This program belongs to the family of password-stealing Trojans. It was spread from a publicly accessible web page on the narod.ru server at the beginning of June 2002.
The web page contained the following:
Intermediate Examinations Test papers for mathematics and topics for compositions. Still FREE!
The file residing on the web page is a Trojan installer. When run, it drops a Trojan program into the Windows directory, then extracts and creates fake examination topics (in Russian).
The Trojan itself is a Windows PE EXE file about 27Kb in length (compressed by
When executed, the Trojan copies itself to the Windows directory under the name SYSTEM.EXE and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System = %WindowsDir%\System.exe
The main functions of the CrazyBilets Trojan are collecting cached Windows passwords on victim machines and sending this information to its “master” by direct connection to an SMTP server.
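A triage check for the auto-run entry described above, as an added example that is not part of the original description: it parses saved `reg query` output for the Run key and flags any value whose executable resolves to System.exe directly in the Windows directory. The function names, the sample output and the `C:\Windows` default are assumptions; %WindowsDir% in the description is treated as the Windows directory.

```python
import ntpath
import re

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
WINDIR_VARS = re.compile(r"%(systemroot|windir)%", re.IGNORECASE)

# Constructed sample of `reg query` output for the HKLM Run key (not real host data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    System    REG_SZ    C:\WINDOWS\System.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\System.exe" /background
"""


def command_to_exe(data, windows_dir):
    """Return the normalised, lower-cased executable path of a Run command line."""
    data = WINDIR_VARS.sub(lambda _m: windows_dir, data.strip())
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first ".exe" so trailing arguments are dropped.
        m = re.match(r"(.+?\.exe)(\s|$)", data, re.IGNORECASE)
        exe = m.group(1) if m else data
    return ntpath.normpath(exe).lower()


def find_crazybilets_autorun(reg_query_output, windows_dir=r"C:\Windows"):
    """List (name, data, confidence) for Run values pointing at <windir>\\System.exe."""
    target = ntpath.normpath(ntpath.join(windows_dir, "System.exe")).lower()
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        if command_to_exe(m["data"], windows_dir) == target:
            # Value name "System" as well as the path matches the description.
            name = m["name"].strip()
            confidence = "high" if name.lower() == "system" else "medium"
            hits.append((name, m["data"].strip(), confidence))
    return hits


if __name__ == "__main__":
    for name, data, confidence in find_crazybilets_autorun(SAMPLE):
        print(f"[{confidence}] Run value {name!r} -> {data}")
```

A legitimate program named System.exe elsewhere on disk is not flagged, because the comparison is on the full normalised path rather than the file name.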