COMMAND

    ProMail

SYSTEMS AFFECTED

    ProMail v1.21

PROBLEM

    ProMail  v1.21,  an  advanced  freeware  mail  program for Windows
    95/98, is a trojan.  It has been spread through several  worldwide
    distribution networks  (SimTel.net, Shareware.com  and others)  as
    proml121.zip.  Upon discovering - through LAN sniffing - that  the
    program would attempt  to connect to  SMTP instead of  POP3 when a
    regular  mail  check  was  performed,  we  reverse-engineered  the
    software.   The  executable,  which  appears  to have been created
    with  Borland  Delphi,  has  been  packed with Petite (a shareware
    Win32-EXE compressor) and then "hexed" to make disassembly harder.
    ProMail  v1.21  supports  multiple  mailboxes;  every  time  a new
    mailbox is created, an "ini" file containing the user's full name,
    passwords, email addresses, servers and more is generated.   Prior
    to doing  any other  action, the  program performs  a check  for a
    valid network connection which,  if found, allows for  the sending
    of ALL of the personal user data, including the user's password in
    encrypted  format,  to  an  account  on  NetAddress - a free email
    provider.   Apart  from  this  "feature",  the  software  is 100 %
    functional and very well done.

    After disassembling and analyzing the whole executable,  the  only
    thing it appears to  do as a trojan  is to send the  accounts data
    entered by the user: full name, organization, email address,  user
    name, password (encrypted), smtp and pop3 servers, etc. and  since
    promail supports multiple accounts, each newly created account  is
    sent.  The data for each account is contained in a text file which
    is used  to initialize  promail at  run-time.   The same text file
    is  used  as  body  of  the  email  which  is  sent  to the author
    (supposedly) of the program.  It appears that all emails are  sent
    with same  subject line:  "kirio".   The program  also creates the
    file promail.pml in its directory.   It's a zero length file  used
    as a permanent flag to remind the  trojan that one or more account
    data sets could not be sent in  the last session (for example when
    accounts are created off-line, or when not followed by a mail
    check in the same session).
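    The observations above (an SMTP connection during what should be a
    POP3-only mail check, a message with the subject "kirio" whose body
    is the account "ini" file) can be turned into a simple detector. The
    script below is an added example written for this page, not code from
    the advisory or from ProMail; the connection log lines, the SMTP
    transcript, the host names and the configured servers are constructed
    sample data. It flags SMTP connections from the mail client to any
    host other than the user's configured SMTP server, and inspects a
    captured SMTP session for the "kirio" subject and for an INI-style
    body that carries a password field next to server settings.

```python
import re

# Constructed sample data (not from the advisory): the user's configured
# servers and the hosts/timestamps below are invented for this example.
CONFIGURED_SERVERS = {"pop3": "pop3.example.org", "smtp": "smtp.example.org"}

SAMPLE_CONNECTIONS = """\
10:00:01 promail.exe -> pop3.example.org:110
10:00:03 promail.exe -> mail.freemail-provider.example:25
10:05:00 promail.exe -> smtp.example.org:25
10:05:02 browser.exe -> www.example.com:80
"""

# Constructed SMTP transcript in the shape the advisory describes: the
# account profile is sent verbatim as the message body under subject "kirio".
SAMPLE_SMTP_SESSION = """\
220 mail.freemail-provider.example ESMTP
HELO host
250 ok
MAIL FROM:<jane@example.org>
250 ok
RCPT TO:<dropbox@freemail-provider.example>
250 ok
DATA
354 go ahead
From: jane@example.org
To: dropbox@freemail-provider.example
Subject: kirio

[Account1]
Name=Jane Doe
Email=jane@example.org
POP3Server=pop3.example.org
SMTPServer=smtp.example.org
UserName=jane
Password=3F9A1C
.
250 queued
QUIT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*)$")


def parse_connections(text):
    """Parse '<time> <process> -> <host>:<port>' lines into tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, proc, host, port = m.groups()
            records.append((ts, proc, host, int(port)))
    return records


def unexpected_smtp(records, process, configured):
    """SMTP connections by the mail client to a host that is not its configured SMTP server."""
    return [r for r in records
            if r[1] == process and r[3] == 25 and r[2] != configured["smtp"]]


def extract_message(transcript):
    """Return (headers, body) of the message sent in the DATA phase, or (None, None)."""
    lines = transcript.splitlines()
    try:
        start = lines.index("DATA") + 1
    except ValueError:
        return None, None
    if start < len(lines) and lines[start].startswith("354"):
        start += 1  # skip the server's go-ahead reply
    msg = []
    for line in lines[start:]:
        if line == ".":  # end of message marker
            break
        msg.append(line)
    headers, i = {}, 0
    while i < len(msg) and msg[i] != "":
        if ":" in msg[i]:
            k, v = msg[i].split(":", 1)
            headers[k.strip().lower()] = v.strip()
        i += 1
    return headers, "\n".join(msg[i + 1:])


def credential_leak_indicators(headers, body):
    """Indicators that the message body is an exfiltrated mail account profile."""
    findings = []
    if headers.get("subject", "").strip().lower() == "kirio":
        findings.append("subject matches the ProMail trojan marker 'kirio'")
    keys = [m.group(1).lower() for m in map(KV_RE.match, body.splitlines()) if m]
    if any("pass" in k for k in keys) and any(k.endswith("server") for k in keys):
        findings.append("body is an INI-style account profile containing a password field")
    return findings


def analyze(connections_text, transcript, process="promail.exe", configured=CONFIGURED_SERVERS):
    """Combine both checks into a list of human-readable alerts."""
    findings = []
    for ts, proc, host, _ in unexpected_smtp(parse_connections(connections_text), process, configured):
        findings.append(f"{ts}: {proc} opened SMTP to unconfigured host {host}")
    headers, body = extract_message(transcript)
    if headers is not None:
        findings.extend(credential_leak_indicators(headers, body))
    return findings


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CONNECTIONS, SAMPLE_SMTP_SESSION):
        print("ALERT:", alert)
```

    The connection check is the general form of the sniffing observation:
    a mail client has no reason to talk SMTP to anything but the server the
    user configured, so any other SMTP destination during a mail check is
    worth an alert regardless of which program is involved.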

SOLUTION

    Don't trust everything you download from the net.  Use known
    products, but don't trust them either.  Don't use the net :-)