Buddy List Trojan Horse
This is a password-stealing trojan, one of many Trojan Horse programs that target America Online users. These trojans are only active while Windows is loaded; therefore, the user should restart the computer in MS-DOS mode using the Anti-Virus startup disk and run the DOS-based virus scanner. The virus scanner should detect and clean the trojan; if it doesn't, the user will have to manually remove the trojan using the following steps:
The BUDDYLIST.EXE Trojan creates a file in the C:\Windows\System\NortonAntiVirus directory called REGISTRYREMINDER.EXE which loads from WIN.INI and recreates all the other files.
- Shut Down computer and restart in MS-DOS mode.
- Type each of the following commands at the prompt and press Enter after each one:
CD\
ATTRIB -H -S -R COMMAND.EXE
DEL COMMAND.EXE
CD\AMERIC~1.0
ATTRIB -H -S -R BUDDY*.*
DEL BUDDY~1.EXE
CD\WINDOWS\SYSTEM
ATTRIB -H -S -R WINSAVER.EXE
DEL WINSAVER.EXE
ATTRIB -H -S -R NORTON~1\*.*
DELTREE NORTON~1\*.*
CD\WINDOWS\STARTM~1\PROGRAMS\STARTUP
ATTRIB -H -S -R AIMREM*.*
DEL AIMREM~1.EXE
Please note: if you receive a "File not Found" message when executing any of the above commands, make certain you typed it correctly and that you are in the proper directory. There are a number of variants of this trojan, so it is possible that not all of the files are present on your system; in that case, ignore the "File not Found" message and proceed to the next command.
- Type EXIT and press Enter to restart Windows
Next, you will have to edit the Registry:
- Click the Start button and then click Run
- Type REGEDIT in the dialog box and then click OK
- The Registry Editor opens. Go to the following sub-key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Highlight Run in the left panel.
- Find the value named WINPROFILE in the right panel.
- Right-click WINPROFILE and select Delete.
- Choose Registry and click Exit to save your changes and close the Registry Editor.
Finally, remove BuddyList from the startup files:
- Click the Start button and then click Run
- Type SYSEDIT in the dialog box and click OK
- The System Configuration Editor opens. Click the WIN.INI window.
- Find the run= and load= lines.
- Delete references to BUDDYLIST.EXE and REGISTRYREMINDER.EXE.
- Click on the SYSTEM.INI box.
- Find the SCRNSAVE.EXE= line, under the [boot] section.
- Delete reference to C:\WINDOWS\SYSTEM\WINSAVER.EXE.
NOTES:
- The lines can be left as run= and load= with nothing after them. Make certain that all changes are saved before exiting SYSEDIT.
- Check AUTOEXEC.BAT and CONFIG.SYS for any references to BUDDYLIST.EXE and REGISTRYREMINDER.EXE. If you find any, delete them.
Windows can now be restarted. Check WIN.INI and the Registry to make certain the trojan has been removed.
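To make the final check of WIN.INI and SYSTEM.INI systematic, the following added example (not part of the original advisory) parses the two files, reports run=, load= and SCRNSAVE.EXE= entries that still name BUDDYLIST.EXE, REGISTRYREMINDER.EXE or WINSAVER.EXE, and strips only those entries from a line. The INI contents below are constructed samples, not captured from an infected machine, and short 8.3 paths without spaces are assumed.

```python
import re

# Persistence file names taken from the advisory above.
INDICATORS = ("BUDDYLIST.EXE", "REGISTRYREMINDER.EXE", "WINSAVER.EXE")

# Constructed sample files modelled on the entries the advisory says the trojan adds.
WIN_INI = r"""[windows]
load=C:\WINDOWS\SYSTEM\NORTONANTIVIRUS\REGISTRYREMINDER.EXE
run=C:\PROGRA~1\OTHER\TOOL.EXE C:\AMERIC~1.0\BUDDYLIST.EXE
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = r"""[boot]
shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\WINSAVER.EXE
"""

def parse_ini(text):
    """Parse INI text into {section: [(key, value), ...]}, keeping entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def find_trojan_references(win_ini, system_ini):
    """Return (file, section, key, value) for each startup entry naming an indicator."""
    checks = (("WIN.INI", parse_ini(win_ini), "windows", ("run", "load")),
              ("SYSTEM.INI", parse_ini(system_ini), "boot", ("scrnsave.exe",)))
    hits = []
    for name, ini, section, keys in checks:
        for key, value in ini.get(section, []):
            if key.lower() in keys and any(i in value.upper() for i in INDICATORS):
                hits.append((name, section, key, value))
    return hits

def scrub_line(value):
    """Drop indicator paths from a run=/load= value; other programs stay, the line may become empty."""
    parts = re.split(r"[ ,]+", value)
    return " ".join(p for p in parts if p and not any(i in p.upper() for i in INDICATORS))

if __name__ == "__main__":
    for hit in find_trojan_references(WIN_INI, SYSTEM_INI):
        print("%s [%s] %s=%s" % hit)
```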
Remember to contact AOL to let them know someone has been using your username(s) and password(s).
Last updated: Friday, 23-Aug-2002 11:49:16 EDT