Win32/Spy.Webmoner [Threat Name] go to Threat

Win32/Spy.Webmoner.NEP [Threat Variant Name]

Category trojan
Size 36352 B
Aliases Win32:InfoStealer-AI (Avast)
Short description

Win32/Spy.Webmoner.NEP is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


When executed, the trojan creates the following files:

  • %webmoneyrootfolder%\­inetmib1.dll
  • %localappdata%\­svc.dll

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­SvcClient]
  • [HKEY_CURRENT_USER\­Software\­SvcClient]
  • [HKEY_CURRENT_USER\­Software\­SvcLockC]
  • [HKEY_CURRENT_USER\­Software\­SvcLockS]

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects information related to the following applications:

  • WebMoney Keeper Classic

The trojan attempts to send gathered files to a remote machine.

The trojan contains an URL address. The HTTP protocol is used.

Other information

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • uninstall itself
  • update itself to a newer version
  • delete files
  • collect information about the operating system used
  • disable System Restore

The trojan hooks the following Windows APIs:

  • Module32First (kernel32.dll)
  • SendMessageA (user32.dll)
  • GetWindowTextA (user32.dll)
  • SetWindowTextA (user32.dll)
  • DrawTextA (user32.dll)
  • MessageBoxA (user32.dll)
  • CreateDialogIndirectParamA (user32.dll)
  • HttpOpenRequestA (wininet.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.