Discovered: June 21, 1999
Updated: February 13, 2007 12:54:52 PM
Also Known As: BuddyList Trojan, APStrojan.ob, Trojan.PSW.Noter, TROJ_BUDDY.D, AOL.Trojan.32512, AOL.PWSteal.32512
Type: Trojan Horse


AOL.Infostealer.32512 infects DOS .exe files. This Trojan can spread through intranets, the Internet, or email.

NOTE: Definitions prior to May 10, 2006 may detect this threat as AOL.PWSteal.32512.

Antivirus Protection Dates

  • Initial Rapid Release version June 28, 1999
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version June 28, 1999
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date June 28, 1999


Writeup By: Motoaki Yamamura

AOL.Infostealer.32512 writes 0 bytes over host files. It is a "direct action" Trojan: when an infected program is launched, AOL.Infostealer.32512 immediately infects other programs. It does not contain a destructive payload and does not attempt to encrypt itself. AOL.Infostealer.32512 is not capable of infecting floppy disk or hard disk boot records, and it does not hide itself using "stealthing" techniques. AOL.Infostealer.32512 infects files in a manner that makes disinfection impossible.

NOTE: This is not a virus; it is a Trojan horse program. You must delete this file. This program may delete files or try to get your America Online account information.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

The easiest way to remove this Trojan is to download the Fix Buddylist tool.

If the tool does not fix the problem, or if you do not currently have Internet access, you must remove it manually. There is more than one way to do this. In most cases it can be removed in Safe Mode. Please see Solution 1 for instructions on how to do this. If this does not resolve the problem, if you are not able to boot to Safe Mode after following the instructions, or if you prefer to work in MS-DOS mode, then follow the steps in Solution 2.

NOTE: The procedure described in this document will remove most variants of this Trojan. If, after following these instructions, NAV still detects files infected with the AOL.Trojan32512, but NAV cannot delete or quarantine the infected files when commanded to do so, see the document Cannot delete or quarantine files infected with Infostealer.Trojan after removing the Infostealer.Trojan or the AOL.Infostealer.32512 Trojan.

Solution 1
To remove this Trojan, most of the steps are performed in Safe Mode. Please follow the instructions in each section in the order they are presented.

Enable show all files
Follow these steps to make sure that Windows is set to show all files:

  1. Start Windows Explorer.
  2. Click the View menu, and click Options or Folder options.
  3. Click the View tab, and uncheck "Hide file extensions for known file types" if it is checked.
  4. Click "Show all files," and then click OK.
Restart the computer in MS-DOS mode
  1. Click Start, and click Shut Down.
  2. Click Restart in MS-DOS mode, and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt may appear similar to the following:

      C:\>

Delete files
At the command prompt, type the following commands, pressing Enter after each one:

NOTE: If you installed Windows in a location other than C:\Windows, then please substitute the correct path when typing the second line.

      c:
      cd \windows\system
      attrib -s -h -r winsaver.exe
      del winsaver.exe

Start Windows in Safe Mode
To start Windows in Safe Mode, type the following, and then press Enter:

      win /d:m

NOTE: This will take longer than usual. The Windows desktop will look different, and you will see a message that Windows is running in Safe Mode. If this is not the case, skip to Solution 2.

Find and delete files
Follow these steps to locate and delete the files that were placed on your hard disk by the Trojan:
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the Named box, type (or copy and paste) the following file names:

      command.exe buddylist.exe registryreminder.exe aimrem*.*
  4. Click Find Now.

      CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
  5. In the results pane, select each displayed file, press Delete, and then click Yes to confirm.
  6. Close the Find Files or Folders window.
  7. Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.

Edit system files
Please follow these steps to remove changes that were made to two Windows files:
  1. Click Start, and click Run.
  2. Type the following command, and then press Enter to open the System Configuration Editor:

      sysedit
  3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.

      CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:

      ; run=accounts.exe
  4. Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
  5. Position the cursor immediately to the right of the equal (=) sign.
  6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  7. Repeat steps 5 and 6 for the run= line, which is usually beneath the load= line.
  8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
  9. Click the title bar of the System.ini window, and locate the [boot] section; it is usually located near the top of the file.
  10. Within the [boot] section, look for the following line:

      scrnsave.exe=c:\windows\system\winsaver.exe
  11. Position the cursor immediately to the right of the equal sign.
  12. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  13. Close the System.ini window, and click Yes when you are prompted whether to save the changes.

Remove an entry from the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to and select the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Look for the following String value in the right pane:

      Winprofile "C:\command.exe"
  5. If it exists, select it, press Delete, and then click Yes to confirm.
  6. Exit the Registry Editor.

Restart the computer
The Trojan is now removed from your system. Please shut down the computer, turn off the power, and wait 30 seconds before restarting.

CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.

For additional information on viruses, Trojans, and how to practice safe computing, please see the document What is a virus?

If you have tried Solution 1, and after restarting, you still experience the same problems, please go on to Solution 2.

Solution 2
To remove this Trojan, most of the steps are performed at the DOS command prompt. Please follow the instructions in each section in the order that they are presented.

Restart the computer in MS-DOS mode
  1. Click Start, and click Shut Down.
  2. Click "Restart in MS-DOS mode," and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt will look similar to the following:

      C:\>

Delete files
  1. At the command prompt, type the following commands, pressing Enter after each one:

      NOTE: If you installed Windows in a location other than C:\Windows, please substitute the correct path when typing lines that refer to the \Windows folder.

      cd \
      attrib -h -s -r command.exe
      del command.exe
      cd \americ~1.0
      attrib -h -s -r buddyl*.*
      del buddyL~1.exe
      cd \windows\system
      attrib -h -s -r winsaver.exe
      del winsaver.exe
      attrib -h -s -r norton~1\*.*
      deltree norton~1\*.*
      cd \windows\startm~1\programs\startup
      attrib -h -s -r aimrem*.*
      del aimrem~1.exe

      NOTE: If you see the message "File not found" when executing any of these commands, make sure that you have typed the command exactly as shown. Due to the number of variants of this Trojan, not all of these files will have been placed on the system by the Trojan. If you are sure that you have typed the command correctly, ignore the "File not found" error message and proceed to the next command.
  2. Type exit and then press Enter to restart Windows.

Edit system files
Follow these steps to remove changes that were made to two Windows files:
  1. Click Start, and click Run.
  2. Type the following command, and then press Enter to open the System Configuration Editor:

      sysedit
  3. Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.

      CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:

      ; run=accounts.exe
  4. Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
  5. Position the cursor immediately to the right of the equal (=) sign.
  6. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  7. Repeat steps 5 and 6 for the run= line, which is usually beneath the load= line.
  8. Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
  9. Click the title bar of the System.ini window, and then locate the [boot] section; it is usually located near the top of the file.
  10. Within the [boot] section, look for the following line:

      scrnsave.exe=c:\windows\system\winsaver.exe
  11. Position the cursor immediately to the right of the equal sign.
  12. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
  13. Close the System.ini window, and click Yes when you are prompted whether to save the changes.

Remove an entry from the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and click OK. The Registry Editor opens.
  3. Navigate to the following key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Look for the following String value in the right pane:

      Winprofile "C:\command.exe"
  5. If it exists, select it, press Delete, and then click Yes to confirm.
  6. Exit the Registry Editor.

The Trojan is now removed from your system. Restart the computer.

CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.
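As an added triage example (not Symantec's Fix Buddylist tool, and not code from this write-up), the following Python checks pasted copies of Win.ini, System.ini and the values under the Run key for the persistence entries named in the "Edit system files" and "Remove an entry from the registry" sections of Solutions 1 and 2. Instead of deleting INI text outright it applies the semicolon trick from the CAUTION note, so a legitimate load= or run= entry can be restored; the INI text and registry values below are constructed samples.

```python
"""Offline triage for the AOL.Infostealer.32512 persistence points in this write-up."""
import re

# Indicators taken from the write-up; DOS/Windows file names are case-insensitive.
TROJAN_FILES = ("command.exe", "buddylist.exe", "registryreminder.exe", "winsaver.exe")
TROJAN_PREFIX = "aimrem"          # aimrem*.* dropped into the Startup folder
RUN_VALUE_NAME = "winprofile"     # Winprofile "C:\command.exe" under ...\CurrentVersion\Run


def _refers_to_trojan(text: str) -> bool:
    """True if an INI value or registry command line names one of the dropped files."""
    t = text.lower()
    return any(name in t for name in TROJAN_FILES) or TROJAN_PREFIX in t


def neutralize_ini(ini_text: str, keys: tuple) -> tuple:
    """Comment out (leading ';', as the write-up suggests) any of the given keys whose
    value refers to a Trojan file. Returns (cleaned_text, list_of_findings)."""
    out, findings = [], []
    for line in ini_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=\s*(.*)", line)
        if m and m.group(1).lower() in keys and _refers_to_trojan(m.group(2)):
            findings.append(f"{m.group(1)}={m.group(2).strip()}")
            line = ";" + line
        out.append(line)
    return "\n".join(out) + "\n", findings


def check_run_key(values: dict) -> list:
    """values maps value name -> data under HKLM\\...\\CurrentVersion\\Run.
    Returns the names that match the write-up's Winprofile entry or point at a Trojan file."""
    return [name for name, data in values.items()
            if name.lower() == RUN_VALUE_NAME or _refers_to_trojan(data)]


# Constructed sample input (not captured from a real machine).
WIN_INI = "[windows]\nload=\nrun=C:\\COMMAND.EXE\n[Desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe\nscrnsave.exe=c:\\windows\\system\\winsaver.exe\n"
RUN_VALUES = {"Winprofile": '"C:\\command.exe"',
              "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun"}

if __name__ == "__main__":
    for text, keys in ((WIN_INI, ("load", "run")), (SYSTEM_INI, ("scrnsave.exe",))):
        cleaned, found = neutralize_ini(text, keys)
        print("findings:", found)
        print(cleaned)
    print("Run values to delete:", check_run_key(RUN_VALUES))
```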