Virus Profile

Virus Characteristics

Note the name change from APSTrojan.pz to APSTrojan.qa.
This is a password stealer and Internet worm written in Visual Basic 5, designed to attack America Online software installations in order to determine the passwords of user accounts. The trojan sends the account details to its author. In addition, if the victim is logged onto AOL v4.0, it sends itself to the AOL screen names in the victim's buddy list who are currently logged onto AOL!
This file could have been received by email as an attachment named "mine.zip" (77,855 bytes) with a subject line of "hey you". The message body suggests that the attachment contains scanned pictures:

--- copy of email forwarded to AOL members ---
if you dont know how to unzip then follow these steps
When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences.
If you want to do it manually then

This trojan makes several calls to system DLLs in order to write 4 files to the local system, mark them as hidden, edit WIN.INI so that the trojan loads via the run= line, and edit the registry so that it loads at Windows startup. Attempts to analyze the changes to the system by launching the RegEdit tool are also diverted by a stealth monitor run by the trojan. WIN.INI is also marked read-only in an attempt to prevent removal of the file information from the run line.
The following is a list of DLLs which are hooked by this trojan:

The following files are written to the local system as hidden files:

All three executables listed above are identical. In order to view the files, you must be able to view hidden files. This option is set under "View|Folder Options|View" in Windows Explorer: in the "Hidden files" section, select "Show all files".
WIN.INI is modified to load the trojan from the run line in the "windows" section with the following:

[windows]

In some cases, the entry in WIN.INI is shifted very far to the right, out of visibility. You must scroll to the right to see this entry.
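As an added example (not part of the original profile), a small Python check that parses the [windows] section of a WIN.INI and flags run=/load= entries whose value has been pushed out of view by whitespace padding, the hiding trick described above. The sample INI text and the executable path in it are constructed for the demonstration; the page does not give the real run= value.

```python
import re

# Constructed sample WIN.INI: the run= value is padded with 200 spaces so it
# scrolls out of view in an editor. The path is a placeholder, not the real one.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=" + " " * 200 + "C:\\WINDOWS\\SYSTEM\\HIDDEN_EXAMPLE.EXE\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)


def parse_ini(text):
    """Parse INI text into {section: [(key, raw_value)]}.

    The raw value is kept unstripped so that leading whitespace padding
    (the right-shift trick) survives for inspection.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        m = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value))
    return sections


def suspicious_run_entries(text, pad_threshold=8):
    """Report non-empty run=/load= entries in [windows], noting how far the
    value is pushed right and whether that padding would hide it on screen."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key not in ("run", "load"):
            continue
        target = value.strip()
        if not target:
            continue  # empty run=/load= is the normal, clean state
        padding = len(value) - len(value.lstrip(" \t"))
        findings.append({"key": key, "target": target, "padding": padding,
                         "hidden_by_padding": padding >= pad_threshold})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_WIN_INI):
        print(f"{f['key']}= -> {f['target']} (padding {f['padding']}, "
              f"hidden: {f['hidden_by_padding']})")
```

On a real system you would read C:\WINDOWS\WIN.INI into the function instead of the sample string; any non-empty run= or load= target deserves a look regardless of padding.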
The registry is modified to load the trojan at Windows startup with the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

This trojan depends on the file MSVBVM50.DLL and cannot run without it. This DLL exists on Windows 98 systems but does not exist on Windows 95 by default.
When this trojan is running in memory on a host system, a timer routine monitors WIN.INI and constantly ensures that the value listed in the RUN= line remains modified, and also that WIN.INI keeps its read-only attribute. Renaming the ATTRIB.EXE program has no effect, as the attributes are set using API functions.
Removal of this trojan requires some skill in getting the system to reboot into "Safe mode". You can invoke safe mode by running the program MSCONFIG.EXE: select "START|RUN" and type MSCONFIG. Once you have launched this utility, select the "Advanced" button on the "General" tab and set the option "Enable Startup Menu". Click "OK". To reboot the system, first press CTRL-ALT-DEL to bring up the Task list and then press CTRL-ALT-DEL again to force a reboot. You could also hit the reset key. Starting Windows in safe mode will prevent the loading of the trojan from either the registry or WIN.INI.