AOL.PS.Trojan (Also known as APStrojan.qa and W95 Trojan.Cool)

This trojan is 78K in size and is sent to some AOL users via email as a file named MINE.ZIP, which appears to contain compressed pictures. The person sending the trojan may supply instructions for decompressing the files so the user can look at the "pictures." The zip file contains the file MINE.EXE, which installs the trojan on PCs that have the Visual Basic runtime DLLs installed (Note: the trojan could be renamed to any other file name and still work.). Once installed, AOL.PS automatically runs when the PC restarts, and when the user logs onto AOL the trojan records the username and password details and forwards them back to the person who sent the trojan.

When MINE.EXE runs, the trojan creates the following files, which are hidden from the user under the default Windows folder-view settings:

c:\msdos98.exe
c:\WINDOWS\SYSTEM\mine.exe
c:\WINDOWS\SYSTEMS\ReadMe.Txt
c:\WINDOWS\uninstallms.exe

The trojan then edits the WIN.INI file with the line run=c:\windows\uninstallms.exe so the trojan loads when the PC reboots. The trojan also makes certain it is loaded by modifying the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows=c:"msdos98.exe".

Once the trojan runs, it monitors activity on the PC. If the trojan detects that Regedit or Notepad has been started, it automatically shuts the program down, making it impossible to edit WIN.INI and remove the trojan.
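The two persistence points listed above (the WIN.INI run= line and the HKLM Run value) can be checked offline from a copy of WIN.INI and an export of the Run key. The following is an added example, not part of the original advisory; it assumes the classic WIN.INI layout where run= sits under the [windows] section, and it takes the Run key as a plain dictionary (a stand-in for however the key was exported). The sample inputs are constructed.

```python
# Look for the AOL.PS autostart indicators in WIN.INI text and in a
# snapshot of HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
INDICATOR_FILES = ("msdos98.exe", "uninstallms.exe")

def run_entries_from_win_ini(text):
    """Return the program paths listed on run= lines in the [windows]
    section. Assumption: run= lives under [windows], as in Windows 9x."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                # run= may list several programs separated by commas or spaces
                entries.extend(p for p in value.replace(",", " ").split() if p)
    return entries

def suspicious_autostarts(win_ini_text, run_key_values):
    """run_key_values: dict of value name -> command string, as exported
    from the HKLM ...\\CurrentVersion\\Run key. Returns (location, value)
    pairs whose target file matches one of the indicator names."""
    findings = []
    for prog in run_entries_from_win_ini(win_ini_text):
        if prog.lower().split("\\")[-1] in INDICATOR_FILES:
            findings.append(("WIN.INI run=", prog))
    for name, cmd in run_key_values.items():
        # The advisory shows the value written as c:"msdos98.exe", so strip
        # quotes before comparing the file name.
        cleaned = cmd.replace('"', "").lower()
        if any(cleaned.endswith(f) for f in INDICATOR_FILES):
            findings.append((f"HKLM Run\\{name}", cmd))
    return findings

# Constructed sample inputs mirroring the entries described in the advisory.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\uninstallms.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN_KEY = {"Windows": 'c:"msdos98.exe"', "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for location, value in suspicious_autostarts(SAMPLE_WIN_INI, SAMPLE_RUN_KEY):
        print(f"{location}: {value}")
```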


Last updated: Friday, 23-Aug-2002 11:53:04 EDT