Kozog

Classification

Category:

Malware

Type:

Trojan

Aliases:

  • Kozog
  • DDoS_Kozog
  • DDoS.Kozog
  • Kozirog

Summary

Kozog is a Win32 DDoS (Distributed Denial of Service) trojan that was distributed by a hacker (or a group of hackers) in November 2000. The trojan was sent in email messages as an attached file.

Removal

Technical Details

The message text and header looked like this:

--------------------------------------------------------
From: World Travel Agency Ltd. [office4@worldtravel.com]
Sent: November 21, 2000 5:31 PM
To: All tourists and vacationist
Subject: Celebrate the New Millenium!

World Travel Agency Ltd.
359 BTC Drive
P.O. Box 134108
Seattle, WA 98108-23
USA

Dear Sir/Madam

Celebrate the New Millenium!
Discover the Paradise!

We offer the most attractive package for the New Millenium celebrations you have ever seen. Pure nature, modern architecture and high technologies are fused to create the perfect resort. Reasonable prises, correctness, high quality services.

Click on the zip-file below to see our offer!
Make your neighbours envy!

Best Regards,
--------------------------------------------------------

The attached file is meant to look like a ZIP archive, but it is a Windows EXE file with the name:

"OFFER2001.ZIP [many spaces] .EXE"

This is the trojan's "installer", which affects the computer if it is run. Because of the "[spaces]" trick, the file is displayed as a .ZIP file in many cases, and that can tempt a user to open it.
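A mail filter can catch the padded-extension trick described above by looking at attachment filenames instead of at what a mail client displays. The following is an added example, not part of the original description; the list of executable extensions, the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Extensions Windows runs directly (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# "<name>.<shown ext><run of whitespace>.<real ext>"
PADDED = re.compile(
    r"^(?P<shown>.*\.[A-Za-z0-9]{1,4})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,4})\s*$"
)

def check_filename(name):
    """Return a finding if whitespace padding hides an executable extension, else None."""
    m = PADDED.match(name)
    if not m or m.group("real").lower() not in EXECUTABLE_EXTS:
        return None
    return {"filename": name, "shown_as": m.group("shown"),
            "real_ext": m.group("real").lower(), "padding": len(m.group("pad"))}

def scan_message(raw):
    """Check every attachment filename in a raw RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        finding = check_filename(name) if name else None
        if finding:
            findings.append(finding)
    return findings

# Constructed sample: one padded attachment, one ordinary archive.
SAMPLE = "\n".join([
    "From: sender@example.test",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="OFFER2001.ZIP' + " " * 40 + '.EXE"',
    "",
    "placeholder",
    "--b1",
    "Content-Type: application/zip",
    'Content-Disposition: attachment; filename="photos.zip"',
    "",
    "placeholder",
    "--b1--",
    "",
])

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f"{f['shown_as']!r} is really .{f['real_ext']} ({f['padding']} padding chars)")
```
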

When the EXE file (the trojan's installer) is run, it extracts two more executable files from itself and copies them to the Windows system directory with the names:

MRE.DLL
SOUNDV.EXE

Under Win9x and WinNT these files are then registered for automatic startup in different ways. Under WinNT the trojan registers the SOUNDV.EXE file in the system registry:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run soundv.exe

Under Win9x the DLL file is registered in the [boot] section of the SYSTEM.INI file:

drivers=mre.dll

The trojan then displays a fake error message:

Error A requred DLL does not exist.

(original spelling from the trojan's message box).

The SOUNDV.EXE file is the DoS trojan itself. MRE.DLL is a small program that just executes SOUNDV.EXE on each run. As a result, the SOUNDV.EXE component is activated under both Win9x and WinNT.

When this file is run (on the next Windows restart), it stays active as a hidden application (service), enables the auto-dial option in Internet settings, and then performs a DoS attack on the Bulgarian server "kozirog.netissat.net".
