Date: Thu, 28 Jan 1999 20:12:39 -0500
From: Mark E. Duck <duck@AQUASCAPE.COM>
To: BUGTRAQ@netspace.org
Subject: E-mailed Trojan


There is a trojan horse circulating the Internet as an attachment in email
with a spoofed email address of Microsoft Corporation. It contains an
announcement and an attachment that is supposedly targeted at registered
users of MS Internet Explorer. A copy of the email was not available for
examination, but the attachment was. The attachment is called ie0199.exe and
is represented as a HOTFIX for IE.

When executed it deletes sndvol32.exe from the %SystemRoot%\System32
directory, installs %SystemRoot%\System\sndvol.exe, creates a registry key
value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Default with a
value of %SystemRoot%\System\sndvol.exe. This key causes execution of
sndvol.exe after logging into the system. This is malicious code that
continually half opens TCP connections on various ports to www1.infotel.bg.

You must delete %SystemRoot%\System\sndvol.exe, terminate the running
sndvol.exe process, remove the key (see above), and restore
%SYSTEMROOT%\System32\sndvol32.exe with a known good copy (if required) to
remove the trojan.

Thanks go out to ET, Ranger Rick, Homer, and Raz for their assistance on
tracking this down and helping me kill it. Public attribution of the authors
of this report is acceptable and expected.

Mark E. Duck, Owner
AquaScape, Internet Services  http://www.aquascape.com
"Those who desire to give up Freedom, to gain Security, will not, and do not
deserve, either." -- Thomas Jefferson