Parent class: TrojWare
Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.Class: Trojan
A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).Read more
Platform: Win16
No platform descriptionDescription
Technical Details
This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet.
When run for the first time, the Trojan just installs itself in the system. It copies itself to the Windows system directory with the SHELL32.EXE name and registers in the system Registry in HKEY_LOCAL_MACHINE section:
SOFTWAREMicrosoftWindowsCurrentVersionRun shell32.exeThe Trojan then terminates with no side effects. On the next rebooting, the Trojan stays in Windows memory as a hidden task, sleeps and periodically initiates Windows Socket APIs and opens a stream socket with TCP/IP protocol for sending messages.
The messages have randomly selected addresses, subject and data. The "Mail From" address is randomly constructed from the following parts:
- prodigy compuserve kurva putka gerry tetra europe amstel usa bulgaria badsector hacker omega vali-pedali eunet digsys
- main vt linux aix unix mail www host abc server veliko-tar
- com edu org mil gov net bg tr gr uk ca ro jp
gerry@tetra.bg administrator@tetra.bg tetranet@tetra.bg root@vt.bitex.com peterc@vt.bitex.com ivanp@vt.bitex.com root@tarnovo.eunet.bg master@tarnovo.eunet.bg webmaster@tarnovo.eunet.bg root@server.vt.bia-bg.com webmaster@mail.vt.bia-bg.com webmaster@tetra.bgThe subject is randomly selected from the following variants:
Ha-ha-ha Bad Sector wi razkaza igrata :)) Greetings from Bad Sector ! Po-zdrawi Vleze li wi sega? Re Hi, kak e? Ko staa, ima problemi li Bad Sector Kogato grum udari... etc.The sentences of the message body are randomly constructed from a large set of verbs, words and sub-sentences, partly they are rude ones, mostly they are in Bulgarian. There is no reason to list them all here.
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com