Class
Trojan
Platform
Win16

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan

A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).

Read more

Platform: Win16

No platform description

Description

Technical Details

This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet.

When run for the first time, the Trojan just installs itself in the system. It copies itself to the Windows system directory with the SHELL32.EXE name and registers in the system Registry in HKEY_LOCAL_MACHINE section:

SOFTWAREMicrosoftWindowsCurrentVersionRun shell32.exe
The Trojan then terminates with no side effects. On the next rebooting, the Trojan stays in Windows memory as a hidden task, sleeps and periodically initiates Windows Socket APIs and opens a stream socket with TCP/IP protocol for sending messages.

The messages have randomly selected addresses, subject and data. The "Mail From" address is randomly constructed from the following parts:

  • prodigy compuserve kurva putka gerry tetra europe amstel usa bulgaria badsector hacker omega vali-pedali eunet digsys
  • main vt linux aix unix mail www host abc server veliko-tar
  • com edu org mil gov net bg tr gr uk ca ro jp
The "RCPT To" address is randomly selected from the following variants:
gerry@tetra.bg
administrator@tetra.bg
tetranet@tetra.bg
root@vt.bitex.com
peterc@vt.bitex.com
ivanp@vt.bitex.com
root@tarnovo.eunet.bg
master@tarnovo.eunet.bg
webmaster@tarnovo.eunet.bg
root@server.vt.bia-bg.com
webmaster@mail.vt.bia-bg.com
webmaster@tetra.bg
The subject is randomly selected from the following variants:
Ha-ha-ha
Bad Sector wi razkaza igrata :))
Greetings from Bad Sector ! Po-zdrawi
Vleze li wi sega?
Re
Hi, kak e?
Ko staa, ima problemi li
Bad Sector
Kogato grum udari...
etc.
The sentences of the message body are randomly constructed from a large set of verbs, words and sub-sentences, partly they are rude ones, mostly they are in Bulgarian. There is no reason to list them all here.

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.