Trojans are malicious applications that pose as legitimate software in order to trick users into installing them. Once on the victim's machine, a Trojan may run any number of malicious processes to steal vital information or damage other software.
This Trojan arrives as an executable file (the sample we received was named IE0199.EXE). When it is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable file (not a DLL) is one of the standard Windows files.
The Trojan then registers the MPREXE.DLL file so that the system runs it upon each reboot. Depending on the Windows version, the registration is made either in the system registry or in the SYSTEM.INI file, in the "drivers=" string of the [boot] section, where the MPREXE.DLL file is listed as auto-executed.
When executed, the MPREXE.DLL file just runs the SNDVOL.EXE file and exits. The SNDVOL.EXE file enables auto-dialing by changing the Internet options in the system registry, randomly selects one of three Bulgarian Web servers (www.btc.bg, www.infotel.bg, ns.infotel.bg), connects to it and sleeps for some time. The Trojan does not perform any other actions.
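A triage check for the SYSTEM.INI registration and the two dropped files described above, as an added example that is not part of the original description. The sample SYSTEM.INI text and directory listing are constructed, the function names are hypothetical, and the registry variant is left out because the description does not name the key.

```python
import ntpath
import re

# File names taken from the description above.
DROPPED_FILES = {"mprexe.dll", "sndvol.exe"}
AUTORUN_DLL = "mprexe.dll"

# Constructed sample data, not taken from a real machine.
INFECTED_INI = """[boot]
drivers=mmsystem.dll power.drv MPREXE.DLL
[386Enh]
device=*vshare
device=*vcd
"""
CLEAN_INI = INFECTED_INI.replace(" MPREXE.DLL", "")
SYSTEM_DIR_LISTING = [
    r"C:\WINDOWS\SYSTEM\MPREXE.EXE",  # standard Windows file, must not match
    r"C:\WINDOWS\SYSTEM\MPREXE.DLL",
    r"C:\WINDOWS\SYSTEM\SNDVOL.EXE",
]

def boot_drivers(ini_text):
    """Return the entries on the drivers= line of the [boot] section.

    Parsed by hand: SYSTEM.INI repeats keys (device= in [386Enh]), which
    configparser rejects in its default strict mode."""
    section, entries = None, []
    for line in (raw.strip() for raw in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "drivers":
                entries += [e for e in re.split(r"[,\s]+", value) if e]
    return entries

def suspicious_drivers(ini_text):
    """Entries in [boot] drivers= whose file name is MPREXE.DLL."""
    return [e for e in boot_drivers(ini_text)
            if ntpath.basename(e).lower() == AUTORUN_DLL]

def dropped_files_present(paths):
    """Paths whose file name matches one of the two dropped files."""
    return sorted(p for p in paths if ntpath.basename(p).lower() in DROPPED_FILES)

if __name__ == "__main__":
    print("autorun entries:", suspicious_drivers(INFECTED_INI))
    print("dropped files:  ", dropped_files_present(SYSTEM_DIR_LISTING))
```

Matching is done on the full file name, case-insensitively, so the standard MPREXE.EXE is never reported.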