Threat Description

AntiBTC

Details

Aliases: AntiBTC, IE0199, SNDVOL
Category: Malware
Type:
Platform: W32

Summary


A trojan named ie0199.exe was mailed to a large group of recipients in January 1999. The spammed messages were faked to look as if they came from Microsoft and claimed to contain an update for Internet Explorer. The e-mail carried a 28 kB attachment called IE0199.EXE.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


The original mail looked like this:

Date: Mon, 25 Jan 1999 20:00:26 -0500
From: "Microsoft Internet Explorer Support" IEsupport@microsoft.com
To: "Microsoft Internet Explorer User"
Subject: Please Upgrade Your Internet Explorer

Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052
US

Dear Sir/Madam

As an user of the Microsoft Internet
Explorer, Microsoft Corporation provides
you with this upgrade for your web browser.
It will fix some bugs found in your Internet
Explorer. To install the upgrade, please save
the attached file (ie0199.exe) in some folder
and run it.

For more information, please visit our
web site at www.microsoft.com/ie/
--------------------------------------------------------
(c) 1995-1998 Microsoft Corporation. All Rights Reserved

When the IE0199.EXE file is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable (an EXE, not a DLL) is one of the standard Windows files; the dropped MPREXE.DLL borrows its name.

The trojan then registers the MPREXE.DLL file so that the system runs it on each reboot. Depending on the Windows version, the registration is made either in the system registry or in the "drivers=" line of the [boot] section of SYSTEM.INI, where MPREXE.DLL is listed as a driver to be started automatically.
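A defender-side check for the SYSTEM.INI persistence described above, added here as an example (it is not F-Secure's code or part of the original analysis). It parses the [boot] section, reads the "drivers=" entries and flags any that name a file the trojan drops; the comparison is by basename and extension, so the legitimate MPREXE.EXE is not flagged. The registry variant of the registration is not covered, because the page does not give the key used. The SYSTEM.INI fragments are constructed samples, not taken from an infected machine.

```python
import ntpath

# File names the trojan drops into the Windows system directory (from the analysis above).
DROPPED_FILES = {"MPREXE.DLL", "SNDVOL.EXE"}


def boot_drivers(system_ini_text: str) -> list[str]:
    """Return the whitespace-separated entries of 'drivers=' in the [boot] section.

    A small purpose-built parser is used rather than configparser, because a
    SYSTEM.INI may contain lines without '=' that configparser would reject.
    """
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "drivers":
                return value.split()
    return []


def flag_drivers(system_ini_text: str) -> list[str]:
    """Return the drivers= entries whose basename is one of the dropped files.

    Only the basename is compared, case-insensitively, so both 'MPREXE.DLL' and
    'C:\\WINDOWS\\SYSTEM\\mprexe.dll' match, while the legitimate MPREXE.EXE does not.
    """
    return [entry for entry in boot_drivers(system_ini_text)
            if ntpath.basename(entry).upper() in DROPPED_FILES]


# Constructed sample SYSTEM.INI fragments (hypothetical, for demonstration only).
SAMPLE_INFECTED = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll power.drv MPREXE.DLL
[386Enh]
device=*vmcpd
"""
SAMPLE_CLEAN = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll power.drv
"""

if __name__ == "__main__":
    print("infected:", flag_drivers(SAMPLE_INFECTED))  # ['MPREXE.DLL']
    print("clean:   ", flag_drivers(SAMPLE_CLEAN))     # []
```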

When executed, the MPREXE.DLL file simply launches SNDVOL.EXE and exits. The SNDVOL.EXE file enables auto-dialing by changing the Internet options in the system registry, randomly selects one of three Bulgarian web servers (www.btc.bg, www.infotel.bg, ns.infotel.bg), connects to it and sleeps for some time. The trojan performs no other actions.

As a result, the trojan generates a large amount of network traffic, both inside the infected organization and at the Bulgarian servers. It was probably written to mount a denial-of-service attack against the Bulgarian systems.


Variant: PHO.EXE, PHOTOS17.EXE

This is the same trojan as described above, but it has been distributed under different names and in different e-mails. Here is one sample e-mail:

Date:          Sat, 6 Mar 1999 07:24:32 +0200 (EET)
From:          Lidia Steward LidiaSt27@aol.com
To:            friends
Subject:       photos

Hi,

Look at the photos we talked about. I have archived them with WinZip.

Lidia

Attachment: pho.exe

Apparently, such messages have been sent to thousands of unsuspecting Internet users with a mass-mailing program. The pho.exe file is a self-extracting executable that drops the same AntiBTC trojan as described above.

Do not open e-mail attachments sent by strangers.





Description Details: Analysis: Mikko Hypponen, Peter Szor, F-Secure, 1999

