Home / malware

PDF

Trojan:W32/Promail

First posted on 23 April 2010.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:W32/Promail.

Explanation :

Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.

Additional DetailsAn application called Promail 1.21 is a trojan. This version was distributed on several shareware sites in March 1999.



When Promail 1.21 is run, it tries to steal the current user's passwords and other information.

Promail is supposed to be a free program to maintain several e-mail accounts belonging to a single user. Promail is written in Delphi and packed with Petite executable file compressor.

;

The copyright belongs to SmartWare Inc. (most likely fake), and the About box states that the program is based on an open source code by Michael Haller.

Mr. Haller has nothing to do with the trojan. He has developed a free program Phoenix Mail program earlier and has made the full source code of it available. Now some malicious person has taken the source code, modified it to include the password stealing routine and is distributing it as Promail.

Promail creates its own accounts (entries) for each e-mail account a user maintains. When a user creates new accounts in Promail he is instructed to enter the following information:
€ Real name € Organization € Reply-to e-mail adderss € Reply-ty real name
Then the user is supposed to enter information about his POP3 and SMTP accounts:

€ POP3 user name € POP3 password € POP3 server name € POP3 port (default: 110). € SMTP server name € SMTP port (default: 25).
Account information is written to ACCOUNT.INI file that is located in a folder that Promail creates for each e-mail account a user maintains. The POP3 password is stored in an encrypted form (with weak crypto).

When a user tries to get e-mail from any of maintained accounts the Promail first e-mails the contents of ACCOUNT.INI files to a free web-based e-mail service provider NetAddress (account: naggamanteh@usa.net). So the person who owns this account (and is supposed to be the author of Promail password stealing trojan), gets all information about users' e-mail accounts on different mail servers.

The Promail also creates an empty file PROMAIL.PML which servers as a flag for the trojan that not all ACCOUNT.INI files have been sent to the author of the trojan.

If you are using or were using Promail, it is HIGHLY recommended that you changed all your passwords because your accounts could be used by trojan author or other hackers for illegal purposes or for spying after you.

Last update 23 April 2010

 

TOP