A trojan named ie0199.exe was mailed to a large group of recipients in
January 1999. The spammed messages were forged to look as if they came
from Microsoft and claimed to contain an update for Internet Explorer.
The e-mail carried a 28 kB attachment called IE0199.EXE.
The original mail looked like this:
Date: Mon, 25 Jan 1999 20:00:26 -0500
From: "Microsoft Internet Explorer Support" <IEsupport@microsoft.com>
To: "Microsoft Internet Explorer User"
Subject: Please Upgrade Your Internet Explorer
1 Microsoft Way
Redmond, WA 98052
As an user of the Microsoft Internet
Explorer, Microsoft Corporation provides
you with this upgrade for your web browser.
It will fix some bugs found in your Internet
Explorer. To install the upgrade, please save
the attached file (ie0199.exe) in some folder
and run it.
For more information, please visit our
web site at www.microsoft.com/ie/
(c) 1995-1998 Microsoft Corporation. All Rights Reserved
When the IE0199.EXE file is run, it extracts two files from its
body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows
system directory. Note that MPREXE.EXE (an executable, not a DLL) is a
standard Windows file; the trojan's MPREXE.DLL merely borrows that name,
so a file called MPREXE.DLL in the system directory is suspicious while
MPREXE.EXE is not.
The trojan then registers MPREXE.DLL so that the system loads it on
every reboot. Depending on the Windows version, the registration is made
either in the system registry or in the "drivers=" line of the [boot]
section of SYSTEM.INI; in both cases MPREXE.DLL is marked for automatic
execution at startup.
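The following scanner is an added example, not code from the original description or from any antivirus vendor. It checks the two persistence locations named above for the trojan's components: it parses SYSTEM.INI text and inspects the space-separated entries of the [boot] "drivers=" line, and it scans a list of autostart command strings (for instance values exported from the registry by the analyst) for either dropped filename. The page does not say which registry key is used or what the registered command looks like, so the scanner simply looks for MPREXE.DLL or SNDVOL.EXE anywhere in a command string, including the rundll32-style "x.dll,Entry" form, which is an assumption. The legitimate MPREXE.EXE is deliberately left alone. All sample data is constructed.

```python
"""Check Windows 9x/NT autostart data for the IE0199 trojan's components.

Added example, not from the original advisory. Works on text supplied by
the caller (SYSTEM.INI contents, a list of autostart command strings), so
it runs offline against constructed samples.
"""
import re

# Filenames the trojan drops (from the advisory). Lower-case for matching.
TROJAN_FILES = {"mprexe.dll", "sndvol.exe"}


def parse_ini(text):
    """Minimal INI parser tolerating duplicate keys and keyless lines.

    Returns {section: [(key, value), ...]} with section and key lower-cased.
    configparser is avoided on purpose because SYSTEM.INI may repeat keys.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def basename(token):
    """Last path component, lower-cased, quotes and a rundll-style ',Entry'
    suffix stripped (the ',Entry' handling is an assumption, see lead-in)."""
    name = re.split(r"[\\/]", token.strip().strip('"'))[-1].lower()
    return name.split(",")[0]


def check_system_ini(text):
    """Return trojan filenames found in the [boot] drivers= entries.

    drivers= holds a space-separated list, e.g. 'drivers=mmsystem.dll power.drv'.
    """
    found = []
    for key, value in parse_ini(text).get("boot", []):
        if key != "drivers":
            continue
        for entry in value.split():
            name = basename(entry)
            if name in TROJAN_FILES:
                found.append(name)
    return found


def check_autostart_values(values):
    """Return the autostart command strings that reference a trojan component.

    Every token (quoted paths kept whole) is examined, so both a direct
    'C:\\...\\SNDVOL.EXE' and a 'rundll32.exe ...\\MPREXE.DLL,Init' form match.
    """
    hits = []
    for value in values:
        tokens = re.findall(r'"[^"]*"|\S+', value)
        if any(basename(t) in TROJAN_FILES for t in tokens):
            hits.append(value)
    return hits


# Constructed sample data, not captured from a real infection.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
drivers=mmsystem.dll MPREXE.DLL
[386Enh]
device=vmm32.vxd
"""

SAMPLE_AUTOSTART = [
    r"C:\WINDOWS\SYSTEM\mprexe.exe",            # legitimate file, must not match
    r"C:\WINDOWS\SYSTEM\SNDVOL.EXE",            # dropped trojan component
    r'"C:\Program Files\Foo\bar.exe" /silent',  # unrelated program
]

if __name__ == "__main__":
    print("SYSTEM.INI drivers= hits:", check_system_ini(SAMPLE_SYSTEM_INI))
    print("autostart hits:", check_autostart_values(SAMPLE_AUTOSTART))
```

Matching is done on the file name, not the full path, because the advisory says only that the files land in the Windows system directory; on a real host you would additionally confirm that the flagged file exists there and compare its hash against a known-good inventory, since a clean MPREXE.EXE next to a rogue MPREXE.DLL is exactly the situation the trojan relies on.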
When loaded, MPREXE.DLL does nothing but execute SNDVOL.EXE and exit.
SNDVOL.EXE enables auto-dialing by changing the Internet options in the
system registry, randomly selects one of three Bulgarian Web servers
(www.btc.bg, www.infotel.bg, ns.infotel.bg), connects to it and sleeps
for some time. The trojan performs no other actions.
As a result, the trojan generates a large amount of network traffic both
inside the infected company and at the Bulgarian servers. The trojan has
probably been written to cause denial-of-service attacks for the Bulgarian