Name:  Internal
Aliases:  Win32.Internal.trojan
Variants:  
Type:  Trojan
Platforms: Windows
Status:  not known to be in the wild
Threat:  low
Virus Characteristics
The Win32.Internal trojan collects e-mail addresses stored in files on the victim's hard drive. It saves these addresses to a file and then attempts to send them in an e-mail message. The reason for gathering these e-mail addresses is unknown.
When the trojan is run for the first time, it installs itself in the Windows directory of the victim's machine as internal.exe and adds the following registry value so that it is restarted each time the machine is booted.
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "interna"
Payload
The trojan's payload is delivered in three stages corresponding to the next three times that the machine is rebooted following the trojan's installation. When the machine is rebooted for the first time following installation, the trojan creates the file "vga.dat" which contains a list of filenames found on the hard drive that match certain extensions. These extensions include .htm, .wab, .txt, .mbx, .nab, .eml, .msg and several others. This file is not sent in the e-mail message.
Upon the second reboot after installation, the trojan creates a second file, "vba2.dat", which contains any e-mail addresses found in the files listed in vga.dat. This file is sent in an e-mail message to an address at one of the domains 263.net, elong.net or elong.com.
Both of these files created during the first two reboots are encrypted.
When the machine is rebooted for the third time after installation, the trojan will attempt to connect to the following e-mail servers:
smtp.263.net
smtp.elong.net
smtp.elong.com
After sending the e-mail, the trojan deletes vga.dat and vba2.dat and creates a 4-byte file called bn.chk. If this file exists when the trojan is run, it exits straight away, so it will not send any more e-mail messages.
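As an added defender-side example (not part of the original write-up), the following Python triages one host against the artefacts described above and infers which stage the infection has reached. Reading the live registry and Windows directory is left out so the function can run anywhere: it takes the Run-key values and the directory listing as plain dicts, and the sample data at the bottom is constructed.

```python
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "interna"          # value name the trojan adds under RUN_KEY
DROPPED_EXE = "internal.exe"   # copy written to the Windows directory
STAGE_FILES = {"vga.dat": 1, "vba2.dat": 2, "bn.chk": 3}  # reboot after which each appears
SMTP_HOSTS = {"smtp.263.net", "smtp.elong.net", "smtp.elong.com"}


def triage(run_values, windir_files, smtp_hosts_contacted=()):
    """Return (stage, findings) for one host.

    run_values:           {value_name: command} read from RUN_KEY
    windir_files:         {file_name: size_in_bytes} for the Windows directory
    smtp_hosts_contacted: hostnames seen in outbound SMTP (optional, weak signal)
    stage is 0 (no staged artefacts) or 1-3 as in the description above;
    3 means bn.chk exists, i.e. the mail has already been sent.
    """
    findings = []
    runs = {k.lower(): v for k, v in run_values.items()}
    files = {k.lower(): v for k, v in windir_files.items()}

    if RUN_VALUE in runs:
        findings.append(f"{RUN_KEY}\\{RUN_VALUE} = {runs[RUN_VALUE]}")
    if DROPPED_EXE in files:
        findings.append(f"{DROPPED_EXE} present in Windows directory")

    # vga.dat and vba2.dat are encrypted, so presence, not content, is the signal;
    # bn.chk replaces both once the mail has gone out and is exactly 4 bytes.
    stage = 0
    for name, n in STAGE_FILES.items():
        if name in files:
            stage = max(stage, n)
            findings.append(f"{name} present ({files[name]} bytes)")
    if "bn.chk" in files and files["bn.chk"] != 4:
        findings.append("bn.chk size differs from the documented 4 bytes (weak match)")

    # The SMTP hosts are ordinary public mail services; on their own they prove nothing.
    for host in sorted(SMTP_HOSTS & {h.lower() for h in smtp_hosts_contacted}):
        findings.append(f"outbound SMTP to {host} (corroborating only)")
    return stage, findings


if __name__ == "__main__":
    # Constructed sample: a host after its third reboot, mail already sent.
    sample_run = {"interna": r"C:\WINDOWS\internal.exe", "ctfmon.exe": "ctfmon.exe"}
    sample_files = {"internal.exe": 40960, "bn.chk": 4, "win.ini": 512}
    stage, findings = triage(sample_run, sample_files, ["smtp.263.net"])
    print(f"stage={stage}")
    for line in findings:
        print(" -", line)
```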