Win32/PSW.Wortron.10 [Threat Name] go to Threat

Win32/PSW.Wortron.10.A [Threat Variant Name]

Category trojan
Size 14836 B
Detection created Jul 04, 2002
Signature database version 1276
Aliases Trojan-PSW.Win32.Wortron.10.a (Kaspersky)
  Worm:Win32/Worton (Microsoft)
  W32.Wotron.Worm (Symantec)
  Win32.HLLM.Wotron.2 (Dr.Web)
Short description

Win32/PSW.Wortron.10.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It is able to spread via e-mail. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­Wininet.exe

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\­exefile\­shell\­open\­Command]
    • "(Default)" = "%system%\­Wininet.exe "%1" %*"

This causes the trojan to be executed on every application start.

Information stealing

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • e-mail addresses
  • Outlook Express account data
  • The Bat!          account data
  • information about the operating system and system settings
  • CPU information
  • list of disk devices and their type
  • network adapter information
  • list of running processes

E-mail addresses are searched for in files with one of the following extensions:

  • *.htm*

The collected information is stored in the following files:

  • c:\­mailz.txt
  • %system%\­exelib.dll

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail. The SMTP protocol is used.


Spreading

Win32/PSW.Wortron.10.A is a trojan that spreads via e-mail.


Subject of the message may be one of the following:

  • a Video Greeting

Some of the following strings may be used to form the sender address:

  • greetings@vgreetings.com

The messages may contain any of the following texts:

  • you have received a videoGreeting from SomeOne
  • open attached file to know who have sent it

The attachment is an executable of the trojan.


Its filename may be one also of the following:

  • video.exe
Other information

The trojan can terminate processes with any of the following strings in the path:

  • ZONALARM.EXE
  • OUTPOST.EXE
  • AVPM.EXE
  • NAVM.EXE

The trojan may create the following files:

  • %system%\­sysd.dll
  • %system%\­vlb.dll
  • %system%\­ip.dll

Please enable Javascript to ensure correct displaying of this content and refresh this page.