AOL VIRUS ALERT! Password stealing trojan spreading!

Question

AOL users APStrojan.qa virus alert! (1/27/00)

Answer

This question was answered on January 27, 2000. Much of the information contained herein may have changed since posting.

Users of America On-Line should be aware of a new password-stealing Trojan Horse program that has been released and appears to be spreading via "spam" sent to AOL users.

Named "APStrojan.qa", it mainly affects Windows 98 users, but it can also infect Windows 95 users that have the "MSVBVM50.DLL" file present on their system. (This file is not the virus, but it is a necessary file for an attack by this Trojan. Do not delete this file in an attempt to clean your system, as it is vital to the operation of other software programs.)

WHAT DOES THIS TROJAN DO?

This Trojan is a password stealer written in Visual Basic and is designed to attack America Online software installations to steal the username and password of AOL accounts! The Trojan then sends this information to its author. It has been found in a file by the name of "MINE.EXE", delivered as an attachment to an e-mail with the subject line "hey you". The attachment is 216,576 bytes and may appear to be a self-extracting archive or zip file, but it is not.

WHAT SHOULD I DO TO PROTECT MYSELF?

As with all virus/trojan horse programs, the best way to combat them is to keep your anti-virus software up-to-date. This means updating your virus definition files (usually FREE) from your anti-virus software company's website at least once a month, or immediately after being warned of a new outbreak that could affect you personally. If you do not have a current program, we suggest either McAfee's VirusScan or Norton AntiVirus. You can get info on both of these programs in our software gallery at:

http://www.support4free.com/softgallery.cfm

In addition, DO NOT OPEN ANY ATTACHMENTS to an e-mail message unless you know exactly what it is, even if you trust the sender. If you have any questions about the attached file, don't open it!

If you find that your system has been infected with APStrojan.qa, AFTER removing the trojan, be sure to change the password(s) for your AOL account(s)!

THE TECHNICAL STUFF...

This trojan makes several calls to system DLLs in order to write 4 files to the local system, mark them as hidden, edit the WIN.INI to load via the run line, and edit the registry to load when Windows starts. Attempts to analyze changes to the system via the "RegEdit" tool are diverted by a stealth monitor installed by the trojan. The WIN.INI is marked as read-only to prevent removal of the file information from the run line.

The following is a list of DLLs which are hooked by this trojan:

C:\WINDOWS\SYSTEM\MSVBVM50.DLL

C:\WINDOWS\SYSTEM\MAPI32.DLL

C:\WINDOWS\SYSTEM\WININET.DLL

C:\WINDOWS\SYSTEM\TAPI32.DLL

C:\WINDOWS\SYSTEM\RPCRT4.DLL

C:\WINDOWS\SYSTEM\MPR.DLL

C:\WINDOWS\SYSTEM\ODBC32.DLL

C:\WINDOWS\SYSTEM\ODBCINT.DLL

C:\WINDOWS\SYSTEM\OLEAUT32.DLL

C:\WINDOWS\SYSTEM\OLE32.DLL

C:\WINDOWS\SYSTEM\COMDLG32.DLL

C:\WINDOWS\SYSTEM\MSVCRT.DLL

C:\WINDOWS\SYSTEM\SHELL32.DLL

C:\WINDOWS\SYSTEM\COMCTL32.DLL

C:\WINDOWS\SYSTEM\SHLWAPI.DLL

C:\WINDOWS\SYSTEM\WINMM.DLL

C:\WINDOWS\SYSTEM\USER32.DLL

C:\WINDOWS\SYSTEM\GDI32.DLL

C:\WINDOWS\SYSTEM\ADVAPI32.DLL

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\VERSION.DLL

In addition, the following files are written to the local hard drive:

c:\msdos98.exe

c:\WINDOWS\SYSTEM\mine.exe

c:\WINDOWS\SYSTEM\ReadMe.Txt

c:\WINDOWS\uninstallms.exe

All three executables listed above are identical.

The WIN.INI is modified to load from the run line in the "windows" section with the following:

[windows]

run=c:\windows\uninstallms.exe

The registry is modified to load at Windows startup with the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunWindows="c:\msdos98.exe"

The README.TXT file written to the Windows\system folder has the following content:

"Did you like it? Write Back ok?=Þ"
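The persistence indicators above (the dropped files and the WIN.INI run line) can be checked mechanically. The following is an added example, not code from the original alert or from Data Doctors; it parses a WIN.INI text and a list of file paths (both constructed here as sample input) and reports which of the alert's indicators are present.

```python
"""Indicator check for the APStrojan.qa persistence described in the alert (added example)."""
import re

# Indicators taken from the alert above: the four dropped files and the WIN.INI run line.
DROPPED_FILES = {
    r"c:\msdos98.exe",
    r"c:\windows\system\mine.exe",
    r"c:\windows\system\readme.txt",
    r"c:\windows\uninstallms.exe",
}
RUN_LINE_INDICATOR = r"c:\windows\uninstallms.exe"

def parse_ini(text):
    """Minimal INI parser: returns {section: {key: value}} with lowercase section/key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_win_ini(text):
    """Return the [windows] run/load entries that match the trojan's indicator."""
    findings = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        for entry in windows.get(key, "").split():
            if entry.lower() == RUN_LINE_INDICATOR:
                findings.append(f"win.ini [windows] {key}={entry}")
    return findings

def check_files(present_paths):
    """Return which of the known dropped files are present (case-insensitive path match)."""
    return sorted(p for p in present_paths if p.lower() in DROPPED_FILES)

# Constructed sample input standing in for a real WIN.INI and a directory listing.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\uninstallms.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\mine.exe", r"C:\WINDOWS\win.ini", r"C:\msdos98.exe"]

if __name__ == "__main__":
    for finding in check_win_ini(SAMPLE_WIN_INI) + check_files(SAMPLE_FILES):
        print("INDICATOR:", finding)
```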


Author

Posted by Ken of Data Doctors on January 27, 2000