Spy Sweeper with AntiVirus

The most award-winning anti-spyware software


Get serious about removing spyware with Spy Sweeper - the award-winning anti-spyware software trusted by millions of home computer users.



AOL.Infostealer.32512

Risk Level 2: Low

Discovered: June 21, 1999
Also Known As: BuddyList Trojan, APStrojan.ob, Trojan.PSW.Noter, TROJ_BUDDY.D, AOL.Trojan.32512, AOL.PWSteal.32512
Type: Trojan Horse
Infection Length: 0 bytes

SUMMARY


AOL.Infostealer.32512 infects DOS .exe files. This Trojan can spread through intranets, the Internet, or email.

NOTE : Definitions prior to May 10, 2006 may detect this threat as AOL.PWSteal.32512

Protection

  • Virus Definitions (LiveUpdate™ Weekly) June 28, 1999
  • Virus Definitions (Intelligent Updater) June 28, 1999

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low
  • Modifies Files: Writes 0 bytes over host files
  • Compromises Security Settings: Attempts to retrieve AOL access information.

Distribution

  • Distribution Level: Low

TECHNICAL DETAILS


The AOL.Infostealer.32512 writes 0 bytes over host files. It is a "direct action" Trojan. When an infected program has been launched, AOL.Infostealer.32512 immediately infects other programs. It does not contain a destructive payload. It does not attempt to encrypt itself. The AOL.Infostealer.32512 is not capable of infecting floppy disk or hard disk boot records. It does not hide itself using "stealthing" techniques. The AOL.Infostealer.32512 infects files in a manner that makes disinfection impossible.

NOTE: This is not a virus; it is a Trojan horse program. You must delete this file. This program may delete files or try to get your America Online account information.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
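
The attachment-blocking recommendation above, as an added example that is not part of the original writeup: a Python filter that parses a message and reports every declared attachment whose final extension is on the list the writeup names (.vbs, .bat, .exe, .pif, .scr). The sample message, its boundary string and the function names are assumptions made here, not real mail.

```python
"""
Mail-server attachment filter for the extensions this writeup recommends
blocking (.vbs, .bat, .exe, .pif and .scr).  Added example, not part of the
original writeup; the message below is constructed, not a real sample.
"""
from email import message_from_string

BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Constructed message: one harmless attachment, one with an upper-cased
# blocked extension, one using a double extension to look like a text file.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

See attached.
--sample-boundary
Content-Type: image/jpeg; name="beach.jpg"
Content-Disposition: attachment; filename="beach.jpg"

(binary omitted)
--sample-boundary
Content-Type: application/octet-stream; name="setup.EXE"
Content-Disposition: attachment; filename="setup.EXE"

(binary omitted)
--sample-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.txt.scr"

(binary omitted)
--sample-boundary--
"""


def attachment_extension(filename):
    """Final extension of a declared attachment name, lower-cased.
    Trailing dots and spaces are removed first because Win32 drops them when
    the file is saved, so 'payload.exe.' ends up on disk as payload.exe."""
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1]


def blocked_attachments(raw_message):
    """Parse an RFC 822 message and return the declared file names of every
    attachment whose extension is on the block list.  Only the final extension
    counts, so 'invoice.txt.scr' is caught even though it mimics a text file."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                     # containers carry no file name
        filename = part.get_filename()
        if filename and attachment_extension(filename) in BLOCKED_EXTENSIONS:
            found.append(filename)
    return found


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE))   # ['setup.EXE', 'invoice.txt.scr']
```

The check deliberately looks only at the declared file name, which is all a gateway can see before it inspects content; matching is case-insensitive and strips trailing dots so that a name such as `payload.exe.` is treated as the `.exe` it becomes on disk.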

REMOVAL


The easiest way to remove this Trojan is to download the Fix Buddylist tool.

If the tool does not fix the problem, or if you do not currently have Internet access, you must remove it manually. There is more than one way to do this. In most cases it can be removed in Safe Mode. Please see Solution 1 for instructions on how to do this. If this does not resolve the problem, if you are not able to boot to Safe Mode after following the instructions, or if you prefer to work in MS-DOS mode, then follow the steps in Solution 2.

NOTE: The procedure described in this document will remove most variants of this Trojan. If, after following these instructions, NAV still detects files infected with AOL.Trojan.32512, but NAV cannot delete or quarantine the infected files when commanded to do so, see the document Cannot delete or quarantine files infected with Infostealer.Trojan after removing the Infostealer.Trojan or the AOL.Infostealer.32512 Trojan.

Solution 1
To remove this Trojan, most of the steps are performed in Safe Mode. Please follow the instructions in each section in the order they are presented.

Enable show all files
Follow these steps to make sure that Windows is set to show all files:
  1. Start Windows Explorer.
  2. Click the View menu, and click Options or Folder options.
  3. Click the View tab, and uncheck "Hide file extensions for known file types" if it is checked.
  4. Click "Show all files," and then click OK.

Restart the computer in MS-DOS mode
  1. Click Start, and click Shut Down.
  2. Click Restart in MS-DOS mode and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt may appear similar to the following:

    C:\>

Delete files
At the command prompt, type the following commands, pressing Enter after each one:

NOTE: If you installed Windows in a location other than C:\Windows, then please substitute the correct path when typing the second line.

    c:
    cd \windows\system
    attrib -s -h -r winsaver.exe
    del winsaver.exe

Start Windows in Safe Mode
To start Windows in Safe Mode, type the following, and then press Enter:

    win /d:m

NOTE: This will take longer than usual. The Windows desktop will look different, and you will see a message that Windows is running in Safe Mode. If this is not the case, skip to Solution 2.

Find and delete files
Follow these steps to locate and delete the files that were placed on your hard disk by the Trojan:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the Named box, type (or copy and paste) the following file names:

    command.exe buddylist.exe registryreminder.exe aimrem*.*
  4. Click Find Now.

    CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  5. In the results pane, select each displayed file, press Delete, and then click Yes to confirm.
  6. Close the Find Files or Folders window.
  7. Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.

Edit system files
Please follow these steps to remove changes that were made to two Windows files:
  1. Click Start, and click Run.
  2. Type the following command, and then press Enter to open the System Configuration Editor.

    sysedit
  3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.

    CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:

    ; run=accounts.exe

  4. Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
  5. Position the cursor immediately to the right of the equal (=) sign.
  6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  7. Repeat steps 5 and 6 for the run= line, which is usually beneath the load= line.
  8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
  9. Click the title bar of the System.ini window, and locate the [boot] section; it is usually located near the top of the file.
  10. Within the [boot] section, look for the following line:

    scrnsave.exe=c:\windows\system\winsaver.exe
  11. Position the cursor immediately to the right of the equal sign.
  12. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  13. Close the System.ini window, and click Yes when you are prompted whether to save the changes.

Remove an entry from the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document, How to back up the Windows registry, before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Look for the following String value in the right pane:

    Winprofile "C:\command.exe"
  5. If it exists, select it, press Delete, and then click Yes to confirm.
  6. Exit the Registry Editor.

Restart the computer
The Trojan is now removed from your system. Please shut down the computer, turn off the power, and wait 30 seconds before restarting.

CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.

For additional information on viruses, Trojans, and how to practice safe computing, please see the document What is a virus?

If you have tried Solution 1, and after restarting, you still experience the same problems, please go on to Solution 2.

Solution 2
To remove this Trojan, most of the steps are performed at the DOS command prompt. Please follow the instructions in each section in the order that they are presented.

Restart the computer in MS-DOS mode
  1. Click Start, and click Shut Down.
  2. Click "Restart in MS-DOS mode," and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt will look similar to the following:

    C:\>

Delete files
  1. At the command prompt, type the following commands, pressing Enter after each one:

    NOTE: If you installed Windows in a location other than C:\Windows, please substitute the correct path when typing lines that refer to the Windows folder.

    cd \
    attrib -h -s -r command.exe
    del command.exe
    cd \americ~1.0
    attrib -h -s -r buddyl*.*
    del buddyL~1.exe
    cd \windows\system
    attrib -h -s -r winsaver.exe
    del winsaver.exe
    attrib -h -s -r norton~1*.*
    deltree norton~1*.*
    cd \windows\startm~1\programs\startup
    attrib -h -s -r aimrem*.*
    del aimrem~1.exe

    NOTE: If you see the message "File not found" when executing any of these commands, make sure that you have typed the command exactly as shown. Due to the number of variants of this Trojan, not all of these files will have been placed on the system by the Trojan. If you are sure that you have typed the command correctly, ignore the "File not found" error message and proceed to the next command.
  2. Type exit and then press Enter to restart Windows.

Edit system files
Follow these steps to remove changes that were made to two Windows files:
  1. Click Start, and click Run.
  2. Type the following command, and then press Enter to open the System Configuration Editor.

    sysedit
  3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.

    CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:

    ; run=accounts.exe

  4. Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
  5. Position the cursor immediately to the right of the equal (=) sign.
  6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  7. Repeat steps 5 and 6 for the run= line, which is usually beneath the load= line.
  8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
  9. Click the title bar of the System.ini window, and then locate the [boot] section; it is usually located near the top of the file.
  10. Within the [boot] section, look for the following line:

    scrnsave.exe=c:\windows\system\winsaver.exe
  11. Position the cursor immediately to the right of the equal sign.
  12. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  13. Close the System.ini window, and click Yes when you are prompted whether to save the changes.

Remove an entry from the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Look for the following String value in the right pane:

    Winprofile "C:\command.exe"
  5. If it exists, select it, press Delete, and then click Yes to confirm.
  6. Exit the Registry Editor.

The Trojan is now removed from your system. Restart the computer.

CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.
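
Both solutions above inspect the same three persistence points: the load= and run= lines in the [windows] section of Win.ini, the scrnsave.exe= line in the [boot] section of System.ini, and the Winprofile value under the Run key. As an added example that is not part of the original writeup and not a Symantec tool, the following Python audit applies those checks to text instead of a live machine. The Win.ini, System.ini and REGEDIT4-export contents are constructed here, the suspect file names are the ones the writeup lists, and all function names are assumptions.

```python
"""
Persistence audit for the locations named in this writeup: the load= and run=
lines of Win.ini, the scrnsave.exe= line in the [boot] section of System.ini,
and the Winprofile value under the Run registry key.

Added example, not Symantec's tool.  The three inputs below are constructed
text, not captures from a real machine; a real audit would read the files and
a regedit export instead.
"""
import re

# File names the writeup tells the reader to look for.
SUSPECT_FILES = {"command.exe", "buddylist.exe", "registryreminder.exe",
                 "winsaver.exe"}
SUSPECT_PREFIXES = ("aimrem",)     # the writeup uses the wildcard aimrem*.*
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed samples (assumed contents, not real captures).
WIN_INI = """[windows]
load=
run=C:\\command.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe
scrnsave.exe=c:\\windows\\system\\winsaver.exe
[386Enh]
device=*vmouse
"""
REG_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"Winprofile"="C:\\\\command.exe"
"""


def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]}.  Duplicate keys are
    kept, and lines starting with ';' (the disabling trick the writeup
    describes) are treated as comments and skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def is_suspect(path):
    """True if the last component of a DOS/Windows path is a file the
    writeup associates with this Trojan (case-insensitive)."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()
    return name in SUSPECT_FILES or name.startswith(SUSPECT_PREFIXES)


def audit_win_ini(text):
    """load= and run= entries in [windows] that reference a suspect file."""
    return [(key, item)
            for key, value in parse_ini(text).get("windows", [])
            if key in ("load", "run")
            for item in value.split() if is_suspect(item)]


def audit_system_ini(text):
    """scrnsave.exe= entries in [boot] that reference a suspect file."""
    return [(key, value)
            for key, value in parse_ini(text).get("boot", [])
            if key == "scrnsave.exe" and is_suspect(value)]


def audit_run_key(reg_export):
    """Values under the Run key of a REGEDIT4 export whose data points at a
    suspect file.  REGEDIT4 doubles backslashes in data, so they are unescaped
    before the path is examined."""
    hits, in_run = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")
            if is_suspect(data):
                hits.append((name.strip().strip('"'), data))
    return hits


def audit_all(win_ini=WIN_INI, system_ini=SYSTEM_INI, reg_export=REG_EXPORT):
    """Run the three checks and return every hit, tagged with its source."""
    return ([("win.ini", k, v) for k, v in audit_win_ini(win_ini)]
            + [("system.ini", k, v) for k, v in audit_system_ini(system_ini)]
            + [("registry Run", k, v) for k, v in audit_run_key(reg_export)])


if __name__ == "__main__":
    for source, key, value in audit_all():
        print(f"{source}: {key} -> {value}")
```

Matching is on the final path component only, so a value such as `C:\WINDOWS\scanregw.exe /autorun` passes while `C:\command.exe` is reported; a line disabled with a leading semicolon, as the CAUTION above suggests, is skipped by the parser and therefore not reported.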


Spy Sweeper 5.2 stops spyware in its tracks while offering home computer users the ability to configure the program to suit their specific needs, such as:

Choose a Quick, Full or Custom Sweep: With Spy Sweeper 5.2, you can easily choose to perform a quick, full or customized sweep. If you're looking for an immediate diagnosis, choose a quick sweep. For a pinpointed search, customize your sweep to have Spy Sweeper skip files by folder or file extension. For a deep cleaning, opt for a full sweep.

Exclude Files from a Sweep: Spy Sweeper allows you to save time during a sweep by skipping specific files or different sections of your PC. You can select specific file extensions, such as .xls or .mpg, to exclude.

Additional Highlights

As soon as it's installed, Spy Sweeper gives 360 degrees of protection against spyware, including:

Simple Sweeps: Detecting spyware and removing unwanted programs found on your computer in three effortless steps

Easy Management: Quickly and simply configure program, sweep and upgrade options

Fast Home: Use the home screen to access the most commonly used functions of Spy Sweeper

Shields Summary: A redesigned shields summary page makes it simple to see at a glance which shields are on or off

Action Alerts: Receive clear, easy-to-understand notifications when new spyware threats are detected

"Spy Sweeper remains a favorite for protection from spyware."

"This program's dominance is apparent as soon as you install it."