PWSteal.Omerstroke is a Trojan horse that monitors the AOL interface and emails passwords to a predetermined address. It also monitors open IM windows in the AOL interface and may send the captured IM messages to a predetermined AOL chatroom.
When PWSteal.Omerstroke is executed, it performs the following actions:
1. Displays a fake error message. The message has the following characteristics:
Title: Windows
Body: File not found: 'COMCTLDG32.OCX'
2. Attempts to copy the file %CurrentFolder%\newestpics.exe as:
C:\Windows\system\mstasks.exe
Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
3. Adds the value:
"mstasks" = "c:\windows\system\mstasks.exe -quiet"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
4. Monitors the AOL interface. If the user changes the AOL password, the Trojan sends an email containing the new password to a predetermined email address on the elitemail.org domain.
5. Monitors the open IM windows within the AOL interface and may send captured IM messages to a predetermined AOL chatroom.
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.omerstroke.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"mstasks" = "c:\windows\system\mstasks.exe -quiet"
6. Exit the Registry Editor.
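The persistence indicators listed above (the "mstasks" Run value and the dropped mstasks.exe) and the manual removal steps, as an added PowerShell example that is not part of the Symantec write-up. It reports whether either indicator is present on the host and, when run with the -Remove switch, carries out the same cleanup the manual steps describe. It assumes a modern Windows host with PowerShell running from an elevated prompt; the function name Test-OmerstrokeIndicators, the -Remove switch, the computed file hash in the report, and the use of $env:SystemRoot in place of the literal C:\Windows path are this example's own.

```powershell
# Added example, not code from the Symantec write-up.
# Checks a host for the PWSteal.Omerstroke persistence indicators described
# in the write-up and, with -Remove, performs the cleanup steps.
# Assumptions: run from an elevated prompt on a Windows host with PowerShell;
# $env:SystemRoot stands in for the C:\Windows path given on the page.

function Test-OmerstrokeIndicators {
    [CmdletBinding()]
    param(
        [switch]$Remove   # hypothetical switch: also clean up what is found
    )

    # Indicators taken from the write-up: the Run value and the dropped file.
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'mstasks'
    $dropPath  = Join-Path $env:SystemRoot 'system\mstasks.exe'

    $findings = @()

    # 1. Look for the autostart value. The write-up gives its data as
    #    "c:\windows\system\mstasks.exe -quiet"; the regex tolerates a
    #    different drive or case but still requires the -quiet argument.
    $runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($runValue) {
        $data = $runValue.$valueName
        $findings += [pscustomobject]@{
            Type   = 'RegistryRunValue'
            Where  = "$runKey\$valueName"
            Detail = $data
            Match  = [bool]($data -match 'mstasks\.exe\s+-quiet')
        }
    }

    # 2. Look for the dropped executable and record its size and hash so the
    #    sample can be preserved or matched against AV signatures later.
    if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
        $file = Get-Item -LiteralPath $dropPath
        $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'DroppedFile'
            Where  = $dropPath
            Detail = ('{0} bytes, SHA256 {1}' -f $file.Length, $hash)
            Match  = $true
        }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No PWSteal.Omerstroke indicators found.'
        return
    }

    $findings | Format-Table -AutoSize | Out-String | Write-Output

    if ($Remove) {
        # Mirror the manual steps: stop the running copy (if any), delete the
        # Run value so it no longer starts with Windows, then delete the file.
        Get-Process -Name 'mstasks' -ErrorAction SilentlyContinue | Stop-Process -Force
        if ($runValue) {
            Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
            Write-Output "Removed Run value '$valueName' from $runKey."
        }
        if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
            Remove-Item -LiteralPath $dropPath -Force -ErrorAction Stop
            Write-Output "Deleted $dropPath."
        }
    }
}

# Usage: report only.
Test-OmerstrokeIndicators

# Usage: report and clean up (uncomment to run).
# Test-OmerstrokeIndicators -Remove
```

Run it without -Remove first so the report (including the file hash) can be kept for the incident record before anything is deleted; deleting the file while a copy of the process is still running is what the Stop-Process call guards against.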