Trojan-PSW.VBS.Half

Class Trojan-PSW
Platform VBS
Description

Technical Details

This Trojan steals user passwords. It is a VBScript virus. The file is 977 bytes in size. The Trojan can be found on webpages. It steals passwords from Win9x systems.

Payload

Once a page containing the malicious code has been opened, the Trojan searches directories on the C: drive for files with a *.pwl extension. (These files are used in Win9x systems to store user passwords.)

It then uses the ActiveX object “MSMAPI.MAPISession” to send the passwords to the remote malicious user’s email address (onehalf***4@mail.ru). The message will have the following subject:

“this is test for lame”

and contain the following text:

“hello my friend(c)onehalf***4:”.
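A defensive check based on the behaviour described above, as an added example that is not part of the original description: it flags HTML pages whose script code references both the MSMAPI.MAPISession ProgID and *.pwl files. The function and class names, the verdict labels and the sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Indicators from the description above: the MAPI session ProgID and the Win9x password-list extension.
MAPI_PROGID = re.compile(r"MSMAPI\.MAPISession", re.I)
PWL_REF = re.compile(r"\.pwl\b", re.I)

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element, ignoring visible page text."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def classify_page(html):
    """Return 'suspicious', 'review' or 'clean' (hypothetical labels) for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    code = "\n".join(collector.scripts)
    uses_mapi = bool(MAPI_PROGID.search(code))
    touches_pwl = bool(PWL_REF.search(code))
    if uses_mapi and touches_pwl:
        return "suspicious"  # both described behaviours appear in script code
    if uses_mapi or touches_pwl:
        return "review"      # a single indicator is weaker evidence
    return "clean"

# Constructed samples: an inert fragment carrying only the two indicator strings,
# and a page that merely mentions them in visible text.
SAMPLE_FLAGGED = """<html><body><script language="VBScript">
' constructed, non-functional fragment
Set s = CreateObject("MSMAPI.MAPISession")
pattern = "*.pwl"
</script></body></html>"""
SAMPLE_PROSE = "<p>Win9x keeps passwords in .pwl files; MSMAPI.MAPISession is a mail control.</p>"
```

Matching only inside script elements keeps pages that discuss these strings in ordinary text, such as this description, from being flagged.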

Removal instructions

  1. Delete the html page containing malicious code.
  2. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).