Internat.exe and ptsnoop.exe in my msconfig startup, Part 2

Yesterday's Visitor Feedback of the Gazette addressed why two program files (internat.exe and ptsnoop.exe) might be present in the Windows msconfig startup.

To be honest with you, I have never encountered these programs before. The name "internat.exe" seemed to me that it was a purposely misspelled version of the word "Internet" -- most likely misspelled to dupe users into thinking that it was a friendly Internet-related program. In all likelihood, I thought, the program name "internat.exe" could have been a trojan.

I was right. Sort of.

As always, I use Google to sniff for clues when I need to explore possibilities and options. Google pointed in the right direction and provided links to Symantec for the file trojan file internat.exe (also known as PWSteal.Netsnake) and F-Secure for the trojan file ptsnoop.exe.

So far so good.

From the Symantec website, I found that there is a trojan program file called internat.exe which maliciously steals passwords and sends them to the trojan creator. However, I missed the part where the Symantec web site mentions that there is in fact a legitimate file called internat.exe which resides in the %windir%\system directory.

Basim from Iraq writes, "Internat.exe is there in *msconfig.exe* for bilingual machines. The blue small square in the system tray where you can change the language you type in email messages, couldn't be displayed without enabling internat.exe. This applies to bilingual Windows only."

And, to quote from the Symantec web site:

" Please note that there is a legitimate Windows application called %windir%\system\Internat.exe. The Trojan file (also known as internat.exe) is 82.5 KB in length and uses a zip file icon. The "real" Internat.exe is generally about 20 KB in length with a "?" icon.

NOTE: %windir% is a variable that denotes the folder in which Windows is installed. The normal installation folders are C:\Windows or C:\Winnt. "

So, what do you need to do to make sure that the Internat.exe -- if you have it on your system -- is not the trojan?

From my understanding, an infected system will display "Hello. I'm NetSnake." after a system reboot. If you remember seeing a message like this, the trojan is installed on your system and you need to get rid of it.

Alright -- on to the next problem: ptsnoop.exe

Originally, I found a web page on F-Secure which made mention of another trojan program called ptsnoop.exe, which attempts to connect to a web site (which does not exist any more) and tries to take control of mouse movement and window positioning. Once again, I missed the very last paragraph on this page which makes note of a legitimate program called ptsnoop.exe.

David G. sent me his thoughts:

" There is a legitimate program called Ptsnoop.exe, which is related to modem technology. It may interfere with running some programs. For example: PTSNOOP.EXE Interferes with Installation and Running of REALHELP At the bottom of this page is the notation. PTSNOOP is a token program that waits for a program to request the COM port to be opened. Then it makes sure that the modem drivers get loaded if they are not.

PTSNOOP can be found with several different modems, such as the MICOM HSP PCTEL and EPS Technology COMM WAVE PCMCIA modems. It is not mandatory for proper operation, and the manufacturers list removal of PTSNOOP in various steps of their troubleshooting procedures.

I believe the confusion about a Trojan may have come from the existence of a Trojan named "Backdoor.ptsnoop." (e.g. see discussions, Computing.Net - PTSnoop.exe was killing my computer... or; Re: PTsnoop....what is it? - www.ezboard.com). "

That summed it up nicely. Thank you, David.