Malware Wiki
Trood


Email-Worm.Win32.Trood or Trood is a worm that spreads through email on Microsoft Windows.

Behavior

Trood is a worm that spreads as an attachment to e-mail messages. The worm itself is a Windows application (EXE file) about 10 KB in length. It can only infect Windows 9x systems.

When the worm is activated (executed by a user from an attached file), it installs itself on the system and displays a fake message:

Windows TCP/IP Update

The system doesn't need an update.

Latest version of TCP/IP already present.

Transmission

The worm stays resident in Windows memory, registers itself as a hidden application (service), copies a block of its code into the Win9x system area as a VxD driver, and hooks the TDI (Transport Driver Interface) functions responsible for opening connections and sending data. Because the hook sits at the transport layer, much as a personal firewall's does, the spreading routine does not depend on any particular e-mail client and can piggyback on messages sent by a mailer of any type.

The worm then monitors all messages being sent over SMTP. If a message has no attached file, the worm appends its own file as an attachment named TCPIPUPD.EXE.
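Because the worm injects itself at the transport layer, the artefact a mail gateway or an analyst sees is simply an outgoing message that has gained one executable attachment named TCPIPUPD.EXE. The following check is an added example, not code from the page or from the worm's author: it builds a constructed sample message (with harmless placeholder bytes standing in for the attachment, not the worm's real code) and scans a raw RFC 5322 message for that indicator, falling back to a generic "EXE with an MZ header" finding for attachments under other names.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator taken from the page: the worm appends itself as TCPIPUPD.EXE to
# outgoing SMTP messages that carry no other attachment.
WORM_ATTACHMENT_NAME = "TCPIPUPD.EXE"


def build_sample_message(with_worm: bool) -> bytes:
    """Constructed sample mail; the attachment is placeholder bytes, not worm code."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "lunch?"
    msg.set_content("See you at noon.")
    if with_worm:
        # A DOS 'MZ' header followed by padding: enough to look like a PE stub.
        payload = b"MZ" + b"\x00" * 62
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=WORM_ATTACHMENT_NAME)
    return msg.as_bytes()


def find_indicators(raw: bytes) -> list:
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # walk() visits every MIME part; only parts with a filename are attachments.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if name.upper() == WORM_ATTACHMENT_NAME:
            findings.append(f"attachment named {name} (Trood indicator)")
        elif name.upper().endswith(".EXE") and data[:2] == b"MZ":
            findings.append(f"executable attachment {name}")
    return findings


if __name__ == "__main__":
    for has_worm in (False, True):
        print(has_worm, find_indicators(build_sample_message(has_worm)))
```

A practical caveat when tuning such a rule: the worm only attaches itself when the message has no other attachment, so a hit on a message that already carries a user attachment would point to something other than Trood's TDI hook.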

Activation

To make Windows run the worm on the next reboot, the worm copies itself to the Windows system directory as SYSTRAY.EXE. Because that file is normally registered under the registry auto-run key, the worm is started at each Windows restart in place of the original SYSTRAY.

SYSTRAY.EXE is normally running, so Windows keeps it locked against writing. To get around the lock, the worm performs the file replacement through WININIT.INI, whose [rename] section Windows 9x processes at the next boot, before the files are in use.

To give control back to the original SYSTRAY, the worm renames it to SYSTRAY.SYS during installation. Once the installation routine finishes, the worm runs SYSTRAY.SYS, so the original SYSTRAY program starts normally.
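The WININIT.INI trick leaves a readable trace: a [rename] section in which each line is destination=source (a destination of NUL deletes the source), processed once at boot. The parser and check below are an added example written for this page, not the worm's or Microsoft's code. The sample WININIT.INI content is constructed to mirror the steps described above (move the real SYSTRAY.EXE aside as SYSTRAY.SYS, then drop the worm's copy in its place); the page does not reproduce the worm's actual entries, and the TCPIPUPD.EXE source path is an assumption.

```python
import ntpath

# Auto-run executables that Trood displaces (from the page). A scanner would
# extend this set; SYSTRAY.EXE is the only name the page documents.
WATCHED = {"SYSTRAY.EXE"}

# Constructed sample modelled on the installation steps above; the source
# path of the worm's copy is an assumption, not something the page states.
SAMPLE_WININIT = """; constructed WININIT.INI
[rename]
C:\\WINDOWS\\SYSTEM\\SYSTRAY.SYS=C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE
C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE=C:\\WINDOWS\\TEMP\\TCPIPUPD.EXE
"""


def parse_rename_section(text: str) -> list:
    """Return (destination, source) pairs from the [rename] section, in order.

    Windows 9x applies these once at boot: each line is dest=source, and a
    destination of NUL deletes the source file. Other sections are ignored.
    """
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (s.strip() for s in line.split("=", 1))
            entries.append((dest, src))
    return entries


def flag_autorun_tampering(entries: list, watched=WATCHED) -> list:
    """Flag pending renames that overwrite, move or delete a watched auto-run file."""
    findings = []
    for dest, src in entries:
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name in watched:
            findings.append(f"{dest} will be overwritten by {src} at next boot")
        elif src_name in watched:
            if dest.upper() == "NUL":
                findings.append(f"{src} will be deleted at next boot")
            else:
                findings.append(f"{src} will be moved to {dest} at next boot")
    return findings


if __name__ == "__main__":
    for finding in flag_autorun_tampering(parse_rename_section(SAMPLE_WININIT)):
        print(finding)
```

On a system that has already rebooted, WININIT.INI is consumed and deleted, so the surviving indicator is instead a SYSTRAY.SYS file sitting next to SYSTRAY.EXE in the system directory, with SYSTRAY.EXE being roughly 10 KB rather than the original's size.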

Payload

On Saturdays the worm activates its payload: it slowly moves the active application window in a random direction (off the desktop) and, after five minutes, restarts Windows.

The worm's code also contains the text strings:

I-Worm.Win9X.Troodon v1.0 Project

Developed by Clau.
