This is a Win32 DDoS (Distributed Denial of Service attack) Trojan that was distributed by a hacker (or hackers group) in November 2000. The Trojan was sent as an e-mail message with an attached file.
The message text and header looks as follows:
The attached file intends to be displayed as a ZIP archive, but it is a Windows EXE file with the following name:
This is Trojan “installer” that will affect a computer if it is run. Because of a “spaces” trick, it will be displayed as a .ZIP file in many cases, which could deceive a user to open it.
When the EXE file (Trojan installer) is run, it extracts from itself two more executable files and copies them to the Windows system director with the following names:
Under Win9x and WinNT, these files are then registered in the auto-run sections in different ways: under WinNT, the Trojan registers a SOUNDV.EXE file in the system registry:
Under Win9x, the DLL file is registered in the SYSTEM.INI file in the following[boot] section:
The Trojan then displays the following fake error message:
(the grammar mistake is left as it is in the Trojan code).
The SOUNDV.EXE is the DoS Trojan itself. The MRE.DLL is a small program that just executes the SOUNDV.EXE upon each running. As a result, under both Win9x and WinNT, the SOUNDV.EXE component will be activated.
When this file is run (upon the next Windows restart), it will stay active as a hidden application (service), then it enables the auto-dial option in the Internet settings, then performs a DoS attack on the server “kozirog.netissat.net”.