Virus Profile

Virus Name
APStrojan.qa

Date Added
1/25/00

Virus Characteristics
Note - AVERT has raised the Risk Assessment on this virus for END USERS ONLY to Medium, as it has received numerous reports from this section of the user community. At this time there have been no reports of this threat from the CORPORATE COMMUNITY, and therefore the AVERT Risk Assessment for this group remains at Low. The McAfee.Com Virus Information Library's description notes the change to Medium, while the McAfee AVERT website's description for this threat remains at Low. An Extra.DAT and Extra.DRV have been posted to the McAfee.Com website for End Users wanting to update. No update is posted to the McAfee AVERT web site.

Note the name change from APSTrojan.pz to APSTrojan.qa.

This is a password stealer and Internet worm written in Visual Basic 5, designed to attack America Online software installations to determine the password of user accounts. This trojan sends the account details to the author of the trojan. In addition, if the victim is logged onto AOL v4.0, it sends itself to the AOL screen names listed in your buddy list who are currently logged onto AOL!

This file could have been received by email as an attachment named "mine.zip" (with a size of 77,855 bytes) and with a subject line of "hey you". The message body suggests that the attachment is actually scanned pictures:

--- copy of email forwarded to AOL members ---
hey i finally got my pics scanned..theres like 5 or 6 of them..so just download it and unzip it..and for you people who dont know how to then scroll down..tell me what you think of my pics ok?

if you dont know how to unzip then follow these steps

When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences.

If you want to do it manually then
On the My Files menu on the AOL toolbar, click Download Manager.
In the Download Manager window, click Show Files Downloaded.
Select my file and click Decompress
--- end of copy ---


The attachment MINE.ZIP contains two files. The first is MINE.EXE, 216,576 bytes, with an icon that resembles a PKLite self-extracting file; however, it is not of this type. The second is a file named "README.TXT" containing simply the text: "Did you like it? Write Back ok?=Þ"

This trojan makes several calls to system DLLs in order to write four files to the local system, mark them as hidden, edit the WIN.INI to load via the run line, and also edit the registry to load at Windows startup. Attempts to analyze changes to the system by launching the RegEdit tool are diverted by a stealth monitor in the trojan. The WIN.INI is also marked as read-only, in an attempt to prevent removal of the file information from the run line.

The following is a list of DLLs which are hooked by this trojan:
C:\WINDOWS\SYSTEM\MSVBVM50.DLL
C:\WINDOWS\SYSTEM\OLEAUT32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\MAPI32.DLL
C:\WINDOWS\SYSTEM\TAPI32.DLL
C:\WINDOWS\SYSTEM\RPCRT4.DLL
C:\WINDOWS\SYSTEM\MPR.DLL
C:\WINDOWS\SYSTEM\ODBC32.DLL
C:\WINDOWS\SYSTEM\ODBCINT.DLL
C:\WINDOWS\SYSTEM\VERSION.DLL
C:\WINDOWS\SYSTEM\COMDLG32.DLL
C:\WINDOWS\SYSTEM\MSVCRT.DLL
C:\WINDOWS\SYSTEM\OLE32.DLL
C:\WINDOWS\SYSTEM\SHELL32.DLL
C:\WINDOWS\SYSTEM\COMCTL32.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\WINMM.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL

The following files are written to the local system as hidden files:
c:\msdos98.exe
c:\WINDOWS\SYSTEM\mine.exe
c:\WINDOWS\SYSTEM\ReadMe.Txt
c:\WINDOWS\uninstallms.exe

All three executables listed above are identical. In order to view the files, you must be able to view hidden files; enable this in Windows Explorer under "View|Folder Options|View" by selecting "show all files" in the "hidden files" section.

The WIN.INI is modified to load from the run line in the "windows" section with the following:

[windows]
run=c:\windows\uninstallms.exe

In some cases, the entry for the WIN.INI is shifted very far to the right, out of visibility. You must scroll to the right to see this entry.

The registry is modified to load at Windows startup with the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Windows="c:\msdos98.exe"

This trojan has a dependency on the file MSVBVM50.DLL and without this it cannot run. This DLL exists on Windows 98 systems but does not exist on Windows 95 by default.

When this trojan is running in memory on a host system, a timer routine monitors the WIN.INI and constantly ensures that the value listed in the RUN= remains modified, and also that the WIN.INI has read-only attributes. Renaming the ATTRIB.EXE program does not have any effect as the attributes are set using API functions.
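As an added defender's check (written for this page, not part of the McAfee profile), the following Python parses a WIN.INI text and a dictionary of registry Run values and flags the persistence entries described above, including a run= value padded off-screen to the right; the sample WIN.INI is constructed, and the registry values are assumed to have been read separately.

```python
import re

# File paths this profile lists as written by APStrojan.qa (lower-case for matching).
KNOWN_PATHS = {
    r"c:\msdos98.exe",
    r"c:\windows\system\mine.exe",
    r"c:\windows\system\readme.txt",
    r"c:\windows\uninstallms.exe",
}

def parse_run_line(win_ini_text):
    """Return the programs listed on run= in the [windows] section of a WIN.INI.
    The trojan pads the entry far to the right so it is off-screen in an editor;
    stripping whitespace around the value defeats that. Returns [] if absent."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "run":
                # run= is a comma/space separated list of (8.3-style) program paths
                return [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return []

def suspicious_run_entries(win_ini_text):
    """Programs on the WIN.INI run= line that match the profile's file list."""
    return [p for p in parse_run_line(win_ini_text) if p.lower() in KNOWN_PATHS]

def suspicious_run_values(run_values):
    """Flag HKLM\\...\\CurrentVersion\\Run values (name -> command) that point at
    the profile's files. Values are often quoted, as in the profile's Windows entry."""
    hits = {}
    for name, cmd in run_values.items():
        exe = cmd.strip().strip('"').lower()
        if exe in KNOWN_PATHS:
            hits[name] = exe
    return hits

# Constructed sample WIN.INI (not from a real system): the run= value is padded
# with 200 spaces so it is invisible without scrolling, as the profile describes.
SAMPLE_WIN_INI = (
    "[windows]\nload=\n"
    "run=" + " " * 200 + "c:\\windows\\uninstallms.exe\n"
    "NullPort=None\n[Desktop]\nWallpaper=(None)\n"
)
```

Running `suspicious_run_entries(SAMPLE_WIN_INI)` returns the padded uninstallms.exe entry, and `suspicious_run_values({"Windows": '"c:\\msdos98.exe"'})` flags the registry value the profile lists.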

Removal of this trojan requires rebooting the system into "Safe mode". You can enable the startup menu by running MSCONFIG.EXE: select "START|RUN" and type MSCONFIG. Once the utility is launched, click the "Advanced" button on the "General" tab and set the option "Enable Startup Menu". Click "OK". To reboot the system, first press CTRL-ALT-DEL to bring up the Task list and then press CTRL-ALT-DEL again to force a reboot; you could also press the reset key. Starting Windows in safe mode prevents the trojan from loading from either the registry or the WIN.INI.

Indications Of Infection
Existence of files mentioned above, slowness of the system, attempts to start REGEDIT are diverted, WIN.INI is marked READ-ONLY.

Method Of Infection
Running the trojan either intentionally or accidentally will install using the methods mentioned above.

Removal Instructions
Use specified engine and DAT files for detection. Removal requires rebooting to MS-DOS mode to first remove the file from Windows memory before deleting the files detected as the trojan. Remove references in WIN.INI and/or SYSTEM.INI and registry for final clean-up measures.

Virus Information
  Discovery Date: 1/18/00
  Origin: AOL Email
  Length: 216,576
  Type: Trojan
  SubType: AOL Password
  Risk Assessment: Medium

Variants
Name Type Sub Type Differences
Unknown

Aliases
APStrojan.qa.worm, TROJ_APS.216576

Related Viruses
Unknown

Related Downloads
None

Related Images
MINE.EXE Trojan Icon

Minimum Dat
4064

Minimum Engine
4.0.25