McAfee: Password-Stealing Trojan Resurfaces
Anti-virus company McAfee.com Corp. is warning America Online (AOL) users to be on the
lookout for various incarnations of a password-swiping program that
is making the rounds attached to e-mail messages.
McAfee.com, largely owned by security company Network Associates,
said it has logged an increasing number of such "Trojan" programs -
part of a family labeled "APStrojan" - among AOL users over the
last 30 days. However, AOL says any evidence of an increase may be
a matter of perspective.
The variant McAfee said it is seeing the most comes stowed away in
a Zip archive. When released and executed, the worm-like payload,
written in Microsoft's Visual Basic, attempts to discover account
names and passwords from users of versions 4 and 5 of AOL's
software. It then attempts to forward that information to a
destination outside the AOL network, McAfee said.
Next, the software attempts to reproduce by sending copies of
itself to contacts on the AOL user's "buddy" list.
McAfee.com said variations on APStrojan have been around for nearly
a year; however, it said it recorded the increase among AOL users
who visited its online virus-scanning service.
On McAfee's Web site, a count of files found by the online scanning
service to be infected by APStrojan.qa in the last 30 days had
reached 197,000 by late afternoon today, well ahead of any of some
30 other variants of APStrojan. But the file count doesn't mean
197,000 users have been hit by APStrojan.qa, since its attack
generates a number of files for virus-scanning software to clean
up, and users can have multiple e-mail messages on their systems
with the original Trojan payload.
McAfee's numbers say the infected files represented an occurrence
of the Trojan on 0.34 percent of PCs logged in for McAfee.com's
scanning service during the last 30 days.
But is the APStrojan variant - also known as Mine and PWSteal -
multiplying rapidly, or is McAfee's online scanning service simply
getting more popular?
AOL spokesman Andrew Weinstein told Newsbytes that AOL, which has
also been aware of the Trojan for about a year, hasn't noticed an
increase in its occurrence.
AOL fields millions of customer support calls from its users each
week and would have logged any increase in APStrojan variants,
Weinstein said, adding that AOL users who have migrated to version
6 of the service provider's software are already immune from that
particular attack.
APStrojan.qa may arrive as an e-mail attachment with the file name
"mine.zip" and could be about 77,855 bytes, McAfee said. The
subject of the e-mail message frequently says "hey you," and the
text within the message may say: "hey i finally got my pics
scanned...theres like 5 or 6 of them...so just download it and
unzip it..and for you people who dont know how to then scroll
down...tell me what you think of my pics ok?"
The message then tells users how to unzip the archived file, a move
that would make the program ready to run should a user click on the
extracted code.
Users who receive such a message should delete it and the
attachment.
Users whose PCs may have become infected by the virus after
clicking on the attachment can turn to anti-virus software
companies like McAfee or Symantec.
More information on the Trojan is available from the McAfee Web
site here: http://vil.mcafee.com/dispVirus.asp?virus_k=10567.