English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.MSIL.Purswapper.a

Detected Aug 28 2010 12:15 GMT
Released Aug 29 2010 00:17 GMT
Published Oct 25 2010 14:24 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan has a malicious payload. It is a Windows .Net application (PE EXE file). It is 5120 bytes in size. It is written in Visual Basic .Net.


Payload

Once launched, the Trojan monitors the clipboard and upon detection of the following expressions, which correspond to WebMoney payment system wallets:

R<num1>
U<num1>
Z<num1>
41001<num2>
where <num1> is a random set of 12 numbers, and <num2> is a random set of 9 numbers

It substitutes the found value to the following, respectively:

R5248***0497
U21356***03905
Z35200***35009
41001709***826A


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: D218C8BE30C360EB4D38034EC55CE239
SHA1: 001A5AF124C57F62920D629E2E2907D00719F264


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.