This trojan was sent to several newsgroups in August 1998. It was also mailed directly to thousands of people with a spam email program. The email message presented the trojan as a file named IE080898.EXE and claimed it was a security update for Internet Explorer.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The faked spam message looked like it was coming from Microsoft:
From: IEsupport@microsoft.com (Microsoft Internet Explorer Support)
Date: 08/07/98 03:40:04 PM
Subject: FREE! Your upgrade for Microsoft Internet Explorer

As user of Microsoft Internet Explorer Microsoft Corporation
provide you an upgrade for your Microsoft Internet Explorer.
Please run Ie080898.exe to install the upgrade. This file will
fix some serious bugs in your Internet Explorer.

For more information please visit Microsoft Internet Explorer
Home Page at: http://www.microsoft.com/ie/

Attachment: Ie080898.exe
In fact, the original email message was sent from Bulgaria.
When executed, the trojan installs itself as part of the Windows system and then randomly sends email messages to the Internet. These messages go to a fixed list of addresses, evidently to irritate their owners.
The trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet.
When run for the first time, the trojan only installs itself in the system: it copies itself to the Windows system directory under the name SHELL32.EXE and registers itself in the system Registry under HKEY_LOCAL_MACHINE:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run shell32.exe
The trojan then terminates with no other side effects. After the next reboot the trojan stays resident in Windows memory as a hidden task; it sleeps, then periodically initialises the Windows Sockets API and opens a TCP/IP stream socket to send its messages.
The messages have randomly selected sender addresses, recipients, subjects and body text. The "Mail From" address is randomly constructed by taking one word from each of the following four groups and combining them as <1>@<2>.<3>.<4>:
1: bulgaria badsector hacker omega vali-pedali eunet digsys
2: main vt linux aix unix mail www host abc server veliko-tar
3: prodigy compuserve kurva putka gerry tetra europe amstel usa
4: com edu org mil gov net bg tr gr uk ca ro jp
For example, bulgaria@main.prodigy.com
The recipient address is randomly selected from these:
gerry@tetra.bg
administrator@tetra.bg
tetranet@tetra.bg
root@vt.bitex.com
peterc@vt.bitex.com
ivanp@vt.bitex.com
root@tarnovo.eunet.bg
master@tarnovo.eunet.bg
webmaster@tarnovo.eunet.bg
root@server.vt.bia-bg.com
webmaster@mail.vt.bia-bg.com
webmaster@tetra.bg
The subject is randomly selected from these variants:
Ha-ha-ha Bad Sector wi razkaza igrata :)) Greetings from Bad Sector ! Po-zdrawi Vleze li wi sega? Re Hi, kak e? Ko staa, ima problemi li Bad Sector Kogato grum udari...
The sentences of the message body are randomly assembled from a large set of verbs, words and sub-sentences. Some of these are vulgar, and most are written in Bulgarian.
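Because the sender address is assembled from fixed word lists and the recipients are hard-coded, outbound mail from an infected host is easy to spot in a relay log. The following is an added detection example (not part of the original description, and not F-Secure code): it checks whether a sender address has exactly the generator's <1>@<2>.<3>.<4> shape using the four word groups above, and scans constructed sample log lines whose format (from=<...> to=<...>) is an assumption.

```python
import re

# Word lists from the analysis: group 1 is the local part, groups 2-4 are the
# three labels of the domain, combined by the trojan as <1>@<2>.<3>.<4>.
SENDER_PARTS = [
    {"bulgaria", "badsector", "hacker", "omega", "vali-pedali", "eunet", "digsys"},
    {"main", "vt", "linux", "aix", "unix", "mail", "www", "host", "abc", "server", "veliko-tar"},
    {"prodigy", "compuserve", "kurva", "putka", "gerry", "tetra", "europe", "amstel", "usa"},
    {"com", "edu", "org", "mil", "gov", "net", "bg", "tr", "gr", "uk", "ca", "ro", "jp"},
]

# Recipient list hard-coded in the trojan, as given in the analysis.
TARGET_RECIPIENTS = {
    "gerry@tetra.bg", "administrator@tetra.bg", "tetranet@tetra.bg",
    "root@vt.bitex.com", "peterc@vt.bitex.com", "ivanp@vt.bitex.com",
    "root@tarnovo.eunet.bg", "master@tarnovo.eunet.bg", "webmaster@tarnovo.eunet.bg",
    "root@server.vt.bia-bg.com", "webmaster@mail.vt.bia-bg.com", "webmaster@tetra.bg",
}

def is_generated_sender(addr):
    """True only if addr has the exact shape the trojan's generator produces:
    one local-part word and exactly three domain labels, each from its own group."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    labels = domain.split(".")
    if len(labels) != 3:
        return False
    return all(p in group for p, group in zip([local, *labels], SENDER_PARTS))

# Constructed sample relay log (hypothetical format, not from the original page).
SAMPLE_LOG = """\
1998-08-10 12:01:03 from=<bulgaria@main.prodigy.com> to=<gerry@tetra.bg> status=sent
1998-08-10 12:01:09 from=<alice@example.com> to=<bob@example.org> status=sent
1998-08-10 12:02:41 from=<hacker@www.usa.net> to=<root@vt.bitex.com> status=sent
1998-08-10 12:03:15 from=<hacker@www.usa.net> to=<someone@example.com> status=sent
"""

LINE_RE = re.compile(r"from=<([^>]*)> to=<([^>]*)>")

def scan_mail_log(text):
    """Return (line_no, sender, recipient, recipient_is_target) for every line whose
    sender matches the generator pattern; the last field marks a known target, i.e.
    a high-confidence hit rather than a coincidental word-list match."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if m and is_generated_sender(m.group(1)):
            rcpt = m.group(2).strip().lower()
            hits.append((n, m.group(1), rcpt, rcpt in TARGET_RECIPIENTS))
    return hits
```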