Trood is a worm that spreads attached to e-mails. The worm itself is a Windows application (EXE file) about 10 KB in length. The worm is able to infect Windows 9x systems only.
When the worm is activated (executed by a user from a attached file), it installs itself to the system and displays a fake message:
Windows TCP/IP Update The system doesn't need an update. Latest version of TCP/IP already present.
The worm stays in the Windows memory, registers itself as a hidden application (service), then copies a block of its code to the Win9x system area (as a VxD driver), and hooks TDI (Transport Driver Interface) functions that are responsible for connection and data sending (i.e., the worm spreading routine does not depend on the e-mailer, and is able to infect e-mailers of any type). So, the worm hooks transport protocols similar to firewall utilities.
The worm then monitors all messages that are being sent by SMTP protocol. If a message has no attached file(s), the worm appends its own file as an attachment with a TCPIPUPD.EXE name.
To force Windows to run the worm upon the next reboot, the worm copies itself to the Windows system directory with a SYSTRAY.EXE name. As that file usually is registered in the system registry auto-run key, the worm code is activated upon each Windows restart instead of the original SYSTRAY.
The SYSTRAY.EXE is usually active, and locked for writing by Windows as a result. To avoid this, the worm replaces files by using a WININIT.INI file.
To release control to an original SYSTRAY file, the worm, while installing, renames it with a SYSTRAY.SYS name. When the installing worm's routine is complete, it runs this SYSTRAY.SYS file, and the original SYSTRAY program starts.
On Saturdays, the worm activates its payload routines that slowly move an active application window to a random direction (outside the desktop), and in five minutes, restarts Windows.
The worm code also contains the text strings:
I-Worm.Win9X.Troodon v1.0 Project Developed by Clau.