
Trojan horse steals AOL passwords, URLs

A new email attachment making its way around the spam circuit is swiping recipients' user names and passwords and sending them to a Chinese email address.

Paul Festa, Staff Writer, CNET News.com

The Trojan horse, named "picture.exe," is collecting Web browser histories as well as America Online user names and passwords from hard drives, according to security firm Network Associates and recipients of the attachment.

While the Trojan horse is unusual for the amount and variety of information it steals, Network Associates warns that it joins a crowded field of similar email menaces.

"There are hundreds of these kinds of AOL password-stealing Trojans," said Vincent Gullotto, manager of Network Associates' Antivirus Emergency Response Team, or AVERT, which is part of the company's McAfee unit.

Indeed, password-stealing has long been a problem for AOL and other password-protected services. The online giant has gone to some lengths to educate users about the hazards of opening attachments from unfamiliar sources.

A Trojan horse is a program that does something its user does not expect, typically while posing as something harmless such as a picture or a note. It differs from a virus in that it does not replicate itself.

This Trojan, which Network Associates has dubbed "URLsnoop," adds an entry for a file called "note.exe" or "picture.exe" to the "run=" line of the "win.ini" file in the Windows directory. Windows launches whatever that line names at logon, so the executable runs again the next time the computer is started.
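The "run=" line is one of the oldest Windows autostart locations, and on a clean Windows 9x machine it and its sibling "load=" are normally empty. As an added example (not code from the article or from Network Associates), the following Python script parses a win.ini file and reports everything those two lines launch, flagging the two filenames the article names. The sample win.ini embedded in the script is constructed for illustration; on a real machine the file is C:\WINDOWS\win.ini.

```python
import ntpath
import re

# Constructed sample of a Windows 9x-era win.ini. The "run=" entry mirrors
# the persistence line the article attributes to the URLsnoop Trojan.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\picture.exe
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)

[fonts]
Arial (TrueType)=ARIAL.FON
"""

# Both keys in the [windows] section start programs at logon:
# "run=" starts them normally, "load=" starts them minimized.
PERSISTENCE_KEYS = ("run", "load")

# Filenames the article reports for this Trojan.
KNOWN_BAD = ("picture.exe", "note.exe")


def parse_ini(text):
    """Return {section: {key: value}} for a simple INI file.

    Section and key names are lower-cased, surrounding whitespace is
    trimmed, and lines starting with ';' are treated as comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_autostart_entries(text):
    """Return (key, program) pairs for everything win.ini starts at logon.

    Windows accepts several programs on one line separated by spaces or
    commas; this assumes paths themselves contain no spaces, which is true
    of the 8.3 names these lines were written for.
    """
    windows = parse_ini(text).get("windows", {})
    entries = []
    for key in PERSISTENCE_KEYS:
        for prog in re.split(r"[ ,]+", windows.get(key, "")):
            if prog:
                entries.append((key, prog))
    return entries


def suspicious_entries(text, known_bad=KNOWN_BAD):
    """Flag every autostart entry, noting which ones match a known-bad name.

    Any non-empty run=/load= line is worth a look, since neither is used by
    a default installation; a match on the article's filenames is stronger.
    """
    flagged = []
    for key, prog in find_autostart_entries(text):
        # ntpath handles backslash paths correctly even when run on Unix.
        base = ntpath.basename(prog).lower()
        reason = ("known URLsnoop filename" if base in known_bad
                  else "non-empty autostart line")
        flagged.append({"key": key, "program": prog, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_WIN_INI):
        print(f"win.ini [windows] {hit['key']}= -> {hit['program']} ({hit['reason']})")
```

To check a real machine, read the file into `text` instead of using the embedded sample; the same [windows] run= and load= keys are also mirrored in the registry on later Windows versions, so a win.ini check alone is not a complete autostart audit.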

Next, the Trojan horse builds lists of all the .txt and .html files on the user's hard drive, along with all the URLs found in the Internet cache. It then adds that list to a .dat (for data) file and encrypts the data.

If the user has AOL software installed, the program will collect the user name and password.

Once all this information is compiled, the program sends it to an email address in China.

Gullotto said that his team had received numerous reports of "URLsnoop" taking hold during the past week, and that Network Associates' UK division has been fielding reports as well. All of Network Associates' antivirus products now detect the Trojan, he said.

It isn't yet clear how successful the program has been in delivering the goods back to its author, according to Gullotto.

"The seriousness of it will depend on whether it succeeds in sending the data," he said, pointing out that the program could glean other user names and passwords from the .html files it swipes.

On online discussion forums related to computer security, participants have been warning each other about the program for the past week.

"You could do like I do," advised one poster to "mn.general." "Don't open or download files emailed to you by people or email addresses that you do not know."