Virus Profile: APStrojan.qa@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/18/2000
Date Added: 1/25/2000
Origin: AOL Email
Length: 216,576
Type: Trojan
Subtype: AOL Password
DAT Required: 4064

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Existence of the files named in the removal instructions (MSDOS98.EXE, UNINST~1.EXE and MINE.EXE), slowness of the system, attempts to start REGEDIT being diverted, and WIN.INI being marked READ-ONLY.

Methods of Infection

Running the trojan, whether intentionally or accidentally, installs it using the methods described above.

Aliases

MINE.EXE, PWSteal.Trojan (NAV), Troj/Mine (Sophos), TROJ_APS.216576 (Trend), Trojan.AOL.Cool (AVP), Trojan.PS.AOL.21657 (Panda), Uninstallms.exe, W95/Trojan.Cool (F-Prot)

Related Images

MINE.EXE Trojan Icon

Virus Characteristics

This is a password stealer and Internet worm written in Visual Basic 5. It targets America Online software installations to obtain the passwords of user accounts and sends the account details to the author of the trojan. In addition, if the victim is logged on to AOL v4.0, it sends itself to the AOL screen names in the victim's buddy list who are currently logged on to AOL.

This file could have been received by email as an attachment named "mine.zip" (with a size of 77,855 bytes) and with a subject line of "hey you". The message body suggests that the attachment is actually scanned pictures:

--- copy of email forwarded to AOL members ---
hey i finally got my pics scanned..theres like 5 or 6 of them..so just download it and unzip it..and for you people who dont know how to then scroll down..tell me what you think of my pics ok?

if you dont know how to unzip then follow these steps

When you sign off, AOL will automatically unzip the file, unless you have turned this feature off in your download preferences.

If you want to do it manually then On the My Files menu on the AOL toolbar, click Download Manager. In the Download Manager window, click Show Files Downloaded. Select my file and click Decompress

Variants

Virus Name: APStrojan.gen18b
Type: Trojan
Subtype: AOL Password
Differences: Minor differences; file names (sizes in bytes) include some of the following:
  WINPFC.EXE (397312)
  POKEMON.EXE (266240)
  PKG80B5.EXE (93696)
  JPG.EXE (473088)
  PKG3B0.EXE (93696)
  MY_NEW_P.EXE (118784)
  FIX.EXE

Virus Name: APStrojan.gen18c
Type: Trojan
Subtype: AOL Password
Differences: Minor differences; file names (sizes in bytes) include some of the following:
  BOUNCE.EXE (954368)
  PUMA.EXE (324096)
  AIY2K.EXE (954368)
  OFFICE.EXE (954368)
  AOL32.EXE (27136)
  MAILTO~1.EXE (160768)
  MYPICBMP.EXE (260608)
  PUNTTEK3.EXE (89087)
  MYPICVIE.TRJ (56832)
  WINSPY.EXE (126976)
  KING.EXE (178613)
   
1. Restart your computer. This worm will block you from using the shut down command, so turn off your computer, and turn it back on again. When you see the message "Starting Windows 95..." Press F8, then choose "Safe mode command prompt only". Or boot from your bootable emergency floppy.

2. At the DOS prompt, type the following commands, pressing Enter after each one:

   C:
   ATTRIB -H MSDOS98.EXE
   DEL MSDOS98.EXE
   CD WINDOWS
   ATTRIB -R WIN.INI
   ATTRIB -H UNINST~1.EXE
   DEL UNINST~1.EXE
   CD SYSTEM
   ATTRIB -H MINE.EXE
   DEL MINE.EXE

3. Restart your computer. You will get a message saying uninstallms.exe could not be found. Ignore it.

4. Click Start, then Run, then type c:\windows\win.ini (substitute your Windows folder if different) in the text box, then click OK. At the line starting with run=, delete everything after the run=. Close Notepad.

5. Click Start, then Run, then type regedit in the text box, then click OK. Click HKLM, then Software, then Microsoft, then Windows, then CurrentVersion, then Run. Highlight the value that says "Windows" "c:\msdos98.exe" and press Delete. Answer Yes when asked whether you are sure. Close regedit.
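The removal steps above amount to three persistence indicators: a non-empty run= line in the [windows] section of WIN.INI, a "Windows" value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing at c:\msdos98.exe, and the dropped files MSDOS98.EXE, UNINST~1.EXE (uninstallms.exe) and MINE.EXE. The script below is an added example, not part of the McAfee profile, that checks captured data for those indicators before or after cleanup. The sample WIN.INI text, the .reg export and the file listing are constructed; the indicator names and values come from the profile. The .reg parser assumes the standard Registry Editor export format, in which backslashes in string data are doubled.

```python
"""Check captured WIN.INI, a registry export and a file listing for the
APStrojan.qa@MM persistence indicators named in the removal instructions.
Added example, not McAfee's code; all sample inputs below are constructed."""
import re
from typing import Dict, List

# File names deleted in step 2 (UNINST~1.EXE is the short name of uninstallms.exe).
KNOWN_FILES = {"MSDOS98.EXE", "UNINST~1.EXE", "UNINSTALLMS.EXE", "MINE.EXE"}
# Registry value removed in step 5.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows"
RUN_VALUE_DATA = r"c:\msdos98.exe"


def winini_run_value(winini_text: str) -> str:
    """Return the run= value from the [windows] section of WIN.INI ('' if absent)."""
    section = None
    for raw in winini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                return value.strip()
    return ""


def reg_run_values(reg_text: str) -> Dict[str, str]:
    """Parse a .reg export and return name -> data for the HKLM ...\\Run key only."""
    values: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # .reg exports double backslashes inside string data; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_indicators(winini_text: str, reg_text: str, file_paths: List[str]) -> List[str]:
    """Return one human-readable finding per indicator present in the inputs."""
    findings: List[str] = []
    run = winini_run_value(winini_text)
    if run:
        findings.append(f"WIN.INI run= is not empty: {run}")
    for name, data in reg_run_values(reg_text).items():
        if name.lower() == RUN_VALUE_NAME.lower() and data.lower() == RUN_VALUE_DATA:
            findings.append(f'Run key value "{name}" points to {data}')
    for path in file_paths:
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if basename in KNOWN_FILES:
            findings.append(f"known file present: {path}")
    return findings


# Constructed sample inputs (not taken from an infected machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\uninstallms.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windows"="c:\\msdos98.exe"
"""
SAMPLE_FILES = [r"C:\MSDOS98.EXE", r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\SYSTEM\MINE.EXE"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_WIN_INI, SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Running the check again after step 5 should return no findings; any remaining non-empty run= line is worth a look even if it does not name uninstallms.exe, since step 4 clears the whole line.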