Trood is a worm that spreads as an email attachment. The worm itself is a Windows executable (.EXE file) about 10 KB in length. It is able to infect Windows 9x systems only.
When the worm is activated (executed by a user from an attached file), it installs itself into the system and displays a fake message with the caption "Windows TCP/IP Update":
The system doesn't need an update. Latest version of TCP/IP already present.
To force Windows to run the worm at the next reboot, the worm copies itself into the Windows system directory under the name SYSTRAY.EXE. Because that file is normally registered in the registry auto-run (Run) key, the worm code is activated at each Windows restart instead of the original SYSTRAY program.
SYSTRAY.EXE is usually running, and Windows therefore keeps it locked against writing. To get around this, the worm performs the replacement through a WININIT.INI file: Windows 9x processes the [rename] section of that file at the next boot, before the shell starts, which is the standard way to move or overwrite a file that is in use.
To hand control back to the original SYSTRAY, the worm renames the original file SYSTRAY.SYS during installation. When the installation routine is complete, the worm runs SYSTRAY.SYS, so the original SYSTRAY program starts as usual.
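The WININIT.INI mechanism described above leaves a file-system trace that can be checked before the reboot that carries out the replacement. The following checker is an added example and not code from the original page or from the worm itself: it parses the [rename] section of a WININIT.INI file (destination on the left, source on the right, NUL as destination meaning delete) and flags any operation that moves aside or overwrites a program in the system directory that is normally started from the Run key. The sample file contents, the list of auto-run program names other than SYSTRAY.EXE, and the default system directory are constructed assumptions for the example.

```python
"""Flag [rename] entries in a Windows 9x WININIT.INI that displace an auto-run program.

Windows 9x processes the [rename] section of WININIT.INI at the next boot, before
the shell loads, so it is the standard way to replace a file that is locked while
Windows is running.  Each line is one operation, destination on the left:

    destination=source      (move source to destination)
    NUL=source              (delete source)

A worm that swaps itself in for a program started from the registry Run key leaves
entries whose source or destination is that program in the system directory.
This checker is an added example and not code from the original page; the sample
file contents and the list of auto-run names are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed sample: a benign temp-file cleanup, then the two moves that park the
# real SYSTRAY.EXE as SYSTRAY.SYS and put an attacker-supplied file in its place.
SAMPLE_WININIT_INI = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\SETUP.TMP
C:\\WINDOWS\\SYSTEM\\SYSTRAY.SYS=C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE
C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE=C:\\WINDOWS\\TEMP\\TCPIPUPD.EXE
"""

# Programs commonly started from the Run key on a Win9x box.  SYSTRAY.EXE is the one
# this worm targets; the other names are assumptions for the example.
AUTORUN_NAMES = {"SYSTRAY.EXE", "EXPLORER.EXE", "TASKMON.EXE"}


@dataclass(frozen=True)
class RenameOp:
    destination: str  # "NUL" means the source is deleted
    source: str


def parse_rename_section(text: str) -> list[RenameOp]:
    """Return the [rename] operations in file order.

    A hand-rolled parser is used instead of configparser because the keys are
    paths containing ':' (a default configparser delimiter) and the NUL key may
    repeat, which configparser rejects as a duplicate option.
    """
    ops: list[RenameOp] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        ops.append(RenameOp(dest, src))
    return ops


def suspicious_ops(
    ops: list[RenameOp], system_dir: str = r"C:\WINDOWS\SYSTEM"
) -> list[tuple[RenameOp, str]]:
    """Return (operation, reason) pairs for moves that touch an auto-run program
    in the system directory, either moving it aside or overwriting it."""
    sysdir = ntpath.normcase(system_dir)  # lower-case, backslash-normalised
    findings: list[tuple[RenameOp, str]] = []
    for op in ops:
        src_dir, src_name = ntpath.split(ntpath.normcase(op.source))
        dst_dir, dst_name = ntpath.split(ntpath.normcase(op.destination))
        if src_dir == sysdir and src_name.upper() in AUTORUN_NAMES:
            findings.append((op, f"{src_name.upper()} is moved aside to {op.destination}"))
        elif dst_dir == sysdir and dst_name.upper() in AUTORUN_NAMES:
            findings.append((op, f"{dst_name.upper()} is replaced by {op.source}"))
    return findings


if __name__ == "__main__":
    for op, reason in suspicious_ops(parse_rename_section(SAMPLE_WININIT_INI)):
        print(f"{op.destination}={op.source}: {reason}")
```

Run against the constructed sample, the checker reports both the move of SYSTRAY.EXE to SYSTRAY.SYS and the move of TCPIPUPD.EXE over SYSTRAY.EXE, while the temp-file deletion passes. On a real system the file to read is WININIT.INI in the Windows directory, and the system directory argument should match the installation being checked.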
The worm stays resident in Windows memory, registers itself as a hidden application (service), then copies a block of its code into the Win9x system area (as a VxD driver) and hooks the TDI (Transport Driver Interface) functions responsible for opening connections and sending data. The spreading routine therefore does not depend on any particular mail client and works with mail clients of any type, because the worm intercepts the transport protocols in the same way that personal firewall utilities do.
The worm then monitors all messages sent over the SMTP protocol. If a message has no attached file, the worm appends its own file as an attachment named TCPIPUPD.EXE.
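Because the attachment is inserted at the transport layer, below the mail client, the message on the wire differs from the one the user composed, so a mail gateway has to inspect the message as transmitted. The scanner below is an added example, not code from the original page or from the worm: it takes an RFC 822 message as text and reports attachments that match the worm's attachment name, carry an executable extension, or start with the MZ signature of a DOS/PE executable hidden under another extension. The sample messages, the fake executable bytes and the extension block list are constructed assumptions for the example.

```python
"""Find the attachment this worm adds to outgoing SMTP messages.

Because the worm inserts TCPIPUPD.EXE at the transport (TDI) layer, below the mail
client, the message on the wire differs from the one the user composed.  A mail
gateway must therefore inspect the message as transmitted.  The scanner below takes
an RFC 822 message as text and reports attachments that are executable by name,
by extension, or by the MZ magic of a DOS/PE file hidden under another extension.
Added example, not code from the original page; the messages and the fake
executable bytes are constructed, and the extension list is an assumption.
"""
from __future__ import annotations

import os
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

WORM_ATTACHMENT_NAME = "TCPIPUPD.EXE"
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat"}  # assumed block list

# Constructed stand-in for the worm body: only the "MZ" signature matters here.
FAKE_EXE = b"MZ" + b"\x90" * 62


def make_message(attachment: tuple[str, bytes] | None = None) -> str:
    """Build a constructed sample message, optionally with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "hello"
    msg.set_content("Just text.")
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


def find_executable_attachments(raw: str) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment that should be blocked."""
    msg = message_from_string(raw, policy=default)
    hits: list[tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:  # inline body text, not an attachment
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        if name.upper() == WORM_ATTACHMENT_NAME:
            hits.append((name, "attachment name used by the worm"))
        elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            hits.append((name, "executable extension"))
        elif payload[:2] == b"MZ":
            hits.append((name, "MZ header: executable under another extension"))
    return hits


if __name__ == "__main__":
    for label, raw in [
        ("composed", make_message()),
        ("on the wire", make_message((WORM_ATTACHMENT_NAME, FAKE_EXE))),
        ("renamed", make_message(("readme.txt", FAKE_EXE))),
    ]:
        print(label, find_executable_attachments(raw))
```

The name check alone would catch this particular worm; the extension and MZ checks are there because the same hooking technique could just as easily attach the file under another name, and a gateway that only matches TCPIPUPD.EXE would miss that.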
On Saturdays, the worm activates its payload routines: it slowly moves the active application window in a random direction (off the desktop) and, after five minutes, restarts Windows.
The worm's code also contains the text strings:
I-Worm.Win9X.Troodon v1.0 Project Developed by Clau.