Threat Description



Aliases: Backdoor:W32/Ptsnoop, Backdoor.Ptsnoop
Category: Malware
Type: Backdoor
Platform: W32


A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Ptsnoop is a simple backdoor program written in Visual Basic. Please note that certain software packages for certain modems contain PTSNOOP.EXE files, but these are not trojans. If you are not sure if that file is a trojan or not, use F-Secure Anti-Virus to check it out.


When activated it first looks for active RAS connections and exits immediately if none is found. If a connection is present, the backdoor installs itself to system by copying itself as PTSNOOP.EXE file to \Windows\System\ directory and modifying WIN.INI file. The backdoor adds its execution string after LOAD= variable in [Windows] section of WIN.INI file. During this operation, the WIN.INI file is copied to the WIN.ANA file. The backdoor's execution string is then added and WIN.INI file is deleted. Then WIN.ANA file is renamed to WIN.INI file. This way the backdoor will become active every time Windows starts.


Being active the backdoor tries to connect to the following websites:


When the connection succeeds, the backdoor clips cursor to a certain area and allows a hacker or script on these websites to control mouse movement and window positions. It is not clear why this is done and it is impossible to check any more because the contents of the above mentioned websites were changed or removed. The idea might have been to make a user click on certain areas of a website to download or run a script or binary from there. In any case, this backdoor should be deleted from a system and WIN.INI file should be cleaned from backdoor's execution string after LOAD= variable.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More