AOL Password Trojan information
AOL Password Trojan
I got my first real virus! In all my years of websurfing, this is the first virus I've gotten outside of work. (OK, not a true virus, but a Trojan Horse.)
Somehow, I got this trojan virus that compromises your AOL password.
This does not appear to be a variant of the T-Online Trojan, nor is it a hoax.
It infects your system and allows unauthorized use of your AOL account.
A search at McAfee, Dr Solomon, and Norton shows none of these files listed. A new trojan?
It replaces the AOL signon screen with this:
The misplaced password field (top left) looks to the average user as simply a not very serious bug. In reality, it captures the keystrokes entered there. In addition, once online with AOL, any password changes are captured and emailed thusly:
[begin intercepted email]
Subj: Web Access Confirmation
Date: 6/6/99 10:58:28 PM Eastern Daylight Time
[From Change PW Box]
XXX - skinnyd
(Real logon and passwords blocked out here, but XXX = my real logon, and skinnyd = the password I had just generated)
[end intercepted email]
No confirmation of this email is given, even if you have that AOL feature turned on.
The varied files this creates on your system give this Trojan many ways to recreate itself.
All these are designed to run on boot, and completely in the background. Also, the innovative file names would make a casual PC user shy away from deleting them. Who in his right mind would suspect COMMAND.EXE? Or AIM Reminder.exe? Or disable a Norton AntiVirus "Reminder"? (The gall of planting a trojan directly in the antivirus folder is especially gutsy.)
If any of the folders do not exist, such as C:\America Online 4.0 and C:\Windows\System\Norton AntiVir, it will create those when it copies those files. That slipup is one of the ways I was able to detect ALL the files it creates. I don't run Norton, nor is my AOL software installed to the default folder.
A new PC, with both of these programs installed at the factory, probably would have them in the default folder. BuddyList.exe and RegistryReminder.exe would be just two more files mixed in among hundreds of regular program files. You might never notice them.
To clean this, you must boot into DOS, preferably from a clean floppy. If Windows runs, the registry entries will start at least one of these files, and Windows will not allow you to delete it. If any of the 231kb files is allowed to run, it will recreate all the other files, rendering your system compromised once again.
Delete ALL these files and clean the Registry, WIN.INI, and SYSTEM.INI of their bogus entries. This MUST be done all in one session. If the system is allowed to reboot, one or more of these will execute, re-infecting your system.
This was after removing BuddyList.exe. The AIM Reminder.exe file in the Startup group appears to generate this.
This was after removing the entry in the WIN.INI file.
C:\Command.exe 236,544 bytes (231kb)
C:\Windows\System\Winsaver.exe 236,544 bytes (231kb)
C:\America Online 4.0\Buddylist.exe 236,544 bytes (231kb)
C:\Windows\Start Menu\Programs\Startup\AIM Reminder.exe 236,544 bytes (231kb)
C:\Windows\System\NortonAntiVir\RegistryReminder.exe 236,544 bytes (231kb)
C:\Windows\Explore.exe 41,472 bytes (42kb) I think this is the primary file.
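The file list above and the cleanup steps (delete every copy, then purge WIN.INI and SYSTEM.INI of their autostart entries) amount to a small set of indicators. The following Python script is an added example, not something from the original page or its author: it checks a file inventory against the listed paths and sizes and parses the classic Windows 9x autostart keys (WIN.INI [windows] load=/run=, SYSTEM.INI [boot] shell=) for references to the dropped filenames. The function names, the sample inventory and the sample INI text are constructed for this example; the paths and sizes are the page's own.

```python
"""Offline indicator check for the AOL password trojan described above.

Added example, not part of the original page. The helper names
(scan_inventory, find_ini_autostarts) and all sample data are
constructed for illustration.
"""
import re

# Indicators from the page: every dropped copy is 236,544 bytes,
# the suspected primary file (Explore.exe) is 41,472 bytes.
DROPPER_SIZE = 236_544
PRIMARY_SIZE = 41_472
KNOWN_PATHS = {
    r"C:\Command.exe": DROPPER_SIZE,
    r"C:\Windows\System\Winsaver.exe": DROPPER_SIZE,
    r"C:\America Online 4.0\Buddylist.exe": DROPPER_SIZE,
    r"C:\Windows\Start Menu\Programs\Startup\AIM Reminder.exe": DROPPER_SIZE,
    r"C:\Windows\System\NortonAntiVir\RegistryReminder.exe": DROPPER_SIZE,
    r"C:\Windows\Explore.exe": PRIMARY_SIZE,
}
KNOWN_NAMES = {p.rsplit("\\", 1)[1].lower() for p in KNOWN_PATHS}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan_inventory(inventory):
    """Return (path, reason) for inventory entries that match an indicator.

    Matching is case-insensitive. A known path whose size differs is still
    reported (as a mismatch) rather than silently passed, and a known
    filename in a non-default folder is reported too, since the page notes
    the AOL and Norton folders may not be where the trojan expects.
    """
    lower_known = {k.lower(): v for k, v in KNOWN_PATHS.items()}
    hits = []
    for path, size in inventory:
        key = path.lower()
        name = _basename(key)
        if key in lower_known:
            expected = lower_known[key]
            if size == expected:
                hits.append((path, "known path and size"))
            else:
                hits.append((path, f"known path, size mismatch ({size} != {expected})"))
        elif name in KNOWN_NAMES:
            hits.append((path, "known name at unexpected location"))
        elif size == DROPPER_SIZE and name.endswith(".exe"):
            hits.append((path, "236,544-byte executable (dropper size)"))
    return hits


# Section and keys that start programs at boot on Windows 9x.
AUTOSTART_KEYS = {
    "win.ini": ("windows", ("load", "run")),
    "system.ini": ("boot", ("shell",)),
}


def find_ini_autostarts(ini_name, text):
    """Return (key, value) for autostart entries naming a listed file.

    Each value is split on whitespace/commas and compared by basename, so
    the legitimate shell=Explorer.exe is not confused with Explore.exe.
    """
    section_wanted, keys_wanted = AUTOSTART_KEYS[ini_name.lower()]
    current = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).lower()
            continue
        if current != section_wanted or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() not in keys_wanted:
            continue
        tokens = [t for t in re.split(r"[\s,]+", value) if t]
        if any(_basename(t) in KNOWN_NAMES for t in tokens):
            findings.append((key, value))
    return findings


# Constructed sample data (not from the page author's machine).
SAMPLE_INVENTORY = [
    (r"C:\Command.exe", 236_544),
    (r"C:\Windows\Explore.exe", 41_472),
    (r"C:\Windows\Explorer.exe", 208_896),              # legitimate shell
    (r"C:\Program Files\AOL\Buddylist.exe", 236_544),   # non-default AOL folder
    (r"C:\Windows\Notepad.exe", 52_224),
]
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\Windows\System\Winsaver.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe
[386Enh]
"""

if __name__ == "__main__":
    for path, reason in scan_inventory(SAMPLE_INVENTORY):
        print(f"FILE  {path}: {reason}")
    for ini, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for key, value in find_ini_autostarts(ini, text):
            print(f"INI   {ini} {key}={value}")
```

Run it as-is to see the three file hits and the one WIN.INI run= entry from the sample data; on a real machine you would feed `scan_inventory` a walk of the drive taken from a clean boot, as the page insists, since the files recreate each other while Windows is running. Registry Run keys would be checked the same way, but the page does not list its registry entries, so none are encoded here.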
Windows Registry alterations: