harvested by ProMail. Some in the Net security community think it is the most widely distributed Trojan ever.
ProMail v1.21 has been widely available through major freeware sites such as shareware.com and simtel.net. It has been made available on at least 114 other sites, and it is impossible to know when, or even if, it will be removed from all sites.
The virus works by gathering the username, password and server name for the 'POP3' system, which transfers e-mail from the server to the user, and then packages the information up and sends it all off in an e-mail.
Ian Whalley, Senior Programmer with UK anti-virus software company Sophos PLC, told BBC News Online: "POP3 is very prevalent these days - it's in use everywhere."
"On the face of it, private e-mail is the major problem, as corporations tend not to use POP3. But it's very hard to tell as it is very widely used.
"A Trojan horse in this type of application is new. You could in theory disinfect it, but there are plenty of other e-mail clients out there, so it's best just to get rid of ProMail."
Whalley says wiping ProMail from the Web will be extremely hard: "You could trace all the logs back but it would be a nightmare."
ProMail's creator used open source code for the core program, which works very well. He then inserted the Trojan horse.
The program seems to have been made available around 24 February. The problem was first publicised on the Bugtraq news group on 19 March by Aeon Labs and was confirmed by Pine Security Digest.
Aeon tracked where the password-carrying e-mail messages were sent to: a free web-based account. In the messages already there, they found details of e-mail accounts from Microsoft, the US Army and a video games company.
Simtel no longer makes ProMail available. It has also given what information it has about the supplier of ProMail to the FBI, US Army Counterintelligence and Interpol.