Data Doctors
Recycle your Computers & Technology with us.

AOL VIRUS ALERT! Password stealing trojan spreading!

Posted By : of Data Doctors on January 27, 2000

Follow us on Facebook   Follow us on Twitter   Follow us on LinkedIn

Let Data Doctors be your personal IT department today

Book an Appointment

AOL users APStrojan.qa virus alert! (1/27/00)

This question was answered on January 27, 2000. Much of the information contained herein may have changed since posting.

Users of America On-Line should be aware of a new password stealing Trojan Horse program that has been released and is seeming to spread via "spam" that was sent to AOL users.

Named the "APStrojan.qa" it mainly affects Windows 98 users but can it can also infect Windows 95 users that have the "MSVBVM50.DLL" file present in their system (This file is not the virus, but is a necessary file for an attack by this Trojan Do not delete this file in an attempt to clean your system as it is vital to the operation of other software programs.)

WHAT DOES THIS TROJAN DO?

This Trojan is a password stealer written in Visual Basic and is designed to attack America Online software installations to steal the username and password of AOL accounts! This Trojan will then send this information to the author of the Trojan This Trojan has been found in a file by the name of "MINE.EXE" and is an attachment included in an e-mail with the subject line of "hey you" The attachment is 216,576 bytes and may appear as a self-extracting archive or zip file, but it is not.

WHAT SHOULD I DO TO PROTECT MYSELF?

As with all virus/trojan horse programs, the best way to combat them is to keep your anti-virus software up-to-date This means updating your virus code (usually FREE) from your anti-virus software companies website at least once a month or immediately after being warned of a new ourbreak that would possibly affect you personally If you do not have a current program, we suggest either McAfee's ViruScan or Norton's Anti-virus You can get info on both of these programs in our software gallery at:

<a href="http://www.support4free.com/softgallery.cfm"><font color="#003399">http://www.support4free.com/softgallery.cfm

</font></a>

In addition, DO NOT OPEN ANY ATTACHMENTS to an e-mail message unless you know exactly what it is, even if you trust the sender If you have any questions about the attached file, don't open it!

If you find that your system has been infected with APStrojan.qa, AFTER removing the trojan, be sure to change the password(s) for your AOL account(s)!

THE TECHNICAL STUFF...

This trojan makes several calls to system DLLs in order to write 4 files to the local system, mark them as hidden, edit the WIN.INI to load via the run line and edit the registry to load when Windows starts Attempts to analyze changes to the system via the "RegEdit" tool are diverted by a stealth monitor by the trojan The WIN.INI is marked as read-only to prevent removing the file information in the run line.

The following is a list of DLLs which are hooked by this trojan:

C:\WINDOWS\SYSTEM\MSVBVM50.DLL

C:\WINDOWS\SYSTEM\MAPI32.DLL

C:\WINDOWS\SYSTEM\WININET.DLL

C:\WINDOWS\SYSTEM\TAPI32.DLL

C:\WINDOWS\SYSTEM\RPCRT4.DLL

C:\WINDOWS\SYSTEM\MPR.DLL

C:\WINDOWS\SYSTEM\ODBC32.DLL

C:\WINDOWS\SYSTEM\ODBCINT.DLL

C:\WINDOWS\SYSTEM\OLEAUT32.DLL

C:\WINDOWS\SYSTEM\OLE32.DLL

C:\WINDOWS\SYSTEM\COMDLG32.DLL

C:\WINDOWS\SYSTEM\MSVCRT.DLL

C:\WINDOWS\SYSTEM\SHELL32.DLL

C:\WINDOWS\SYSTEM\COMCTL32.DLL

C:\WINDOWS\SYSTEM\SHLWAPI.DLL

C:\WINDOWS\SYSTEM\WINMM.DLL

C:\WINDOWS\SYSTEM\USER32.DLL

C:\WINDOWS\SYSTEM\GDI32.DLL

C:\WINDOWS\SYSTEM\ADVAPI32.DLL

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\VERSION.DLL

In addition, the following files are written to the local hard drive:

c:\msdos98.exe

c:\WINDOWS\SYSTEM\mine.exe

c:\WINDOWS\SYSTEM\ReadMe.Txt

c:\WINDOWS\uninstallms.exe

All three executables listed above are identical

The WIN.INI is modified to load from the run line in the "windows" section with the following:

[windows]

run=c:\windows\uninstallms.exe

The registry is modified to load at Windows startup with the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunWindows="c:\msdos98.exe"

The README.TXT file written to the Windows\system folder has the following content:

"Did you like it? Write Back ok?=Þ"

About the author

Posted by of Data Doctors on January 27, 2000

Need Help with this Issue?

We help people with technology! It's what we do.
Contact or Schedule an Appointment with a location for help!

Free Help

Articles & Advice

Video News

Newsletter

Approved Software

Ask a Question
Call the Repair Hotline at

855-328-2362

Newsletter

Sign up for our newsletter and get free tips and tricks to keep your computer running great!

Start by entering your
Videos In the Press
Videos In the Press
Radio Tech Tips
Radio Tech Tips

For non-tech people, find tips from us on a station nearby!

Categories
Virus Alerts

Data Doctors
Newsletter

Subscribe Today

Customer Support Customer Support

Our customers are the most important part of our business and we empower our friendly, trained staff to spoil you. In addition, we have a dedicated Customer Support team standing by to help when needed.

If you're not satisfied, we're not done! We guarantee satisfaction.

365 Day Warranty 365 Day Warranty

We provide a 1 year warranty on new parts and computers we sell. We'll quickly diagnose and replace defective parts used during the original repair. Please keep in mind that this warranty does not cover damage you cause (such as broken screens) or water damage done to your device after the initial repair. Refurbished parts generally carry a 90 day warranty.

Satisfaction Guarantee Satisfaction Guarantee

We've been helping people with technology for nearly 30 years. We were fixing computers when break dancing was cool! We spend time with you at check-out to make sure it's exactly the way you want. Data Doctors sets the gold standard when it comes to customer satisfaction. That's why we've received more awards for customer service and satisfaction than anyone else in the business.

Book Appointment