AOL Password Stealer 1.0





Overview

Vendor Notes:

From the doc: 'This is not meant to be a stand-alone trojan. The target computer must already be running a trojan horse. Any trojan horse with decent options should be fine. The trojan must have a file browser and a registry browser. ***THE TARGET MUST BE USING VERSION 7.0 OF AOL.*** 1. Connect with your trojan horse of choice. Open up the file browser and upload the AOL Password Stealer (AOL.exe) to any folder out of view on the target. Execute the uploaded AOL.exe. Delete the uploaded AOL.exe. 2. The target is now set for password retrieval. However, the target must reboot his/her computer before passwords may be retrieved. Use your trojan to reboot the server. Don't worry if AOL is running on the target during restart as it doesn't matter. Note: You could also wait for the target to manually reboot the pc. 3. Assuming the computer has rebooted, the real AOL has been replaced with the password stealer file. Now, if AOL is executed by the target (Which he/she must do anyway to sign back online for you to retrieve the password) he/she will be prompted with a fake error from AOL and asked to type in his/her account name and password (Don't worry, it's not cheesy like this text makes it sound). 4. After the target gives away his/her information, the fake AOL is then replaced with the real one and executed so the target can sign online. The target should never see the fake error again (Unless you run the password stealer from step 1 again). 5. Now that the target has signed online, use your trojan horse to connect and open the registry browser. Now navigate to HKEY_CURRENT_USER\Software\VB and VBA Program SETTINGS\AOL\America online There should be 4 strings: (Default), Load, Password, and Screen Name. Ignore everything but Password and Screen Name. Yup, that's it.'

Alias:

PWS [McAfee], PWS-AolEk trojan, security risk or a "backdoor" program [F-Prot], Trojan Horse [Panda], Trojan.PSW.AOLPass, Trojan.PSW.AOLPass [Kaspersky], Win32/AOLPass!PWS!Trojan [Computer Associates], Win32/PSW.AOLPass trojan [Eset]

Category:

AOL Pest: Any password stealer, exploit, DoS attack, or ICQ hack aimed at users of AOL. ICQ is an instant messenger service from mirabilis.com, now AOL. ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing user's passwords, UINs, or notifying the hacker). Users of ICQ are warned "By using the ICQ service and software... you may be subject to various risks, including... Spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful."

Password Capture: A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.

Trojan: Any program with a hidden intent. Trojans are one of the leading means by which machines are broken into. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can then use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Similar Pests:

AOL Pest · Password Capture · Trojan

Origins

Date of Origin:

October, 2002

Operation

Storage Required:

AOL Password Stealer 1.0: at least 57 KB

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove AOL Password Stealer 1.0 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove Files:

Remove these files (if present) with Windows Explorer:
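A defender-side check for the registry indicator described in the vendor notes, added here as an example and not part of PestPatrol's own tooling. It assumes a Windows host with PowerShell 5.1 or later; it reports whether the Password and Screen Name values exist under the documented key and, on request, clears them, without ever displaying the captured credential.

```powershell
# Added example (not PestPatrol's tooling): check the registry location the
# vendor notes document for this pest, report the indicator, optionally clear it.
# Assumes Windows and PowerShell 5.1+; the key is read from the current user's hive.
$PestKey = 'HKCU:\Software\VB and VBA Program Settings\AOL\America online'
$IndicatorValues = @('Password', 'Screen Name')

function Test-AolPasswordStealer {
    param([switch]$Remediate)

    if (-not (Test-Path -LiteralPath $PestKey)) {
        Write-Output "Not found: $PestKey"
        return $false
    }

    # Any VB6 program that calls SaveSetting writes under "VB and VBA Program
    # Settings", so the key alone is weak evidence; the two value names are the
    # indicator the vendor notes describe.
    $props   = Get-ItemProperty -LiteralPath $PestKey
    $present = @($IndicatorValues | Where-Object { $null -ne $props.PSObject.Properties[$_] })

    if ($present.Count -eq 0) {
        Write-Output "Key exists but indicator values are absent; probably another VB program's settings."
        return $false
    }

    # Name the values that exist, but do not echo the stored credential.
    Write-Warning "Indicator values present under ${PestKey}: $($present -join ', ')"

    if ($Remediate) {
        foreach ($name in $present) {
            Remove-ItemProperty -LiteralPath $PestKey -Name $name -ErrorAction Stop
        }
        Remove-Item -LiteralPath $PestKey -Recurse -Force
        Write-Output "Removed $PestKey"
    }
    return $true
}

Test-AolPasswordStealer
```

Call `Test-AolPasswordStealer -Remediate` to delete the stored values; since the credential was already captured by the time it reached the registry, the affected AOL account password should be changed regardless of the script's result.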

Research

File Analyses:

More Info:

Research By:

PestPatrol's Pest Research Center

Last Revised:

March 02, 2005