Category :


Type :


Aliases :



The Barok password stealing trojan was spread by the LoveLetter Internet worm from four different accounts on a SkyInet webserver.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Barok password stealing trojan was spread by the LoveLetter Internet worm from 4 different accounts on SkyInet webserver.F-Secure AV Research contacted administrators of that server and all the accounts that were spreading the trojan were deleted by 1:00pm GMT, May 4th, 2000.

Barok password stealing trojan is configurable - i.e. it can be configured to use any resolvable smtp server, any email address and any installation filename and any Registry key name.The first discovered version of this password stealing trojan tries to find a hidden window named 'BAROK...' on its startup. If it is present, the trojan exits immediately, otherwise the main routine takes control. The trojan checks for the WinFAT32 subkey in the following Registry key:


If the WinFAT32 subkey key is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and runs the file from that location. The above modification of the registry key activates the trojan every time Windows starts.Then the trojan sets Internet Explorer startup page to 'about:blank'. After that the trojan tries to find and delete the following keys:

  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  • .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching

Then the trojan registers a new window class, creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application.Immediately after startup (and if the Internet connection is present) or when timer counters reach certain values, the trojan loads the MPR.DLL library, calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to '' email address that most likely belongs to the trojan's author. The trojan uses the '' mail server to send emails.

The subject of these emails is 'Barok... email.passwords.sender.trojan'. The trojan also sends the host name, the username and the IP address of the victim in this email.Author's copyright message can be found inside the trojan's body: barok ...i hate go to school suck -> by:spyder @Copyright (c) 2000 GRAMMERSoft Group > Manila,Phils.In addition, there are some encrypted text messages in the trojan's body which it uses for its own purposes.

Peace of mind against online threats

F-Secure Total is a security suite that protects all your phones and computers in real time, 24/7 and with award-winning accuracy. Read more about Total and try it free for 30 days, no credit card required.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.