Internat.exe and ptsnoop.exe in my msconfig startup, Part 2
Category: Windows
by Dennis Faas, infopackets editor
http://www.infopackets.com
Yesterday's Visitor Feedback of the Gazette addressed why two program files
(internat.exe and ptsnoop.exe) might be present in the Windows msconfig
startup.
To be honest with you, I have never encountered these
programs before. It seemed to me that the name "internat.exe" was a
purposely misspelled version of the word "Internet" -- most likely
misspelled to dupe users into thinking that it was a friendly Internet-related
program. In all likelihood, I thought, the program name "internat.exe"
could have been a trojan.
I was right. Sort of.
As always, I use Google to sniff for
clues when I need to explore possibilities and options. Google pointed
in the right direction and provided links to Symantec for the trojan file
internat.exe (also known as PWSteal.Netsnake) and F-Secure for the trojan
file ptsnoop.exe.
So far so good.
From the Symantec website, I found that there is a trojan program file called internat.exe which maliciously steals passwords and sends them to the trojan
creator.
However, I missed the part where the Symantec web site mentions that there is in fact a legitimate file called internat.exe which resides in the
%windir%\system directory.
Basim from Iraq writes, "Internat.exe is there in *msconfig.exe* for
bilingual machines. The blue small square in the system tray where you can
change the language you type in email messages, couldn't be displayed
without enabling internat.exe. This applies to bilingual Windows only."
And, to quote from the Symantec web site:
"Please note that there is a legitimate Windows application called
%windir%\system\Internat.exe. The Trojan file (also known as internat.exe)
is 82.5 KB in length and uses a zip file icon. The "real" Internat.exe is
generally about 20 KB in length with a "?" icon.
NOTE: %windir% is a variable that denotes the folder in which
Windows is installed. The normal installation folders are C:\Windows or
C:\Winnt."
So, what do you need to do to make sure that the Internat.exe -- if you
have it on your system -- is not the trojan?
From my understanding, an infected system will display "Hello. I'm NetSnake." after a system reboot. If you remember seeing a message
like this, the trojan is installed on your system and
you need to get rid of it.
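The location and size indicators from the Symantec note quoted above can also be checked against a listing of startup entries. This is an added example, not code from infopackets or Symantec; the function names, the 15-25 KB reading of "about 20 KB", the 1 KB tolerance and the sample entries are assumptions made for illustration, and the icon cannot be checked from a path-and-size listing.

```python
import ntpath
import re

# Indicators from the Symantec note quoted above.
TROJAN_SIZE = int(82.5 * 1024)             # "82.5 KB in length"
LEGIT_SIZE_RANGE = (15 * 1024, 25 * 1024)  # assumption: "about 20 KB" read as 15-25 KB
TROJAN_TOLERANCE = 1024                    # assumption: slack for rounding in the note


def expand_windir(path, windir):
    """Replace a leading %windir% (any case) with the actual Windows folder."""
    return re.sub(r"(?i)^%windir%", lambda _m: windir, path)


def triage_internat(path, size_bytes, windir=r"C:\Windows", system_subdir="system"):
    """Classify one startup entry; returns (verdict, reasons)."""
    full = ntpath.normcase(ntpath.normpath(expand_windir(path, windir)))
    if ntpath.basename(full) != "internat.exe":
        return "not-internat", []
    expected_dir = ntpath.normcase(ntpath.normpath(ntpath.join(windir, system_subdir)))
    reasons = []
    if ntpath.dirname(full) != expected_dir:
        reasons.append("not in %windir%\\" + system_subdir)
    if abs(size_bytes - TROJAN_SIZE) <= TROJAN_TOLERANCE:
        reasons.append("size matches the 82.5 KB trojan")
    if reasons:
        return "suspicious", reasons
    low, high = LEGIT_SIZE_RANGE
    if low <= size_bytes <= high:
        return "consistent-with-legitimate", []
    # Right folder, but the size fits neither description: worth a closer look.
    return "needs-review", ["size is not about 20 KB"]


# Constructed sample entries (path, size in bytes); not taken from a real system.
SAMPLE_ENTRIES = [
    (r"%WINDIR%\SYSTEM\INTERNAT.EXE", 20480),
    (r"C:\Windows\internat.exe", 84480),
    (r"C:\Windows\System\internat.exe", 84480),
    (r"C:\Windows\System\internat.exe", 40000),
    (r"C:\Windows\System\ptsnoop.exe", 30000),
]

if __name__ == "__main__":
    for entry_path, entry_size in SAMPLE_ENTRIES:
        verdict, why = triage_internat(entry_path, entry_size)
        print(f"{entry_path} ({entry_size} bytes): {verdict} {why}")
```

A "consistent-with-legitimate" verdict only means the name, folder and size agree with Symantec's description of the real file; it is not proof that the file is clean.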
Alright -- on to the next problem: ptsnoop.exe
Originally, I found a web page on F-Secure which made mention of another
trojan program called ptsnoop.exe, which attempts to connect to a web
site (which does not exist any more) and tries to take control of mouse
movement and window positioning. Once again, I missed the very last
paragraph on this page which makes note of a legitimate program called
ptsnoop.exe.
David G. sent me his thoughts:
"There is a legitimate program called Ptsnoop.exe, which is related to
modem technology.
It may interfere with running some programs.
For example: PTSNOOP.EXE Interferes with Installation and Running of
REALHELP. At the bottom of this page is the notation: PTSNOOP is
a token program that waits for a program to request the COM port to be
opened. Then it makes sure that the modem drivers get loaded if they are
not.
PTSNOOP can be found with several different modems, such as the MICOM HSP
PCTEL and EPS Technology COMM WAVE PCMCIA modems. It is not mandatory for
proper operation, and the manufacturers list removal of PTSNOOP in various
steps of their troubleshooting procedures.
I believe the confusion about a Trojan may have come from the existence
of a Trojan named "Backdoor.ptsnoop."
(e.g. see discussions,
Computing.Net - PTSnoop.exe was killing my computer... or;
Re: PTsnoop....what is it? - www.ezboard.com)."
That summed it up nicely. Thank you, David.
The hard lesson learned
While I am sure many of you appreciate that I do put a lot of hard work
and effort into the newsletter, the truth is that I have been under a lot of
pressure to set things straight on the web site (automation and web
re-design). The infopackets Gazette newsletter has a wealth of
information (at least, that's what I'm told by a lot of readers that email
me!) -- but all the newsletters need to be presented in a coherent manner so that users are
able to retrieve information quickly and efficiently.
And so, for the last 6 weeks, I've been racking my brains and I've been busy
writing my own scripting programs that will automate many
of the dreaded webmaster-ing tasks that I have to deal with on a daily
basis. This takes a lot of time, and I've been focusing heavily on
this aspect.
As a result of my focus on other aspects of the web site, my accuracy has slipped
during the presentation of the last newsletter. I whole-heartedly apologize
for this; at the same time, I would like to thank all of you who sent me
nice emails (not all of them were nice!) to help 'set the record straight'
regarding internat.exe and ptsnoop.exe.
One last note
There's only 1 of me and almost 35,000 of you. But I love to hear
from everyone and I do make an attempt to answer all my emails. In
short, I really love doing this
and wouldn't trade it for the world -- even if the weight on my shoulder is a
bit heavy at times.