SYNOPSIS:
A programmer known as "General Failure" has released a Windows95/98/NT trojan horse program named "Girl Friend." Girl Friend consists of a client program called "Windll.exe" which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program is required to be installed on the victim's computer to permit the remote site access to the victim's computer in a manner similar to Netbus, Back Orifice and other internet "Remote administration" trojan horses. This program exploits security vulnerabilities in Windows95, Windows98 and Windows NT platforms. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines. This program has just surfaced in the United States. It is NOT widespread at this time but it is expected to be soon.
The server program for the Girl Friend trojan horse can be given any name by the party who places it on the victim's machine, but the file will always revert to a filename of WINDLL.EXE which makes it easy to identify after it has been installed. The server will place itself into the windows folder as WINDLL.EXE regardless of the name of the downloaded server trojan piece.
Privacy Software Corporation's BOClean 2.01 software, designed to detect and defeat trojan horse programs, is fully effective in removing the Girl Friend server regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.
While the server is a completely different design from other trojans,
its behaviors are similar as is the means of exploitation of the victim's
machine. Where this trojan horse is installed, it is capable of doing
serious damage to a machine or the network it's on. Girl Friend will appear
on the task manager's list of running programs.
CAPABILITIES:
The Girl Friend server permits anyone using the Girl Friend "client.exe" client on their end to remotely control the victim's machine. Girl Friend is a risk to all Win32 platforms including Windows95, Windows98 and Windows NT. The Girl Friend trojan in its present incarnation is limited in capabilities but can execute commands from the perpetrator if the perpetrator knows what commands are available. It also permits stealing of passwords from a compromised system.
It can be configured to run on any port but the default version is configured to port 21554 unless changed. Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with Girl Friend below verbatim:
MANUAL REMOVAL OF GIRL FRIEND SERVER:
The Girl Friend server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with a string value of "windll.exe" with data pointing to the file which was installed, which will always be windll.exe.
It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Girl Friend" server being reloaded at which time the file pointed to in the registry can be removed without further risk.
As a result, care should be taken to back up your registry first as
well as your programs and files in the event that removal of the registry
entry results in damage to your system. Use of Privacy Software Corporation's
BOClean 3.01
program will safeguard against this possibility by removing the program
and its registry entries automatically without risk of damage, or the need
to disconnect the infected machine or reboot.
COPYRIGHTED MATERIAL:
Copyright (c) 1998 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.
Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com,
email to technology@privsoft.com. Copies of the Girl Friend distribution as
captured by Privacy Software Corporation will only be provided to recognized
security interests and responsible, recognized members of the press with
the technical capability to conduct independent research on this trojan
horse program or in the alternative, we will provide the URL where the
programs can be obtained independently. Copies will NOT be provided by
us to any other parties. Privacy Software Corporation reserves the right
to refuse transmission without further explanation. Under the provisions
of Privacy Software Corporation's customer and website privacy policies,
we cannot divulge email from our customers regarding their experiences
with these trojan horse programs nor can we divulge their identities under
any circumstances.