APSTrojan.qa (aka "Hey, you" Trojan)

The APSTrojan.qa (aka "Hey, you" Trojan)

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

Last significant update: 14 February 2000

This information can be freely reproduced in any medium, as long as the information is unmodified.

Several AOL users have written us letters similar to the one below:


> Dear Virus Busters:
>
> Could you please email me information on the so called "hey you" virus. I
> received an email from who I thought was my brother, come to find out it
> was  not from him and supposedly sent through the buddy list? I had a few
> problems  for a short time. Not sure if there are any long lasting
> effects from this.
>
> I would appreciate any help with this.
>
> Thank you,

Here is a response my U-M Virus Buster colleague Adam Wilkinson wrote up to deal with this:

This sounds like APSTrojan.qa, which is an AOL Password Stealing Trojan horse (hence the name;) I'll include some removal instruction that should do the trick, although I don't think a fourth grader ought to be trusted in following them. (But then perhaps I'm just feeling my age today, too.)

But first, a couple rules of thumb to pass along, which may help prevent future problems:

NEVER accept unsolicited file attachments, even if they appear to be from someone you know.

Obtain, install, use and keep up to date a reputable anti-virus program.

Also, since the Trojan may have sent the AOL passwords to its maker, we recommend changing the password for all AOL screen names accessed via that computer.

Here are the instructions:

Problem Summary:

System appears slower. Windows can not be shut down or restarted. Anti-virus software identified APSTrojan, APSTrojan.pz or APSTrojan.qa

Resolution Summary:

Disinfection requires three steps:

Removal of Trojan horse programs
Clean up of WIN.INI file
Clean up of Registry

Resolution Long:

To remove this infection, first start the computer in Command Prompt Only mode. Since the Trojan horse prevents the computer from being properly shut down and restarted, it will probably be necessary to use the reset button or power switch to restart the computer. (This is not normally recommended, but are the only options in this situation.) To bring up the boot menu on Windows 98, hold down the left-hand CONTROL key as soon as the machine restarts. For Windows 95, press F8 as soon as you see the text message "Starting Windows 95." If you see the graphical Windows logo screen, restart the computer and try again.

From the Windows start up menu, pick Safe Mode Command Prompt Only. This will give you a DOS (C:\>) prompt.

First, we need to remove each of the files that got installed on the machine. These have been flagged as hidden, system and read-only to make detection and removal more difficult, so we need to reset those flags before the file can be deleted:

  attrib -r -s -h c:\msdos98.exe
  del c:\msdos98.exe

  attrib -r -s -h c:\WINDOWS\uninst~1.exe
  del c:\WINDOWS\uninst~1.exe

  attrib -r -s -h c:\WINDOWS\SYSTEM\mine.exe
  del c:\WINDOWS\SYSTEM\mine.exe

  attrib -r -s -h c:\WINDOWS\SYSTEM\ReadMe.Txt
  del c:\WINDOWS\SYSTEM\ReadMe.Txt

Now we need to clean up the WIN.INI file. This has also been protected by the infection:

  attrib -r -s -h C:\WINDOWS\WIN.INI
  EDIT C:\WINDOWS\WIN.INI

In the WIN.INI file, look for the Run= line in the [Windows] section. Note any existing parameters other than "c:\windows\uninstallms.exe". Place the cursor on that line and hit END to check the end of the line, noting any parameters other than "c:\windows\uninstallms.exe" Remove the extra spaces and "c:\windows\uninstallms.exe" from the line. Now save the file and exit the editor. (ALT-F brings up the file menu, 'S' will save, 'X' will exit.) NOTE: On most systems the spaces and "c:\windows\uninstallms.exe" will be the only elements of the Run= line. You can easily clean the line by placing the cursor to the right of the equals sign, then holding down SHIFT and pressing END. This will select to the end of the line. Pressing DELETE will clear the line.

Now restart the machine by pressing CTRL+ALT+DEL. Because the machine was not properly shut down (we reset it or powered it off, remember?) SCANDISK will probably run. This is expected and normal under the circumstances. Deal with any issues it may find, which will probably be nothing.

We now need to modify the Registry to remove the last vestiges of the infection:

From the Start menu, pick Run. Enter REGEDIT and click OK.
In the Registry Editor, My Computer should be highlighted. If it is not, click on it once to highlight it.
From the Registry menu, choose Export Registry file. Use C:\BACKUP.REG as the file name. Under Export Range, be sure "All" is selected. Click Save.
Once the Registry has been saved, double-click on HKEY_LOCAL_MACHINE
Double-click on Software under HKEY_LOCAL_MACHINE
Double-click on Microsoft under Software
Double-click on Windows under Microsoft
Double-click on CurrentVersion under Windows
Click once on Run (under CurrentVersion) to select it
In the right-hand pane, look for the name "Windows" with the corresponding data"c:\msdos98.exe" Highlight "Windows". If there is more than one "Windows" line, be sure to choose the one with the data value "c:\msdos98.exe"
From the Edit menu, choose Delete. Click Yes when asked to confirm the deletion.
Exit the Registry Editor and restart your system.

For this particular Trojan, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/APSTrojan.qa.html)
For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Wednesday, 02-Jan-2002 14:06:24 EST.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 14 February 2000 16:20 EST