WebMoney Users Are Once Again in a "High-Risk" Group

16 Oct 2001
Virus News

The latest Trojan program goes after WebMoney purses.

Kaspersky Lab, an international data-security software developer, announces the detection of a new Trojan, "KWM," which allows malefactors to covertly control infected computers and gain access to the personal payment accounts of WebMoney users.

The method by which "KWM" penetrates a computer is rather complicated: first, a user, drawn in by an interesting description, must download the file carrying the Trojan program (the "dropper") from a Web site and execute it. At the moment, two versions of the dropper have been detected, spread across many public Web sites in the following files: PHOTO.SCR (66 KB) and Sponsors_pay_WM.EXE (70 KB) (the file names could change).

Upon start-up, the dropper does in fact display a photo of an unknown woman and "contract-for-service" conditions. Simultaneously, unbeknownst to the user, the Trojan program itself is downloaded from a remote Web site and installed on the computer. This allows malefactors to perform any file operation (execution, deletion, transfer over the Internet, etc.) and obtain personal information and passwords.

It is particularly important to note that "KWM" specifically searches disks for WebMoney service files and sends them to a remote FTP site. At the same time, the Trojan installs a "key tracker" on the infected computer, which covertly records all keystrokes. In this way, the malefactors are able to obtain the passwords for the WebMoney files and, circumventing the encryption that protects them, read the contents of those files. As a result, a computer user could soon learn that his/her credit is gone along with his/her personal payment account.

"KWM" is the latest malicious program specifically targeting WebMoney, the first being "Eurosol" that was detected on May 18 of this year. It is likely that this latest Trojan is also the work of the "Eurosol" writer.

In order to avoid infection by "KWM," Kaspersky Lab once again reminds users to be especially careful when dealing with files downloaded from the Internet, and under no circumstances to open them without first conducting an anti-virus scan.

Defense procedures thwarting "KWM" are already included in the latest daily Kaspersky Anti-Virus database updates.

A more detailed description of the "KWM" Trojan can be found in the Kaspersky Anti-Virus Encyclopedia.