Win32/PSW.Wortron.10 [Threat Name]

Win32/PSW.Wortron.10.A [Threat Variant Name]

Category trojan
Size 14836 B
Aliases Trojan-PSW.Win32.Wortron.10.a (Kaspersky)
  Worm:Win32/Worton (Microsoft)
  W32.Wotron.Worm (Symantec)
  Win32.HLLM.Wotron.2 (Dr.Web)
Short description

Win32/PSW.Wortron.10.A is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. It is able to spread via e-mail. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\Wininet.exe

The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\exefile\shell\open\Command]
    • "(Default)" = "%system%\Wininet.exe "%1" %*"

Because this value is the command Windows uses to open .exe files, the trojan is executed on every application start.
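A defender can check for this persistence mechanism by comparing the key's default value with the stock `"%1" %*`. The following is an added example, not part of the original description; the function names and the sample values are constructed for illustration.

```python
import re
import sys

# Stock (Default) value of HKCR\exefile\shell\open\command: run the opened file itself.
BENIGN_DEFAULT = '"%1" %*'
KEY_PATH = r"exefile\shell\open\command"

# Constructed sample values (not captured from a real host).
CONSTRUCTED_SAMPLES = [
    '"%1" %*',
    '%system%\\Wininet.exe "%1" %*',                 # form given in the description
    '"C:\\Windows\\System32\\Wininet.exe" "%1" %*',  # constructed expanded path
]


def audit_exefile_command(value):
    """Return (modified, interposed) for the key's default value.

    interposed is whatever precedes the "%1" placeholder, i.e. the program
    that would be launched in front of every executable the user opens.
    """
    normalized = " ".join(value.split())  # collapse whitespace before comparing
    if normalized == BENIGN_DEFAULT:
        return (False, None)
    match = re.match(r'^(.*?)\s*"?%1"?', normalized)
    # No placeholder at all: the whole value replaces the opened program.
    interposed = match.group(1).strip().strip('"') if match else normalized
    return (True, interposed or None)


def read_live_value():
    # Windows only. HKEY_CLASSES_ROOT is the merged view of the machine-wide
    # and per-user class registrations, so a per-user override is seen too.
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY_PATH) as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    values = [read_live_value()] if sys.platform == "win32" else CONSTRUCTED_SAMPLES
    for value in values:
        modified, interposed = audit_exefile_command(value)
        print(f"{value!r}: modified={modified} interposed={interposed!r}")
```

On a non-Windows machine the script evaluates the constructed samples instead of reading the registry.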

Information stealing

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • e-mail addresses
  • Outlook Express account data
  • The Bat! account data
  • information about the operating system and system settings
  • CPU information
  • list of disk devices and their type
  • network adapter information
  • list of running processes

E-mail addresses are searched for in files with one of the following extensions:

  • *.htm*

The collected information is stored in the following files:

  • c:\mailz.txt
  • %system%\exelib.dll

The trojan attempts to send the gathered information to a remote machine. The information is sent via e-mail, using the SMTP protocol.

Spreading

Win32/PSW.Wortron.10.A is a trojan that spreads via e-mail.


The subject of the message may be one of the following:

  • a Video Greeting

Some of the following strings may be used to form the sender address:

  • greetings@vgreetings.com

The messages may contain any of the following texts:

  • you have received a videoGreeting from SomeOne
  • open attached file to know who have sent it

The attachment is an executable of the trojan.


Its filename may be one of the following:

  • video.exe

Other information

The trojan can terminate processes with any of the following strings in the path:

  • ZONALARM.EXE
  • OUTPOST.EXE
  • AVPM.EXE
  • NAVM.EXE

The trojan may create the following files:

  • %system%\sysd.dll
  • %system%\vlb.dll
  • %system%\ip.dll
