APStrojan.ob

This page shows details and results of our analysis on the malware APStrojan.ob

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT: 4024 (1999-05-05)

Updated DAT: 4638 (2005-11-28)

Minimum Engine: 5.1.00

File Length: 236,544

Description Added: 1999-07-22

Description Modified: 2001-01-22

Characteristics

This trojan works as a password stealer: it runs resident in Windows memory, monitors your AOL logon account information, and then sends it to an email address. The trojan was written in Delphi and makes the following changes to your system; note that the WIN.INI "load=" line listed below is unusually long.

Modified C:\WINDOWS\SYSTEM.INI
[boot]
SCRNSAVE.EXE=c:\windows\system\WinSaver.exe
Modified C:\WINDOWS\WIN.INI
[windows]
load= C:\Americ~1.0\BuddyList.exe
run=c:\windows\system\NortonAntiVir\RegistryReminder.exe

New folders
C:\America Online 4.0\
C:\WINDOWS\SYSTEM\NortonAntiVir\

New files
C:\America Online 4.0\BuddyList.exe
C:\WINDOWS\SYSTEM\NortonAntiVir\RegistryReminder.exe
C:\Command.exe
C:\WINDOWS\Start Menu\Programs\StartUp\AIM Reminder.exe
C:\WINDOWS\SYSTEM\WinSaver.exe
C:\WINDOWS\SYSTEM\vclcntl.dll

Task running in memory:
"BuddyList"

Modified Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinProfile"="C:\Command.exe"
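The persistence points listed above (SYSTEM.INI [boot] SCRNSAVE.EXE, WIN.INI [windows] load= and run=, and the HKLM Run value) are the places a defender checks first. The following is an added example, not part of the original description and not McAfee's tooling: a small Python checker that parses INI text, inspects exactly those keys, and flags any entry whose file name matches one of the dropped files named above. The SYSTEM.INI, WIN.INI and Run-value samples embedded in it are constructed to mirror the modifications listed on this page; on a real machine you would read the actual files instead.

```python
import re
import ntpath

# Persistence locations documented for APStrojan.ob: which INI sections/keys to inspect.
INI_PERSISTENCE_KEYS = {
    "system.ini": {"boot": ("scrnsave.exe",)},
    "win.ini": {"windows": ("load", "run")},
}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Base names of the files the trojan drops (from the "New files" list above).
# Matching is by base name, case-insensitively, so the short directory form
# C:\Americ~1.0\ used in WIN.INI is still caught.
INDICATOR_FILES = {
    "buddylist.exe",
    "registryreminder.exe",
    "command.exe",
    "aim reminder.exe",
    "winsaver.exe",
    "vclcntl.dll",
}

# Constructed sample inputs mirroring the modifications described on this page.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
SCRNSAVE.EXE=c:\\windows\\system\\WinSaver.exe
[386Enh]
device=vmm32.vxd
"""
SAMPLE_WIN_INI = """\
[windows]
load= C:\\Americ~1.0\\BuddyList.exe
run=c:\\windows\\system\\NortonAntiVir\\RegistryReminder.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_VALUES = {"WinProfile": r"C:\Command.exe", "SystemTray": "SysTray.Exe"}


def parse_ini(text):
    """Minimal INI parser tolerant of the loose syntax found in WIN.INI / SYSTEM.INI.

    Section names and keys are lower-cased; values keep their original spelling.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def basename(entry):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return ntpath.basename(entry.strip().strip('"')).lower()


def scan_ini(ini_name, text):
    """Return (file, 'section key', entry) for persistence entries naming a known dropped file."""
    findings = []
    sections = parse_ini(text)
    for section, keys in INI_PERSISTENCE_KEYS.get(ini_name.lower(), {}).items():
        for key in keys:
            value = sections.get(section, {}).get(key, "")
            # load= and run= may list several programs separated by spaces or commas.
            for item in re.split(r"[,\s]+", value):
                if item and basename(item) in INDICATOR_FILES:
                    findings.append((ini_name, f"[{section}] {key}", item))
    return findings


def scan_run_values(values):
    """Flag Run-key values (name -> command) whose target is a known dropped file."""
    return [(RUN_KEY, name, data) for name, data in values.items()
            if basename(data) in INDICATOR_FILES]


def scan_all(system_ini=SAMPLE_SYSTEM_INI, win_ini=SAMPLE_WIN_INI, run_values=SAMPLE_RUN_VALUES):
    """Check all three persistence locations; returns the combined list of findings."""
    return (scan_ini("SYSTEM.INI", system_ini)
            + scan_ini("WIN.INI", win_ini)
            + scan_run_values(run_values))


if __name__ == "__main__":
    for location, key, value in scan_all():
        print(f"{location}: {key} -> {value}")
```

Run against the constructed samples, the checker reports the screen-saver entry, both WIN.INI entries and the WinProfile Run value; the legitimate `shell=` and `SystemTray` entries are left alone because only the documented keys are inspected and only the documented file names are matched.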

Removal Method (Manual):
* Shut down Windows 95/98 and restart in MS-DOS mode.
* Type in the following DOS commands (press ENTER after each line):

ATTRIB -H C:\AMERIC~1.0\BUDDYL~1.EXE
DEL C:\AMERIC~1.0\BUDDYL~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE
DEL C:\WINDOWS\SYSTEM\NORTON~1\REGIST~1.EXE

ATTRIB -H C:\COMMAND.EXE
DEL C:\COMMAND.EXE

ATTRIB -H C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE
DEL C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\AIMREM~1.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\WINSAVER.EXE
DEL C:\WINDOWS\SYSTEM\WINSAVER.EXE

ATTRIB -H C:\WINDOWS\SYSTEM\VCLCNTL.DLL
DEL C:\WINDOWS\SYSTEM\VCLCNTL.DLL

* Exit and return to Windows by typing EXIT.
* Ignore error messages about missing files; this is normal.
* Clean up WIN.INI / SYSTEM.INI by removing the entries listed above.

Symptoms

Existence of the files mentioned above, system slowness, emails in your Sent folder addressed to an unrecognized email address containing your user name and password details, and a running "BuddyList" process in the task list.

Method of Infection

Running the trojan installs it directly onto the system as described above.

Removal

Use current engine and DAT files for detection and removal.

Removal requires rebooting to MS-DOS mode to first remove the file from Windows memory before deleting the files detected as the virus, trojan or Internet worm.

Use the command line scanner to detect and remove or delete manually.

If applicable, remove references in WIN.INI and/or SYSTEM.INI and/or registry for final clean-up measures.

Variants

APStrojan.of
APStrojan.ob.pak.gen