Threat Descriptons



Category :


Type :


Aliases :



A trojan named ie0199.exe was mailed to a large group of recipients in January 1999. The spammed messages were faked to look like coming from Microsoft and claimed to contain an update for Internet Explorer. The email contained a 28kB big attachment called IE0199.EXE.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The original mail looked like this:

Date: Mon, 25 Jan 1999 20:00:26 -0500
 From: "Microsoft Internet Explorer Support"
 To: "Microsoft Internet Explorer User"
 Subject: Please Upgrade Your Internet Explorer

 Microsoft Corporation

 1 Microsoft Way

 Redmond, WA 98052


Dear Sir/Madam
 As an user of the Microsoft Internet
 Explorer, Microsoft Corporation provides
 you with this upgrade for your web browser.
 It will fix some bugs found in your Internet
 Explorer. To install the upgrade, please save
 the attached file (ie0199.exe) in some folder
 and run it.
 For more information, please visit our
 web site at
 (c) 1995-1998 Microsoft Corporation. All Rights Reserved

When the IE0199.EXE file is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable file (not a DLL) is one of the standard Windows file.

The trojan then registers the MPREXE.DLL file in the system to force the system to run this file on each reboot. The registration is done depending on the Windows version either in the system registry, or in the SYSTEM.INI file in [boot] section in the "drivers=" string. The MPREXE.DLL file is pointed as auto-executed.

When executed the MPREXE.DLL file just executes the SNDVOL.EXE file and exits. The SNDVOL.EXE file enables auto-dialing by changing the system registry Internet options, randomly selects one of three Bulgarian Web servers (,,, connects them and sleeps for some time. The trojan does not perform any other actions.

As a result, the trojan causes lots of network traffic both inside the infected company and at the Bulgarian servers. The trojan has probably been written to cause denial-of-service attacks for the Bulgarian systems.



This is the same trojan as described above, but it has been distributed with different names - and within different emails. Here's one sample email:


Sat, 6 Mar 1999 07:24:32 +0200 (EET)


Lidia Steward





 Look at the photos we talked about. I have archived them with WinZip.


 Attachment: pho.exe

Apparently, such messages have been sent to thousands of unsuspecting internet users with a mass-mailing program. The pho.exe file is a extracting executable that will drop the same AntiBTC trojan as described above.

Do not open email attachments sent by strangers.

Peace of mind against online threats

F-Secure Total is a security suite that protects all your phones and computers in real time, 24/7 and with award-winning accuracy. Read more about Total and try it free for 30 days, no credit card required.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.