F-Secure Virus Descriptions : Promail
NAME: Promail
ALIAS: Trojan.PWS.Promail, PWS.Promail
SIZE: 583168

An application called Promail 1.21 is a trojan. This version was distributed on several shareware sites in March 1999.

When Promail 1.21 is run, it attempts to steal the current user's e-mail passwords and other account information.

Promail is presented as a free program for maintaining several e-mail accounts belonging to a single user. Promail is written in Delphi and packed with the Petite executable file compressor.

The copyright belongs to SmartWare Inc. (most likely a fake name), and the About box states that the program is based on open source code by Michael Haller. Mr. Haller has nothing to do with the trojan. He earlier developed a free program, Phoenix Mail, and made its full source code available. Some malicious person has taken that source code, modified it to include a password-stealing routine, and is distributing it as Promail.

Promail creates its own account entry for each e-mail account a user maintains. When a user creates a new account in Promail, he is instructed to enter the following information:

        User's e-mail address
        Real name
        Organization
        Reply-to e-mail address
        Reply-to real name

Then the user is supposed to enter information about his POP3 and SMTP accounts:

        POP3 user name
        POP3 password
        POP3 server name
        POP3 port (default: 110)
        SMTP server name
        SMTP port (default: 25)

Account information is written to an ACCOUNT.INI file located in a folder that Promail creates for each e-mail account the user maintains. The POP3 password is stored in an encrypted form, but the encryption is weak.

When the user tries to retrieve e-mail from any of the maintained accounts, Promail first e-mails the contents of the ACCOUNT.INI files to an account at the free web-based e-mail service NetAddress (account: naggamanteh@usa.net). The person who owns this account (presumably the author of the Promail password-stealing trojan) thus receives all information about the user's e-mail accounts on the different mail servers.

Promail also creates an empty file, PROMAIL.PML, which serves as a flag for the trojan that not all ACCOUNT.INI files have yet been sent to the author of the trojan.
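The two on-disk artifacts described above (a per-account folder holding ACCOUNT.INI, plus the empty PROMAIL.PML flag) are enough to build a small triage helper that tells an affected user which POP3 accounts need a password change and whether an exfiltration was still pending. The following Python is an added example, not F-Secure's or Promail's own code; the INI key names (POP3Server, POP3User, POP3Password) and the sample directory layout are assumptions, since the description above only lists the fields, not their names in the file.

```python
import configparser
import os
import tempfile

FLAG_FILE = "PROMAIL.PML"     # empty flag: ACCOUNT.INI data not yet mailed out
ACCOUNT_FILE = "ACCOUNT.INI"  # one per account folder, holds POP3/SMTP settings

def triage_promail(root):
    """Walk a Promail data directory.

    Returns (accounts, exfil_pending): accounts is a sorted list of
    (pop3_server, pop3_user) pairs whose passwords must be changed;
    exfil_pending is True when the PROMAIL.PML flag file is present.
    """
    accounts = set()
    exfil_pending = False
    for dirpath, _dirs, files in os.walk(root):
        names = {f.upper(): f for f in files}   # Windows names are case-insensitive
        if FLAG_FILE in names:
            exfil_pending = True
        if ACCOUNT_FILE in names:
            cfg = configparser.ConfigParser(interpolation=None)
            cfg.read(os.path.join(dirpath, names[ACCOUNT_FILE]))
            for section in cfg.sections():
                # Assumed key names; the (weakly encrypted) POP3Password is
                # deliberately never read or printed by this helper.
                server = cfg.get(section, "POP3Server", fallback=None)
                user = cfg.get(section, "POP3User", fallback=None)
                if server and user:
                    accounts.add((server, user))
    return sorted(accounts), exfil_pending

def build_sample_tree():
    """Construct a Promail-like directory in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="promail_demo_")
    for folder, server, user in (("work", "pop.example.com", "alice"),
                                 ("home", "mail.example.net", "alice2")):
        d = os.path.join(root, folder)
        os.mkdir(d)
        with open(os.path.join(d, ACCOUNT_FILE), "w") as fh:
            fh.write(f"[Account]\nPOP3Server={server}\nPOP3User={user}\n"
                     "POP3Port=110\nPOP3Password=<encrypted>\n")
    open(os.path.join(root, FLAG_FILE), "w").close()   # empty flag file
    return root

if __name__ == "__main__":
    found, pending = triage_promail(build_sample_tree())
    print("exfiltration still pending:", pending)
    for server, user in found:
        print(f"change password for {user} on {server}")
```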

If you are using or have used Promail, it is HIGHLY recommended that you change all your passwords, because your accounts could be used by the trojan author or other hackers for illegal purposes or for spying on you.