As these are NOT "viruses", most antivirus programs (with a few
exceptions such as Dr Solomon's and Norton AntiVirus) will give
your system a clean bill of health even when a Trojan is present
and active.
Trojan Horses are very common throughout the Internet; however,
there's been an epidemic of them here on AOL in the last year
or two. I've seen so much non-viral malicious code here on AOL
(I'd estimate that nearly half of the unsolicited emails one
receives with file attachments contain Trojan Horses) that
I've gotten so I can "smell" them between the lines of emails
and message board support postings. Although in such situations
I always HOPE to be found wrong, that has yet to happen. :-(
Most Trojans are of the variety called "pishers": password
harvesters designed to retrieve user passwords and other key
data and send it back to the source of the program, commonly via
an email sent from the victim's account without his/her knowledge.
Common Scenarios Under Which Trojans Are Discovered:
More often than not users are tipped off to the presence of a
Trojan Horse by one of the following situations:
(1) Missing File Errors at Startup
As Windows is loading, an error message appears indicating that
such and such a file called from either WIN.INI or SYSTEM.INI
cannot be found. Often this is a GOOD sign, as it indicates that
the program is no longer succeeding in loading into memory when
the PC is started. Usually this means that either the user
has deleted the offending file or that the program has failed to
install properly (while some VERY advanced programming has been
found in some of these applications, others are very amateurish
"homemade" software).
(2) A Mysterious Program is Noted in the Close Programs Window
Most users are familiar with the programs that run hidden in the
background at all times on their systems and may note the sudden
appearance of something new when they have not installed any new
software. In most cases these programs are designed to appear in
the Close Programs window (seen when one taps CTRL+ALT+DEL) using
file names that "look like they belong". Common tipoffs are the
appearance of a SECOND "Explorer" or "Systray", or programs with
legit-looking names such as "Win32Sys" or "Winhelp".
(3) ISP Account Compromised
The worst possible way to find out that one has been compromised
by a Trojan is by finding out that the effort has succeeded and
some jerk has your logon name and password and can access your
account at will. In some cases one may happen to come across an
unfamiliar email address on an outgoing email and find that it
contains the user's passwords and other information, or one may
attempt to sign on and be denied access because the account is
already in use by unauthorized persons.
Should You Suspect You Have a Trojan Horse on Your System
Suggestions:
1- Become Informed
Read some info AOL has posted if you are not familiar with
Trojan Horse programs in general so that you are aware of the
possibilities:
2- Check for and remove the Trojan Horse:
Follow these steps:
(A) Check the programs running on your system
Tap CTRL+ALT+DEL
(press and hold the CTRL and ALT keys with your left hand
and tap the DEL key ONCE with your right to bring up the
"Close Programs" list of all running programs)
Look for unrecognizable file names, particularly those with
names that make them "look like they belong".
Some common files that ARE NOT WIN95/98 FILES which
have been found to be Trojan Horses include:
Explore
second Explorer
second Systray
Sys
System
Winhelp
Mshelp
Win
Winsys
Win95
Win32
Win32Sys
Win32SysMan
a blank line
If you see any of the above, select them and click End Task.
NOTE: You should see only ONE copy of Explorer and Systray
running; a SECOND listing for either is a common trick with
Trojans.
(B) Check your WIN.INI file
Click Start > Click Run > Type SYSEDIT > Click OK
Choose the WIN.INI file
Look at the lines starting with load= and run=
Place semicolons [;] at the beginning of those two lines:
;load=C:\IBMTOOLS\Aguide.exe C:\Register\REMIND.EXE
;run=C:\IBMAV95\STARTTIM.EXE c:\windows\bob.exe
Click File > Click Save
If you get a message that "changes cannot be saved" or that
WIN.INI has been marked "READ ONLY" do the following:
Click Start > Point to Programs > Click the MS-DOS Prompt
Type ATTRIB -R WIN.INI and tap [ENTER]
Type EXIT and tap [ENTER]
(that's ATTRIB[space][minus sign]R[space]WIN.INI)
Expand both the SYSEDIT and WIN.INI windows to full size.
Use the scroll bar at the bottom of the WIN.INI window to
scroll all the way to the right and then scroll down the
file, seeing if you spot a concealed load= or run= line.
It is very common for a second run= or load= line to be
hidden from view off to the right, where one would have to
scroll to see it.
You may want to also do this:
Bring the WIN.INI File to the front
Click Search
With the mouse cursor at the beginning of the file:
Type .exe and Click Find
Tap your F3 key to scroll through all instances of .EXE
Note anything which obviously does not belong
(C) Check your SYSTEM.INI file
Click Start > Click Run > Type SYSEDIT > Click OK
Bring the SYSTEM.INI file to the front and check the shell=
line under [boot]
A *NORMAL* "shell=" line in Win95 *SHOULD* look like this:
shell=Explorer.exe
A *BAD* shell= line modified by a "pisher" may look like this:
shell=Explorer.exe C:\Windows\Bob.exe
If you FIND such a line, edit it so that it appears as simply
shell=Explorer.exe
Click File > Click Save
NOTE: If you find and remove any references in SYSTEM.INI
or WIN.INI, be sure to NOTE the exact FILE NAME and PATH of
the actual .EXE file so that you can later delete it (if
indeed it is still present --- often users don't get "can't
find" errors until after they have actually deleted the file).
- Close and Reopen SYSEDIT
- Make sure that your changes were saved.
If they were not:
Click Start > Point to Programs > Click the MS-DOS Prompt
Type ATTRIB -R SYSTEM.INI and tap [ENTER]
Type EXIT and tap [ENTER]
(removes the "read-only" attribute that many Trojans set
to prevent one from editing system files and removing their
work)
Repeat the above editing of the shell= line.
(D) Check for the actual file
After removing any lines found above, check to see if the file
referenced is still on your system (check in the PATH noted;
i.e. if a line C:\Windows\Joe.exe is found, open the Windows
folder via Explorer and check for a "Joe" or "Joe.exe" file).
If found, BEFORE deleting it, right-click on it > Click
Properties. Note (write down) the exact TIME and DATES
referenced as the "Created" and "Last Modified" dates.
Delete the file or move it to a diskette.
Restart your computer.
Tap CTRL+ALT+DEL to make sure that nothing is running that
doesn't belong.
Use the ADVANCED tab in FIND to search for files created
on your system at that same date/time and closely examine
all of them.
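As an added illustration (my own script, not part of the original posting), here is a small Python checker that does the paper work of steps B through D over the text of WIN.INI and SYSTEM.INI: it lists live load=/run= entries, flags a value that has been pushed off-screen with a run of spaces, reports anything tacked onto the shell= line beyond Explorer.exe, and collects every .exe path referenced so each can be looked for on disk. The two INI samples inside it are constructed for the demonstration, not captured from a real machine.

```python
import re

# Constructed samples (not real captures) showing the tricks the posting describes:
# a run= value pushed off-screen with spaces, and shell= with an extra executable.
WIN_INI = ("[windows]\nload=\n;run=C:\\IBMAV95\\STARTTIM.EXE\nNullPort=None\n"
           "run=" + " " * 300 + "c:\\windows\\bob.exe\n")
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\Windows\\Bob.exe\n[386Enh]\n"
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\s;,]+\.exe", re.IGNORECASE)


def audit_win_ini(text):
    """Flag every live load=/run= line that launches something (step B)."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue  # a leading semicolon disables the line, as the posting has you do
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("load", "run") and value.strip():
            findings.append({"line": num, "key": key.strip().lower(), "value": value.strip(),
                             # a long run of spaces hides the value off to the right
                             "hidden": len(value) - len(value.lstrip()) > 40})
    return findings


def audit_system_ini(text):
    """Return anything on the [boot] shell= line beyond plain Explorer.exe (step C)."""
    section, extras = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        key, sep, value = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            parts = value.split()
            normal = bool(parts) and parts[0].lower() == "explorer.exe"
            extras.extend(parts[1:] if normal else [value.strip()])  # extras, or a replaced shell
    return extras


def referenced_files(*texts):
    """Every .exe path named in the files, so each can be looked for on disk (step D)."""
    seen = {}
    for line in "\n".join(texts).splitlines():
        if not line.lstrip().startswith(";"):
            for path in EXE_PATH.findall(line):
                seen.setdefault(path.lower(), path)  # dedupe case-insensitively
    return sorted(seen.values(), key=str.lower)
```

To use it on a real machine, read the two files from the Windows folder into the WIN_INI and SYSTEM_INI strings and compare what audit_win_ini and audit_system_ini report against the normal entries described above.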
3- Check Outgoing Email and Change Passwords
Another thing I suggest you do is to check your recent outgoing
email (AOL users can do this via the "Sent Mail" tab in their
mailbox, as well as in their Personal Filing Cabinet if they have
AOL set to save outgoing email) to confirm that an email was not
sent without your knowledge containing your logon ("screen name")
and password.
To err on the side of caution, I suggest changing the
passwords for all screen names anyway.
4- Avoiding Trojan Horses in the Future
ALL users should avoid downloading and running ANY and ALL
files found attached to AOL email unless one personally knows
the sender (and then I advise caution as many users have
innocently forwarded Trojans to friends before realizing what
has occurred).
If you receive unsolicited email you know or suspect to contain
a Trojan Horse, FWD it as is to AOL via the screen name TOSFILES.
5- More Assistance
(A) AntiVirus software
If you have any problems with the above (or if you prefer a more
"automatic" removal), you can download a free trial version of
either Dr Solomon's AntiVirus or Symantec's Norton AntiVirus,
both of which can detect and remove many common Trojans.
Norton AntiVirus
First of all, owners of Aptiva models that shipped with the
now-discontinued IBM AntiVirus product may be able to obtain a
free copy of the full version of NAV 4.08. More details here:
For those who are not eligible for that, Symantec has free 30-day
trial versions of Norton AntiVirus 5.0 available for download:
Dr Solomon's FindVirus
Dr Solomon's has just been taken over by NAI (the same folks who
took over McAfee and ran it into the ground), and at this point, as
NAI *retools* the Solomon's line, there are no trial versions
available at the WWW site; however, AOL users can still obtain a
free trial copy of version 7.95 here:
(B) Online Resources
Here are two websites that also offer suggestions on detecting
and purging Trojan Horses:
(C) America Online Technical Support
For what it's worth, AOL subscribers can also call AOL for
support... they see Trojans ALL DAY LONG (believe me), and
if nothing else most of their techs are well versed in
pisher removal.
1-888-265-8006
(D) If all else fails...
While I'm not able to provide widespread support-by-email
these days, if you get in a *real jam* and need help, feel
free to email or IM me directly.
Surf Safe!