Once launched, the Trojan monitors the clipboard and upon detection of the following expressions, which correspond to WebMoney payment system wallets:
R<num1> U<num1> Z<num1> 41001<num2>
where <num1> is a random set of 12 numbers, and <num2> is a random set of 9 numbers
It substitutes the found value to the following, respectively:
R5248***0497 U21356***03905 Z35200***35009 41001709***826A
This Trojan has a malicious payload. It is a Windows .Net application (PE EXE file). It is 5120 bytes in size. It is written in Visual Basic .Net.
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).