Please note that certain software packages for certain modems
contain PTSNOOP.EXE files, but these are not trojans. If you are
not sure if that file is a trojan or not, use F-Secure Anti-Virus
to check it out.
Ptsnoop is a simple backdoor program written in Visual Basic.
Being activated it first looks for active RAS connections and
exits immediately if none is found.
If a connection is present, the backdoor installs itself to
system by copying itself as PTSNOOP.EXE file to \Windows\System\
directory and modifying WIN.INI file. The backdoor adds its
execution string after LOAD= variable in [Windows] section of
WIN.INI file. Diring this operation WIN.INI file gets copied to
WIN.ANA file, the backdoor's execution st ring is then added and
WIN.INI file is deleted. Then WIN.ANA file is renamed to WIN.INI
file. This way the backdoor will become active every time Windows
starts.
Being active the backdoor tries to connect to the following
websites:
When the connection succeeds, the backdoor clips cursor to a
certain area and allows a hacker or script on these websites to
control mouse movement and window positions. It is not clear why
this is done and it is impossible to check any more because the
contents of the above mentioned websites were changed or removed.
The idea might have been to make a user click on certain areas of
a website to download or run a script or binary from there. In
any case, this backdoor should be deleted from a system and
WIN.INI file should be cleaned from backdoor's execution string
after LOAD= variable.
[Analysis: Alexey Podrezov; F-Secure Corp.; September 2001]
![](/images/pixel.gif"){kind=tracking}
