Win32/PSW.Wortron.10 [Threat Name]
Win32/PSW.Wortron.10.A [Threat Variant Name]
Detection created: Jul 04, 2002
Signature database version: 1276
Win32/PSW.Wortron.10.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It is able to spread via e-mail. The file is run-time compressed using UPX.
When executed, the trojan copies itself into the following location:
The following Registry entries are created:
- "(Default)" = "%system%\Wininet.exe "%1" %*"
This causes the trojan to be executed on every application start.
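A defender can check for this kind of value by scanning a registry export for default values that place a program in front of the `"%1" %*` argument template. The following is an added example, not part of the original description: the key names are placeholders because the page does not list the key, and the sample export (including the expanded path standing in for `%system%`) is constructed.

```python
import re

# Argument template that ends the value shown on the page.
PASS_THROUGH = '"%1" %*'

# Constructed sample in .reg export syntax; key names are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[PLACEHOLDER_KEY_CLEAN]
@="\"%1\" %*"

[PLACEHOLDER_KEY_MODIFIED]
@="C:\\WINDOWS\\System32\\Wininet.exe \"%1\" %*"

[PLACEHOLDER_KEY_UNRELATED]
@="notepad.exe %1"
'''

def parse_reg_defaults(text):
    """Return {key_path: default_value} for every '@=' string in a .reg export."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            body = line[3:-1]
            # .reg strings escape backslash and double quote with a backslash.
            defaults[key] = re.sub(r'\\(["\\])', r'\1', body)
    return defaults

def find_hijacked_commands(defaults):
    """List (key, program) pairs where a program precedes the pass-through template."""
    findings = []
    for key, value in defaults.items():
        v = value.strip()
        if v.endswith(PASS_THROUGH):
            program = v[:-len(PASS_THROUGH)].strip().strip('"')
            if program:  # an empty prefix means the value is the bare template
                findings.append((key, program))
    return findings

if __name__ == "__main__":
    for key, program in find_hijacked_commands(parse_reg_defaults(SAMPLE_EXPORT)):
        print(f"review {key}: command is routed through {program}")
```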
The following information is collected:
- login user names for certain applications/services
- login passwords for certain applications/services
- e-mail addresses
- Outlook Express account data
- The Bat! account data
- information about the operating system and system settings
- CPU information
- list of disk devices and their type
- network adapter information
- list of running processes
E-mail addresses are searched for in files with one of the following extensions:
The collected information is stored in the following files:
The trojan attempts to send gathered information to a remote machine.
The trojan sends the information via e-mail. The SMTP protocol is used.
Win32/PSW.Wortron.10.A is a trojan that spreads via e-mail.
The subject of the message may be one of the following:
- a Video Greeting
Some of the following strings may be used to form the sender address:
The messages may contain any of the following texts:
- you have received a videoGreeting from SomeOne
- open attached file to know who have sent it
The attachment is an executable of the trojan.
Its filename may also be one of the following:
The trojan can terminate processes with any of the following strings in the path:
The trojan may create the following files: