AOL Password Trojan information


AOL Password Trojan 

I got my first real virus! In all my years of websurfing, this is the first virus I've gotten outside of work. (OK, not a true virus, but a Trojan Horse.)

Somehow, I got this trojan virus that compromises your AOL password.

This does not appear to be a variant of the T-Online Trojan, nor is it a hoax.

It infects your system and allows unauthorized use of your AOL account.

A search at McAfee, Dr Solomon's, and Norton shows none of these files listed. A new trojan?

It replaces the AOL signon screen with this:

[Image: the altered AOL sign-on screen, with an extra password field in the top left]

The misplaced password field (top left) looks to the average user like nothing more than a minor display bug. In reality, it captures the keystrokes entered there. In addition, once you are online with AOL, any password change is captured and emailed like this:

[begin intercepted email]

Subj:    Web Access Confirmation
Date:    6/6/99 10:58:28 PM Eastern Daylight Time
From:    XXX
To:    rnad@n2mail.com
BCC:    qware4019@hotmail.com

[From Change PW Box]
XXX - skinnyd

Welcome, XXX!

(Real logon and password blocked out here, but XXX = my real logon, and skinnyd = the password I had just generated)

[end intercepted email]

AOL gives no confirmation that this email was sent, even if you have that AOL feature turned on.


The several files this creates on your system give the Trojan many ways to recreate itself:

  1. The two win.ini entries start the files on boot
  2. The registry entries start their files on boot
  3. AIM Reminder in the Startup Group
  4. The Screen saver entry ensures that even if you delete all the other files, the first time your screensaver runs, BANG, you’re stuck again

All of these are designed to run at boot, completely in the background. The clever file names would also discourage a casual PC user from deleting them. Who in his right mind would suspect COMMAND.EXE? Or AIM Reminder.exe? Or disable a Norton AntiVirus "Reminder"? (Planting a trojan directly in the antivirus folder is especially gutsy.)

[Images: the Startup group folder and the planted Command.exe]

If any of the folders do not exist, such as C:\America Online 4.0 and C:\Windows\System\NortonAntiVir, it creates them when it copies the files there. That slip-up is one of the ways I was able to detect ALL the files it creates: I don’t run Norton, and my AOL software is not installed in the default folder.

A new PC with both of these programs installed at the factory would probably have them in the default folders. BuddyList.exe and RegistryReminder.exe would then be just two more files mixed in among hundreds of regular program files. You might never notice them.


To clean this, you must boot into DOS, preferably from a clean floppy. If Windows is running, the registry entries will have started at least one of these files, and Windows will not let you delete a running executable. If any of the 231 KB files is allowed to run, it will recreate all the other files, and your system is compromised once again.

Delete ALL these files and clean the bogus entries out of the Registry, WIN.INI, and SYSTEM.INI. This MUST all be done in one session: if the system is allowed to reboot in between, one or more of these will execute and re-infect your system.

[Image: "cannot find file" error shown at startup]

This appeared after removing BuddyList.exe. The AIM Reminder.exe file in the Startup group appears to generate it.

[Image: error shown at startup after the WIN.INI entry was removed]

This appeared after removing the entry in the WIN.INI file.


Files created:

C:\Command.exe 236,544 bytes (231 KB)
C:\Windows\System\Winsaver.exe 236,544 bytes (231 KB)
C:\America Online 4.0\Buddylist.exe 236,544 bytes (231 KB)
C:\Windows\Start Menu\Programs\Startup\AIM Reminder.exe 236,544 bytes (231 KB)
C:\Windows\System\NortonAntiVir\RegistryReminder.exe 236,544 bytes (231 KB)
C:\Windows\Explore.exe 41,472 bytes (42 KB) I think this is the primary file.


WIN.INI alterations:

[windows]
Load=C:\Americ~1.0\BuddyLise.exe
Run=C:\Windows\System\NortonAntiVir\RegistryReminder.exe


SYSTEM.INI alterations:

[boot]
SCRNSAVE.EXE=c:\windows\system\WinSaver.exe


Windows Registry alterations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinProfile = "C:\Command.exe"
NetDetect = "C:\Windows\EXPLORE.EXE"
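The autostart hooks listed above (WIN.INI Load=/Run=, the SYSTEM.INI screensaver line, and the HKLM Run key) can be checked mechanically against the file names on this page. The Python script below is an added example written for this page; it is not code from the original page or from whoever wrote the trojan. It parses WIN.INI and SYSTEM.INI text and a REGEDIT4 export of the Run key, then reports any entry whose file name matches the page's list. The sample inputs are constructed from the page's own entries. Assumptions of mine, not statements from the page: matching is by file name only (the page gives no hashes), any non-empty Load=/Run= line is treated as worth a look, and a screensaver that is an .exe rather than a .scr is flagged as odd. The Startup-group item (AIM Reminder.exe) is a file in a folder, not a config line, so it is outside what this parser reads.

```python
"""Added example: scan Windows 9x autostart hooks for the AOL password trojan's entries.

Parses WIN.INI / SYSTEM.INI text and a REGEDIT4 export of the HKLM Run key, then
flags entries matching the file names listed on the page. Samples are constructed.
"""
import re
from typing import Dict, List, Tuple

# File names the page lists as created by the trojan (names only; no hashes are given).
IOC_FILES = {
    "command.exe", "winsaver.exe", "buddylist.exe",
    "aim reminder.exe", "registryreminder.exe", "explore.exe",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

Finding = Tuple[str, str, str, str]   # (location, name, command, reason)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section_lower: {key_lower: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command} for HKLM ...\\CurrentVersion\\Run in a REGEDIT4 export.
    Backslashes are doubled inside .reg files, so they are unescaped here."""
    values: Dict[str, str] = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].strip().lower() == RUN_KEY
        elif in_run:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates either slash and a quoted path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def scan(win_ini: str, system_ini: str, reg_export: str) -> List[Finding]:
    """Collect findings from the three config-based autostart hooks the page describes."""
    findings: List[Finding] = []

    def check(location: str, name: str, command: str, extra_reason: str = "") -> None:
        if basename(command) in IOC_FILES:
            findings.append((location, name, command, "matches trojan file name"))
        elif extra_reason:
            findings.append((location, name, command, extra_reason))

    win = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        # load= and run= take comma-separated lists and are empty on a clean system,
        # so (assumption) anything present deserves a look even without a name match.
        for cmd in win.get(key, "").split(","):
            if cmd.strip():
                check("WIN.INI [windows]", key, cmd.strip(), "non-empty load=/run= line")

    saver = parse_ini(system_ini).get("boot", {}).get("scrnsave.exe", "")
    if saver:
        # Heuristic (assumption): legitimate screensavers are .scr files, not .exe.
        reason = "screensaver is an .exe, not a .scr" if saver.lower().endswith(".exe") else ""
        check("SYSTEM.INI [boot]", "scrnsave.exe", saver, reason)

    for name, cmd in parse_reg_run_key(reg_export).items():
        check("HKLM Run", name, cmd)

    return findings


# Constructed samples, built from the entries listed on this page.
SAMPLE_WIN_INI = """[windows]
load=C:\\Americ~1.0\\BuddyLise.exe
run=C:\\Windows\\System\\NortonAntiVir\\RegistryReminder.exe
"""
SAMPLE_SYSTEM_INI = """[boot]
SCRNSAVE.EXE=c:\\windows\\system\\WinSaver.exe
"""
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"WinProfile"="C:\\\\Command.exe"
"NetDetect"="C:\\\\Windows\\\\EXPLORE.EXE"
"""

if __name__ == "__main__":
    for loc, name, cmd, why in scan(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG):
        print(f"{loc}: {name} -> {cmd}  [{why}]")
```

Run it against copies of WIN.INI, SYSTEM.INI and a Run-key export taken from the infected disk while booted to DOS, which fits the page's advice never to let the Windows installation start the trojan again. Note that the Load= entry on the page (BuddyLise.exe) does not match the file list by name, which is exactly why the script also reports any non-empty Load=/Run= line rather than relying on names alone.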