| Description:
|
Details
Trojan.Win32.AntiBTC
This Trojan arrives as an executable files (we got it named IE0199.EXE). When it is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable file (not a DLL) is one of the standard Windows files.
The Trojan then registers the MPREXE.DLL file in the system to force the system to run this file upon each reboot. The registration is done depending on the Windows version either in the system registry, or in the SYSTEM.INI file in [boot] section in the "drivers=" string. The MPREXE.DLL file is pointed as auto-executed.
When executed, the MPREXE.DLL file just executes the SNDVOL.EXE file and exits. The SNDVOL.EXE file enables auto-dialing by changing the system registry Internet options, randomly selects one of three Bulgarian Web servers (www.btc.bg, www.infotel.bg, ns.infotel.bg), connects them and sleeps for some time. The Trojan does not perform any other actions.
As a result, the only possible target of this Trojan is to overhear local Bulgarian telephone lines. |
