Virus
Name
APStrojan.qa
Date
Added
1/25/00
Virus
Characteristics Note the name change from APSTrojan.pz to APSTrojan.qa
This is a password stealer and Internet worm written in Visual Basic 5
designed to attack America Online software installations to determine the
password of user accounts. This trojan will send the account detail to the
author of the trojan. In addition, if the victim is logged onto AOL v4.0, it
will send itself to AOL screen names listed in your buddylist who are currently
logged onto AOL!
This file could have been received by email as an attachment named "mine.zip"
(with a size of 77,855 bytes) and with a subject line of "hey you". The message
body suggests that the attachment is actually scanned pictures:
--- copy of email forwarded to AOL members --- if you dont know how to unzip then follow these steps
When you sign off, AOL will automatically unzip the file, unless you have
turned this feature off in your download preferences.
If you want to do it manually then This trojan makes several calls to system DLLs in order to write 4 files to
the local system, mark them as hidden, edit the WIN.INI to load via the run line
and also edit the registry to load at Windows startup. Also attempts to analyze
changes to they system by launching the RegEdit tool are diverted by a stealth
monitor by the trojan. The WIN.INI is marked as read-only also in an attempt to
prevent removing the file information in the run line.
The following is a list of DLLs which are hooked by this
trojan: The following files are written to the local system as hidden files:
All three executables listed above are identical. In order to view the files,
you must be able to view hidden files. This option is available by setting this
option in the "View|Folder Options|View" menu selection in Windows Explorer. In
the section for "hidden files", select "show all files".
The WIN.INI is modified to load from the run line in the "windows" section
with the following:
[windows] In some cases, the entry for the WIN.INI is shifted very far to the right,
out of visibility. You must scroll to the right to see this entry.
The registry is modified to load at Windows startup with the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ This trojan has a dependency on the file MSVBVM50.DLL and without this it
cannot run. This DLL exists on Windows 98 systems but does not exist on Windows
95 by default.
When this trojan is running in memory on a host system, a timer routine
monitors the WIN.INI and constantly ensures that the value listed in the RUN=
remains modified, and also that the WIN.INI has read-only attributes. Renaming
the ATTRIB.EXE program does not have any effect as the attributes are set using
API functions.
Removal of this trojan requires some skill getting to reboot the system into
"Safe mode". You can invoke safe mode by running the program MSCONFIG.EXE by
selecting "START|RUN" and typing in the MSCONFIG. Once you have launched this
utility, select the "Advanced" button on the "General" tab and set the option to
"Enable Startup Menu". Click on "OK" and to reboot the system, first press
CTRL-ALT-DEL to bring up the Task list and then press CTRL-ALT-DEL again to
force a reboot. You could also hit the reset key. Starting Windows in safe mode
will prevent the loading of the trojan from either the registry or the
WIN.INI.
Note - AVERT has raised the Risk Assessment on this virus for END USERS
ONLY to Medium as it has received numerous reports from this section of the user
community. At this time there have been no reports of this threat from the
CORPORATE COMMUNITY and therefore the AVERT Risk Assessment for this group
remains at Low. The McAfee.Com Virus Information Library's description notes the
change to Medium, while the McAfee AVERT website's description for this threats
remains at Low. An Extra.DAT and Extra.DRV has been posted to the McAfee.Com
website for End Users wanting to update. No update is posted to the McAfee AVERT
web site.
hey i finally got my pics
scanned..theres like 5 or 6 of them..so just download it and unzip it..and for
you people who dont know how to then scroll down..tell me what you think of my
pics ok?
On the My Files menu on the AOL
toolbar, click Download Manager.
In the Download Manager window, click Show
Files Downloaded.
Select my file and click Decompress
--- end of copy ---
The attachment MINE.ZIP contains two files. The first is MINE.EXE of
216,576 bytes and has an icon which resembles a PKLite self-extracting file
however it is not of this type. The second is a file named "README.TXT" and
contains simply the text: "Did you like it? Write Back ok?=Þ"
C:\WINDOWS\SYSTEM\MSVBVM50.DLL
C:\WINDOWS\SYSTEM\OLEAUT32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\MAPI32.DLL
C:\WINDOWS\SYSTEM\TAPI32.DLL
C:\WINDOWS\SYSTEM\RPCRT4.DLL
C:\WINDOWS\SYSTEM\MPR.DLL
C:\WINDOWS\SYSTEM\ODBC32.DLL
C:\WINDOWS\SYSTEM\ODBCINT.DLL
C:\WINDOWS\SYSTEM\VERSION.DLL
C:\WINDOWS\SYSTEM\COMDLG32.DLL
C:\WINDOWS\SYSTEM\MSVCRT.DLL
C:\WINDOWS\SYSTEM\OLE32.DLL
C:\WINDOWS\SYSTEM\SHELL32.DLL
C:\WINDOWS\SYSTEM\COMCTL32.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\WINMM.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL
c:\msdos98.exe
c:\WINDOWS\SYSTEM\mine.exe
c:\WINDOWS\SYSTEM\ReadMe.Txt
c:\WINDOWS\uninstallms.exe
run=c:\windows\uninstallms.exe
Windows="c:\msdos98.exe"
Indications Of
Infection
Existence of files mentioned above, slowness of the system, attempts to
start REGEDIT are diverted, WIN.INI is marked READ-ONLY.
Method Of
Infection
Running the trojan either intentionally or accidentally will install
using the methods mentioned above.
Removal
Instructions
Use specified engine and DAT files for detection. Removal requires
rebooting to MS-DOS mode to first remove the file from Windows memory before
deleting the files detected as the trojan. Remove references in WIN.INI and/or
SYSTEM.INI and registry for final clean-up measures.
Virus
Information
| Discovery Date: | 1/18/00 | |
| Origin: | AOL Email | |
| Length: | 216,576 | |
| Type: | Trojan | |
| SubType: | AOL Password | |
| Risk Assessment: | Medium |
Variants
| Name | Type | Sub Type | Differences |
| Unknown |
Aliases
APStrojan.qa.worm, TROJ_APS.216576
Related
Viruses
Unknown
Related
Downloads
None
Related
Images
MINE.EXE Trojan
Icon
Minimum
Dat
4064
Minimum
Engine
4.0.25