Trojan.AOL.Buddy (also known as Penny Tools Trojan)
This is a password-stealing trojan. It installs itself in several different places, making removal difficult. The trojan modifies:
- The Registry's RUN key, to launch C:\COMMAND.EXE, which is the trojan's body.
- The screensaver reference in SYSTEM.INI (pointing it to C:\Windows\System\WINSAVER.EXE), so the trojan is relaunched whenever the screensaver runs.
- WIN.INI, by adding the hidden file C:\America Online 4.0\BUDDYLIST.EXE to the LOAD= string, preceded by more than eighty spaces so that the entry is not visible at a glance.
- WIN.INI, by adding the hidden file C:\Windows\System\NortonAntiVir\REGISTRYREMINDER.EXE to the RUN= string.
- The Startup folder, by placing AIM REMINDER.EXE in C:\Windows\StartMenu\Programs\Startup\.
The trojan also creates VCLCNTL.DLL in C:\Windows\System\. When Windows starts, the trojan is launched by one of the mechanisms above and remains active. It sends the user's AOL login and password by email to qware4019@hotmail.com or ha015312@hotmail.com, depending on the trojan version.
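The following script is an added example, not part of the original writeup, showing how to check the WIN.INI and SYSTEM.INI autostart entries described above for the two tricks the trojan relies on: a LOAD=/RUN= value pushed out of sight behind a long run of spaces, and a screensaver reference that points at an .EXE instead of a .SCR. The file names it flags are the ones listed above; the padding threshold, the .scr heuristic, and the sample INI text are assumptions made for the example, and each LOAD=/RUN= value is treated as a single program path.

```python
"""Check WIN.INI / SYSTEM.INI text for the autostart tricks used by Trojan.AOL.Buddy.

Added example; not code from the original writeup.  Run it against the
contents of C:\\Windows\\WIN.INI and C:\\Windows\\SYSTEM.INI.
"""

# File names taken from the trojan description above (compared case-insensitively).
KNOWN_FILES = {
    "command.exe",
    "winsaver.exe",
    "buddylist.exe",
    "registryreminder.exe",
    "aim reminder.exe",
    "vclcntl.dll",
}


def parse_ini(text):
    """Parse INI text into {section: [(key, raw_value), ...]}.

    The raw value is kept untouched (no strip) so that leading padding can be
    measured later; keys and section names are lowercased for comparison.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#")):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value))
    return sections


def _basename(path):
    """Last path component, lowercased (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_autostart_entries(win_ini_text, system_ini_text, min_padding=8):
    """Return a list of findings (dicts) for suspicious autostart entries.

    min_padding is an assumed threshold: a legitimate LOAD=/RUN= value sits
    directly after '=', so a long whitespace run is treated as a hiding trick.
    """
    findings = []

    # WIN.INI [windows] load= and run= are executed at every Windows 9x start.
    for key, raw in parse_ini(win_ini_text).get("windows", []):
        if key not in ("load", "run"):
            continue
        value = raw.strip()
        if not value:
            continue
        padding = len(raw) - len(raw.lstrip())
        name = _basename(value)
        reasons = []
        if padding >= min_padding:
            reasons.append("padded")
        if name in KNOWN_FILES:
            reasons.append("known_indicator")
        if reasons:
            findings.append({"source": "win.ini", "key": key, "file": name,
                             "padding": padding, "reasons": reasons})

    # SYSTEM.INI [boot] SCRNSAVE.EXE= names the screensaver to run; the trojan
    # points it at WINSAVER.EXE.  A non-.scr target is flagged as a heuristic.
    for key, raw in parse_ini(system_ini_text).get("boot", []):
        if key != "scrnsave.exe":
            continue
        value = raw.strip()
        if not value:
            continue
        name = _basename(value)
        reasons = []
        if name in KNOWN_FILES:
            reasons.append("known_indicator")
        if not name.endswith(".scr"):
            reasons.append("not_scr")
        if reasons:
            findings.append({"source": "system.ini", "key": key, "file": name,
                             "padding": 0, "reasons": reasons})
    return findings


# Constructed sample INI contents mimicking the modifications described above.
WIN_INI_SAMPLE = (
    "[windows]\n"
    "load=" + " " * 90 + "C:\\America Online 4.0\\BUDDYLIST.EXE\n"
    "run=C:\\Windows\\System\\NortonAntiVir\\REGISTRYREMINDER.EXE\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)
SYSTEM_INI_SAMPLE = (
    "[boot]\n"
    "shell=Explorer.exe\n"
    "SCRNSAVE.EXE=C:\\Windows\\System\\WINSAVER.EXE\n"
)

if __name__ == "__main__":
    for finding in check_autostart_entries(WIN_INI_SAMPLE, SYSTEM_INI_SAMPLE):
        print(finding)
```

On a live system the Registry RUN key and the Startup folder listed above still have to be checked separately; this script only covers the two INI files.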
Last updated: Friday, 23-Aug-2002 11:51:02 EDT