When Backdoor.Mtron is run, it performs the following actions:

1. Creates a mutex "DDF12-5FFE8GT4-F453F4," which allows only one instance of the worm to execute.
2. Copies itself as %System%\MSWinSrv.exe

   Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Adds the value:
   "MSWinSrv" = "%system%\MSWinSrv.exe"
   to the registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Deletes all %CookiesFolder%\*.txt.
5. Records activity in windows that are associated with financial institutions. It searches for open windows that have any of the following strings in the title bar:
   * Netbenefits
   * Fidelity
   * e-gold
   * Citibank
   * Citi
6. Logs keystrokes in these windows, and sends the information to the attacker using IRC.
7. Allows the attacker to download and run files on the infected computer.

To delete the value from the registry

WARNING: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start > Run. (The Run dialog box appears.)
2. Type regedit and then click OK. (The Registry Editor opens.)
3. Navigate to the key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the value:
   "MSWinSrv"="%system%\MSWinSrv.exe"
5. Exit the Registry Editor.
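
The registry check and removal described above, scripted in PowerShell as an added example that is not part of the original write-up: it reports the MSWinSrv Run value and the MSWinSrv.exe file, and deletes the value only when the script's own -Remove switch is given, after exporting the key as a backup. The WOW6432Node and SysWOW64 locations are assumptions for 64-bit Windows, which the write-up does not cover.

```powershell
# Added example (not from the original write-up). Run from an elevated prompt.
# -Remove is a switch defined by this script; without it the script only reports.
param([switch]$Remove)

$valueName = 'MSWinSrv'
$fileName  = 'MSWinSrv.exe'

# Run key from the write-up, plus its 32-bit view on 64-bit Windows (assumption:
# the write-up lists only the first path).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# %System% as resolved on this machine, plus SysWOW64 where it exists (same assumption).
$systemDirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $data = (Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $data) { continue }

    Write-Output "FOUND Run value: $key -> $valueName = $data"
    if ($Remove) {
        # Back up the key first, as the write-up's warning recommends.
        $regPath = $key -replace '^HKLM:', 'HKLM'
        $index   = [array]::IndexOf($runKeys, $key)
        $backup  = Join-Path $env:TEMP ("Run-backup-{0}-{1:yyyyMMddHHmmss}.reg" -f $index, (Get-Date))
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; value not removed." }
        Remove-ItemProperty -LiteralPath $key -Name $valueName
        Write-Output "REMOVED $valueName from $key (backup: $backup)"
    }
}

foreach ($dir in $systemDirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path) {
        # The file is reported with its hash for triage; this script does not delete it.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output "FOUND file: $path SHA256=$hash"
    }
}
```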