Trojan.MSIL.Purswapper.a

Payload

Once launched, the Trojan monitors the clipboard and upon detection of the following expressions, which correspond to WebMoney payment system wallets:

R<num1>
U<num1>
Z<num1>
41001<num2>

where <num1> is a random set of 12 numbers, and <num2> is a random set of 9 numbers


It substitutes the found value to the following, respectively:

R5248***0497
U21356***03905
Z35200***35009
41001709***826A

Technical Details

This Trojan has a malicious payload. It is a Windows .Net application (PE EXE file). It is 5120 bytes in size. It is written in Visual Basic .Net.

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: D218C8BE30C360EB4D38034EC55CE239
SHA1: 001A5AF124C57F62920D629E2E2907D00719F264