Threat Description



Aliases:Stash, Trojan.PSW.Small.e,
Category: Malware
Platform: W32


Shash consists of a downloader and a data stealing trojan. The downloader was spread in multiple e-mail messages on 7th of November 2003. When activated, it downloads and runs the executable file that is a data stealing trojan.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

The downloader was distributed in multiple e-mails on 7th of November, 2003. The file name of the downloader is:


When the downloader is run by a user, it downloads and activates an executable file from an account on server.The downloaded file is a data stealing trojan based on the code that can be found in Mimail.C worm. When activated, the trojan copies itself as NETSPACE32.EXE file to Windows folder and creates a startup key for its file in the Registry:

 "NetSpace32" = "%windir%\netspace32.exe"

where %windir% is a Windows folder.The trojan stays in Windows memory and monitors open application windows. When a certain window is found, the trojan gets certain information from it, saves it to C:\TMP2993.TMP file and then sends this file to 2 e-mail addresses that are hardcoded in the trojan's body.


Detection in F-Secure Anti-Virus was published on November 10th, 2003 in update:
Detection Type: PC

Description Created: Alexey Podrezov, November 7th, 2003


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More