Password-Stealing Virus Hits AOL

James Niccolai, IDG News Service

Members of America Online are being warned to be on the lookout for a Trojan horse virus that can steal their passwords, potentially giving a hacker access to their e-mail and other personal information.

The virus, dubbed APStrojan.qa, emerged January 25 and is the most active in a string of similar viruses plaguing AOL subscribers over the past year, says antivirus software vendor McAfee.com. In the past 30 days, reports of the virus have increased 100 percent, says April Goostree, a virus research manager at McAfee.com.

It wasn't clear exactly how many users have been affected, but the number is "significant," Goostree says. The virus has been rated a medium risk for AOL subscribers, and low to medium risk for corporate users.

A Trojan virus is a malicious program that arrives disguised as a harmless application but carries a nasty payload. The AOL Trojan horse takes the form of an attachment named "mine.zip" and spreads itself through e-mail bearing the subject line "hey you." Text in the body of the message suggests the attachment contains scanned images, McAfee.com representatives say.

The virus tries to steal the account numbers and passwords of AOL subscribers and, if successful, will send them by e-mail to the author of the virus.

Attacks Upon Log-In

When a subscriber logs on to the AOL service, the virus will also try to e-mail itself to all of the contacts listed in that member's Buddy List. That means people who are not AOL members can also receive the virus. Those nonsubscribers are not at risk of having passwords stolen, but the virus will slow the performance of any PC it infects, Goostree says.

However, the capability of the virus to e-mail itself to others occurs only with version 4.0 of AOL's software. Improvements to versions 5.0 and 6.0 prevent the virus from replicating itself, although it can still steal passwords within those versions.

In addition, when a user of AOL version 6.0 is infected, the virus creates a pop-up message urging the user to switch back to version 4.0 of the software, Goostree says.

AOL 4.0 users constitute a "distinct minority" of members, with most using versions 5.0 or 6.0, says Andrew Weinstein, an AOL spokesperson.

Fixes Available

AOL is providing links in its service to information about the virus, as well as to a free " one-click fix" provided by McAfee.com. However, AOL is playing down the significance of the virus. Weinstein says AOL doesn't feel the need to warn its members via e-mail.

"Obviously we can't speak for McAfee, but we haven't seen a significant increase in the number of people affected," Weinstein says.

The virus is written in Visual Basic 5 and first appeared in a slightly different form in January 2000. As often occurs with viruses, hackers have since played with the virus code to create new strains, trying to stay one step ahead of antivirus programs that detect it.

"As we've been tracking it over the past few months we have watched this thing increase in activity," Goostree says. "In the last 30 days we've watched it increase 100 percent, so we said, 'OK, we need to talk to AOL and get this thing wiped out.'"

Word of the virus apparently hasn't reached all corners of AOL. An AOL member in Quebec reports that he called the Internet service provider to ask about the virus and was told by a member of its technical support staff that they did not know about it. They also told him that reports of the virus "may be a rumor," the AOL member says.