Win32/PSW.Wortron.10 [Threat Name]
Win32/PSW.Wortron.10.A [Threat Variant Name]
Category: trojan
Size: 14836 B
Aliases:
- Trojan-PSW.Win32.Wortron.10.a (Kaspersky)
- Worm:Win32/Worton (Microsoft)
- W32.Wotron.Worm (Symantec)
- Win32.HLLM.Wotron.2 (Dr.Web)
Short description
Win32/PSW.Wortron.10.A is a trojan that steals sensitive information and attempts to send the gathered information to a remote machine. It is able to spread via e-mail. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- %system%\Wininet.exe
The following Registry entries are created:
- [HKEY_CLASSES_ROOT\exefile\shell\open\Command]
- "(Default)" = "%system%\Wininet.exe "%1" %*"
This key is the handler Windows uses to launch every .exe file, so the trojan is executed each time any application is started; the original program and its arguments are passed through via "%1" %*, so nothing appears broken to the user.
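The hijack above is a general persistence technique, not specific to this family: any value other than the Windows default "%1" %* in HKEY_CLASSES_ROOT\exefile\shell\open\command means a program has been interposed in front of every executable launch. The following is an added example (not ESET's code, nor the trojan's) that parses a .reg export of that key offline and classifies the value. The export text and the C:\WINDOWS\system32 path standing in for %system% are constructed for illustration. Practical caveat: restore the value to "%1" %* before deleting Wininet.exe; while the hijack is in place, every .exe is started through that file, and removing it first leaves the system unable to launch programs, including cleanup tools.

```python
import re

# Windows default for HKEY_CLASSES_ROOT\exefile\shell\open\command: run the
# requested .exe (%1) with its original arguments (%*).
DEFAULT_EXEFILE_OPEN = '"%1" %*'

# Constructed sample of a .reg export of HKCR\exefile taken from an infected
# host. C:\WINDOWS\system32 is an assumed expansion of %system%.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\Wininet.exe \"%1\" %*"
'''


def unescape_reg_string(literal):
    """Decode a REG_SZ literal from a .reg file ("..." with \\ and \" escapes)."""
    literal = literal.strip()
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError('not a quoted REG_SZ literal: %r' % literal)
    return re.sub(r'\\(.)', r'\1', literal[1:-1])


def exefile_open_command(reg_text):
    r"""Return the (Default) value of HKCR\exefile\shell\open\command, or None."""
    target = r'hkey_classes_root\exefile\shell\open\command'
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1].lower()
        elif current_key == target and line.startswith('@='):
            return unescape_reg_string(line[2:])
    return None


def split_launcher(command):
    """Split a shell command into (first token, remainder), honouring a
    leading "quoted path". An unquoted path containing spaces is ambiguous;
    it is cut at the first space, which still flags the value as hijacked."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ''
        return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(' ')
    return head, tail.strip()


def analyse_exefile_open(command):
    """Classify an exefile open command value.

    hijacked       - anything other than the Windows default
    interposed     - the program that now runs before every .exe
    passes_through - whether the hijacker still forwards "%1" %*, i.e. the
                     victim's programs keep working and nothing looks broken
    """
    if command.strip() == DEFAULT_EXEFILE_OPEN:
        return {'hijacked': False, 'interposed': None, 'passes_through': True}
    launcher, rest = split_launcher(command)
    return {'hijacked': True,
            'interposed': launcher,
            'passes_through': rest == DEFAULT_EXEFILE_OPEN}


if __name__ == '__main__':
    value = exefile_open_command(SAMPLE_REG_EXPORT)
    print('exefile open command:', value)
    print(analyse_exefile_open(value))
```

The parser only handles the REG_SZ form the export uses for this key; a hex(2) (REG_EXPAND_SZ) encoding of the same value would need decoding first, and the check should then be applied to the expanded string.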
Information stealing
The following information is collected:
- login user names for certain applications/services
- login passwords for certain applications/services
- e-mail addresses
- Outlook Express account data
- The Bat! account data
- information about the operating system and system settings
- CPU information
- list of disk devices and their type
- network adapter information
- list of running processes
E-mail addresses are searched for in files with one of the following extensions:
- *.htm*
The collected information is stored in the following files:
- c:\mailz.txt
- %system%\exelib.dll
The trojan attempts to send the gathered information to a remote machine by e-mail, using the SMTP protocol.
Spreading
Win32/PSW.Wortron.10.A is a trojan that spreads via e-mail.
Subject of the message may be one of the following:
- a Video Greeting
Some of the following strings may be used to form the sender address:
- greetings@vgreetings.com
The messages may contain any of the following texts:
- you have received a videoGreeting from SomeOne
- open attached file to know who have sent it
The attachment is an executable of the trojan.
Its filename may be one of the following:
- video.exe
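The lure described above (sender, subject, body texts and an executable attachment) can be checked with a mail-filter rule. The following is an added example, not ESET's code or a real capture: it builds a constructed message resembling the one described, then scans any raw RFC 5322 message for the indicators. The recipient address, the "MZ" stand-in attachment and the benign control message are constructed for the test. The variant-specific strings are easy for an attacker to change; the part that generalises is inspecting the attachment bytes for a PE header rather than trusting its name.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure indicators of this variant, taken from the description above.
LURE_SUBJECTS = {'a video greeting'}
LURE_SENDERS = {'greetings@vgreetings.com'}
LURE_PHRASES = ('you have received a videogreeting from someone',
                'open attached file to know who have sent it')
LURE_ATTACHMENTS = {'video.exe'}
# Extensions Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd')

# Constructed stand-in for the attachment: a DOS/PE "MZ" header followed by
# padding. It is not the trojan, only enough to exercise the header check.
FAKE_PE = b'MZ' + b'\x90' * 62
FAKE_TEXT = b'just a note, nothing executable here'


def build_message(sender, subject, body, filename, payload):
    """Build a MIME message with one attachment and return its raw bytes."""
    msg = EmailMessage(policy=policy.default)
    msg['From'] = sender
    msg['To'] = 'victim@example.com'          # constructed recipient
    msg['Subject'] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype='application',
                       subtype='octet-stream', filename=filename)
    return msg.as_bytes()


def lure_message():
    """Constructed sample resembling the Wortron mail (not a real capture)."""
    return build_message('greetings@vgreetings.com', 'a Video Greeting',
                         'you have received a videoGreeting from SomeOne\n'
                         'open attached file to know who have sent it\n',
                         'video.exe', FAKE_PE)


def benign_message():
    """Constructed control message with a harmless attachment."""
    return build_message('alice@example.com', 'meeting notes',
                         'notes from today attached\n', 'notes.txt', FAKE_TEXT)


def wortron_indicators(raw):
    """Return the list of indicators matched by a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get('From') or '').lower()
    if any(s in sender for s in LURE_SENDERS):
        hits.append('sender')
    subject = (msg.get('Subject') or '').strip().lower()
    if subject in LURE_SUBJECTS:
        hits.append('subject')
    body = msg.get_body(preferencelist=('plain', 'html'))
    text = body.get_content().lower() if body is not None else ''
    hits.extend('phrase:%d' % i for i, p in enumerate(LURE_PHRASES) if p in text)
    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        data = part.get_payload(decode=True) or b''
        if name in LURE_ATTACHMENTS:
            hits.append('attachment-name')
        # Check the bytes, not just the name: a PE file is executable whatever
        # it is called, and a renamed .exe still starts with "MZ".
        if data[:2] == b'MZ':
            hits.append('attachment-pe')
        elif name.endswith(EXEC_EXTENSIONS):
            hits.append('attachment-exec-ext')
    return hits


def is_wortron_like(hits):
    """Block when an executable attachment rides with at least two lure traits."""
    executable = any(h in ('attachment-pe', 'attachment-exec-ext') for h in hits)
    lure = sum(1 for h in hits
               if h in ('sender', 'subject', 'attachment-name') or h.startswith('phrase:'))
    return executable and lure >= 2


if __name__ == '__main__':
    for label, raw in (('lure', lure_message()), ('benign', benign_message())):
        hits = wortron_indicators(raw)
        print(label, hits, 'BLOCK' if is_wortron_like(hits) else 'pass')
```

The two-trait threshold keeps an ordinary executable attachment from being blocked on the PE header alone; tighten or loosen it to suit the environment, and treat 'attachment-pe' without an executable extension as its own alert, since a PE file disguised under another name is suspicious regardless of the lure.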
Other information
The trojan can terminate processes with any of the following strings in the path:
- ZONALARM.EXE
- OUTPOST.EXE
- AVPM.EXE
- NAVM.EXE
The trojan may create the following files:
- %system%\sysd.dll
- %system%\vlb.dll
- %system%\ip.dll