Class: Trojan
Platform: Win32

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan

A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

This is a Win95/98/ME trojan program that attacks the Xpresso financial information desktop (see http://www.spxpresso.com). The trojan is intended to modify financial transactions, probably to redirect them to the hacker's bank account. It does so by tampering with the Java run-time library used by the Xpresso client, which is written in Java.

The trojan was not tested in the virus lab, so we cannot confirm that it actually forwards money transfers to the hacker's or anyone else's account. What is certain is that the trojan intercepts transactions and modifies data in the transaction control blocks.

The trojan is distributed attached to Win32 PE EXE files. The trojan code is placed at the end of the PE EXE file in a virus-like way. When an affected file is run, the trojan code gets control and installs the main trojan component into the system. Control is then returned to the host file.

The trojan cannot infect other PE EXE files by itself. A separate "dropping" trojan component (a command-line Win32 application) was found that attaches the trojan code to victim PE EXE files on the user's request.
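The two paragraphs above describe code appended to the end of a PE EXE file that takes control before the host program runs. The following Python is an added triage example written for this page; it is not Kaspersky's code and not the trojan. It parses the PE headers from the raw bytes, reports how many bytes sit beyond the last section (an "overlay") and which section holds the entry point. The `build_minimal_pe` helper builds a constructed, synthetic image purely so the script runs offline; the section names, sizes and the 300-byte appended blob are made-up test data.

```python
import struct

FILE_ALIGN = 0x200   # typical PE file alignment
SECT_ALIGN = 0x1000  # typical PE section alignment


def _align(n, a):
    return (n + a - 1) // a * a


def build_minimal_pe(sections, entry_rva=0x1000, appended=b""):
    """Constructed, non-executable PE image for testing the parser (assumption: not a real binary)."""
    n = len(sections)
    headers_size = _align(64 + 4 + 20 + 224 + 40 * n, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)      # i386, n sections, 224-byte optional header
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * (224 - 20)
    table, body = b"", b""
    raw_ptr, va = headers_size, SECT_ALIGN
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), SECT_ALIGN)
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0")
    return header + body + appended


def parse_sections(data):
    """Return (entry_rva, [(name, virtual_addr, virtual_size, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    table = pe + 24 + opt_size
    secs = []
    for i in range(n):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return entry_rva, secs


def overlay_size(data):
    """Bytes present in the file after the end of the last mapped section."""
    _, secs = parse_sections(data)
    end = max((p + s for _, _, _, p, s in secs), default=0)
    return len(data) - end


def entry_point_section(data):
    """Index of the section containing the entry point, or None if it lies outside all sections."""
    entry, secs = parse_sections(data)
    for i, (_, va, vsize, _, raw_size) in enumerate(secs):
        if va <= entry < va + max(vsize, raw_size):
            return i
    return None


def triage(data):
    """Signals an analyst looks at for appended code: overlay bytes and entry point placement."""
    _, secs = parse_sections(data)
    ep = entry_point_section(data)
    return {
        "overlay_bytes": overlay_size(data),
        "entry_section": ep,
        "entry_in_last_section": ep is not None and ep == len(secs) - 1,
    }


if __name__ == "__main__":
    sample = [(b".text", b"\xc3" * 16), (b".data", b"\0" * 8)]
    print(triage(build_minimal_pe(sample)))
    print(triage(build_minimal_pe(sample, appended=b"\x90" * 300)))
```

Neither signal is a verdict on its own: installers and Authenticode-signed files legitimately carry an overlay, and a virus-like appender may instead enlarge the last section and point the entry point into it, which is why the entry-point check is reported alongside the overlay size.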

While installing itself into the system, the trojan extracts a VxD component (the main trojan component) from its own code and writes it to a newly created file, MSREBOOT.VXD, in the Windows system directory. This VxD is then registered in the "VxD Services" registry key.

The following registry key and values are created there:

HKLM\System\CurrentControlSet\Services\VxD\REBOOT
RebootData = [zero-length data]
Start = 00
StaticVxD = "*REBOOT,MSREBOOT.VXD"

The first value (RebootData) indicates the date on which the trojan will uninstall itself from the system: at that point the trojan overwrites its VXD file with zeros and then deletes the file.

The purpose of the second value (Start) is unknown.

The third value (StaticVxD) is an auto-load registry entry that forces Windows to load and activate the VXD file when Windows starts up.
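The StaticVxD value above is the persistence mechanism: any service under Services\VxD whose StaticVxD names a file is loaded at boot. The following Python is an added example for this page (not Kaspersky's tooling) that parses a REGEDIT4-style export of that branch and lists every file-backed static VxD load, flagging those not on an allow-list. The export text is constructed for the example and the empty default allow-list is an assumption; a real hunt would populate it from a known-clean system.

```python
import re

# Constructed REGEDIT4 export of the VxD services branch (sample data, not a real export).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VMM]
"StaticVxD"="*VMM"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\REBOOT]
"RebootData"=""
"Start"=hex:00
"StaticVxD"="*REBOOT,MSREBOOT.VXD"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def static_vxd_loads(keys):
    """Return (service_name, vxd_file_or_None) for every StaticVxD value under Services\\VxD.

    A StaticVxD of the form "*NAME,FILE.VXD" loads FILE.VXD from the system directory;
    a bare "*NAME" refers to a VxD built into the kernel and carries no file.
    """
    out = []
    for key, values in keys.items():
        if "\\Services\\VxD\\" not in key or "StaticVxD" not in values:
            continue
        raw = values["StaticVxD"].strip('"')
        parts = raw.split(",", 1)
        out.append((key.rsplit("\\", 1)[1], parts[1] if len(parts) == 2 else None))
    return out


def find_file_backed_static_vxds(keys, known_files=frozenset()):
    """Flag file-backed static VxD loads whose file is not on the allow-list (allow-list is an assumption)."""
    return [(svc, f) for svc, f in static_vxd_loads(keys) if f and f.upper() not in known_files]


if __name__ == "__main__":
    for svc, vxd in find_file_backed_static_vxds(parse_reg_export(SAMPLE_EXPORT)):
        print(f"static VxD load from file: service={svc} file={vxd}")
```

Built-in VxDs such as VMM appear with no file and are skipped; only entries that pull a loadable file from disk are reported, which is the pattern this trojan uses.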

When the trojan VXD is activated, the main trojan procedure monitors file-open operations and looks for the Java runtime library JRT3230.DLL. The trojan does not interfere with loading that library; it waits until loading has completed and then hooks the Java function "do_execute_java_method_vararg".

The hook then inspects all data processed by that function, including bank transfers made with the Xpresso client. The trojan parses the transfer request structure and replaces some fields in that request with other values. It appears that the trojan replaces the original destination bank account number with the hacker's.
