Mine.exe Virus (APStrojan.pz)
Welcome

So you've got THE virus. I hated it and you shall come to hate it as well. But you don't have to, since I have instructions here for you to get rid of it. If you're good with computers, you'll get rid of it in the next 15 minutes. If you're not, you may struggle with this or even cause harm to your computer. In that case, you may want to call a friend and have them walk you through the steps listed below.

What it is.

Virus Name: APStrojan.pz

What it does.
This is a password stealer written in Visual Basic 5 that targets America Online software installations to capture the passwords of user accounts. The trojan sends the account details to its author. The file may have been received by email as an attachment with the subject line "hey you". The account which distributed the trojan was reported to the AOL Terms Of Service team for handling. Infected users also report that they cannot restart or shut down their computers, that AOL asks for the password twice on every sign-on, and that AOL occasionally freezes and forces a restart.
The attachment is 216,576 bytes and has an icon which resembles a PKLite self-extracting file; however, it is not of this type. The file has been widely seen under the name "MINE.EXE".
(Note: this trojan has been reported to AVERT by several users of the AOL Internet service, giving us reason to believe it has been widely distributed via spam email.)
This trojan makes several calls to system DLLs in order to write four files to the local system, mark them as hidden, edit WIN.INI to load via the run line, and edit the registry to load at Windows startup. Attempts to inspect these changes by launching the RegEdit tool are diverted by a stealth monitor in the trojan. WIN.INI is also marked read-only, in an attempt to prevent removal of the file information from the run line. The following is a list of DLLs which are hooked by this trojan:
DO NOT TOUCH/REMOVE THESE FILES

Step 1
The following files are written to the local system:
c:\msdos98.exe
c:\WINDOWS\SYSTEM\mine.exe
c:\WINDOWS\SYSTEM\ReadMe.Txt
c:\WINDOWS\uninstallms.exe
All three executables listed above are identical.
Step 2
WIN.INI is modified to load the trojan from the run line in the [windows] section.
The registry is modified to load the trojan at Windows startup with the following value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Windows="c:\msdos98.exe"
Although its purpose is not clear, the TXT file written to the Windows\system folder has the following content:
"Did you like it? Write Back ok?=Þ"
This trojan depends on the file MSVBVM50.DLL (the Visual Basic 5 runtime) and cannot run without it. This DLL exists on Windows 98 systems by default but does not exist on Windows 95.
NOTE: You should be in Safe Mode to delete these files.
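To make the persistence described in Steps 1 and 2 concrete, here is an added example (my own code, not from the original page or from McAfee AVERT) that checks a WIN.INI fragment, a RegEdit export and a list of files on disk for the indicators listed above. All inputs are constructed; the run= line in the sample WIN.INI is an assumption, because the page gives the registry value but not the exact WIN.INI entry. On an infected Windows 9x machine you would feed it the real C:\WINDOWS\WIN.INI and the output of "regedit /e" instead.

```python
"""Offline indicator check for the APStrojan.pz / MINE.EXE persistence.

Added example, not code from the original page or from McAfee AVERT. It
parses constructed text (a WIN.INI fragment and a REGEDIT4 export) so it
runs anywhere; real input would come from C:\\WINDOWS\\WIN.INI and from
"regedit /e" on the infected machine.
"""
import re
from typing import Dict, List

# Indicators taken from the description: the dropped files and the Run value.
DROPPED_FILES = [
    r"c:\msdos98.exe",
    r"c:\windows\system\mine.exe",
    r"c:\windows\system\readme.txt",
    r"c:\windows\uninstallms.exe",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows"
RUN_VALUE_DATA = r"c:\msdos98.exe"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def win_ini_run_entries(text: str) -> List[str]:
    """Programs started from the [windows] run= and load= lines of WIN.INI."""
    windows = parse_ini(text).get("windows", {})
    entries: List[str] = []
    for key in ("run", "load"):
        # WIN.INI separates multiple programs with spaces or commas.
        entries.extend(p for p in re.split(r"[ ,]+", windows.get(key, "")) if p)
    return entries


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export: [key] headers and "name"="data" string values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                # REGEDIT4 escapes each backslash in string data as two.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_indicators(win_ini: str, reg_export: str, present_files: List[str],
                     win_ini_read_only: bool) -> List[str]:
    """Return the matched indicators; an empty list means nothing was found."""
    hits: List[str] = []
    for path in present_files:
        if path.lower() in DROPPED_FILES:
            hits.append("dropped file present: " + path)
    for prog in win_ini_run_entries(win_ini):
        if prog.lower() == RUN_VALUE_DATA:
            hits.append("WIN.INI run/load line starts: " + prog)
    for name, data in parse_reg_export(reg_export).get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() and data.lower() == RUN_VALUE_DATA:
            hits.append("registry Run value %s=%s" % (name, data))
    if win_ini_read_only:
        # The trojan sets this attribute to block cleanup of the run line.
        hits.append("WIN.INI is read-only")
    return hits


# Constructed sample input. The run= line is an assumption: the page shows the
# registry value but does not reproduce the exact WIN.INI entry.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\msdos98.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Windows"="c:\\\\msdos98.exe"
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"""

SAMPLE_FILES = [r"C:\MSDOS98.EXE", r"C:\WINDOWS\SYSTEM\mine.exe", r"C:\WINDOWS\WIN.INI"]

if __name__ == "__main__":
    for hit in check_indicators(SAMPLE_WIN_INI, SAMPLE_REG_EXPORT, SAMPLE_FILES, True):
        print(hit)
```

Paths are compared case-insensitively because Windows 9x file names and registry names are not case-sensitive, and the read-only flag is passed in explicitly since it cannot be read from a text dump; on the real machine `attrib c:\windows\win.ini` shows it.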
Virus Information

Discovery Date: 1/18/00
Origin: AOL
Length: 216,576
Type: Trojan
SubType: AOL Password
Risk Assessment: Low
Variants

Name: Several
Type: Trojan
Sub Type: AOL
Differences: (none listed)