Trojan.RegForm

Classification

Category:

Malware

Type:

Trojan

Aliases:

  • Trojan.RegForm

Summary

RegForm is a trojan that steals Internet access passwords and sends them to a hacker via email (through a free web-based email system). The trojan consists of two parts: a DOS part and a Windows part. The DOS part is a registration form filling application and the Windows part is a password stealing utility.

Technical Details

The trojan invites the user to become a tester and promises free Internet access in Moscow. When the trojan is executed, it shows the following text screen (in Russian):

Dear Sirs, The Softnet Euro company provides you with a free dial-up access to Internet via Moscow telephone lines. This is done to test the quality of phone lines and certain remote access servers. We are inviting you to take part in testing. To get a free access you need to fill in registration form (see below) and to specify your login and password that you will use. This information will be saved to REG_FORM.DAT file in encrypted format. You will have to send this file to our automatic mail robot to the following address: euro.softnet@usa.net. After that your password will be enabled and the Internet access phone numbers will be sent to you. This free service is provided from 13:00 till 23:00 during working days only. If you want to get a commercial Internet access please call (095) 911-3535. Press any key

The trojan then asks the user to fill in a registration form (the funny thing is that it doesn't even ask for the user's email address to send back the Internet access phone numbers):

Please fill in the registration form. Your last and first names and initials: Operating system you are using: Modem type you are using: Your login to access our system: Your private password: Please re-enter your password: Registration is complete. Your information has been saved. Please send the created file to the above specified email address. Press any key

After this registration is complete, the trojan extracts a small Windows program from its body. From then on, this Windows part of the trojan stores all logins and passwords the user enters in REG_FORM.DAT. If the user finally sends this file to the specified email address, the hacker gets all the logins and passwords typed by the user.
