Trojan.RegForm

Classification

Malware

Trojan

W32

Trojan.RegForm

Summary

RegForm is trojan that steals internet access passwords and sends them to a hacker via email (through a free web-based email system). The trojan consists of two parts - a DOS part and a Windows part. The DOS part is a registration form filling application and a Windows part is a password stealing utility.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The trojan offers you to become a tester and promises to grant a free access to Internet in Moscow. When the trojan is executed it shows the following text screen (in Russian):

Dear Sirs,

The Softnet Euro company provides you with a free dial-up access
 to Internet via Moscow telephone lines.
This is done to test
 the quality of phone lines and certain remote access servers.

We are inviting you to take part in testing.

To get a free access you need to fill in registration form (see
 below) and to specify your login and password
that you will
 use. This information will be saved to REG_FORM.DAT file in
 encrypted format.

You will have to send this file to our automatic mail robot to
 the following address: euro.softnet@usa.net.
After that your
 password will be enabled and the Internet access phone numbers
 will be sent to you.

This free service is provided from 13:00 till 23:00 during
 working days only.

If you want to get a commercial Internet access please call
 (095) 911-3535.

Press any key
 

Then the trojan asks to fill in registration form (the funny thing is that it doesn't even ask for user's email address to send back Internet access phone numbers):

Please fill in the registration form.

Your last and first names and initials:
 Operating system you are using:
 Modem type you are using:
 Your login to access our system:
 Your private password:
 Please re-enter your password:

Registration is complete. Your information has been saved.
 Please send the created file to the above specified email
 address.

Press any key
 

After doing the above described registration the trojan extracts a small Windows program from its body and from now on this Windows part of a trojan will store all logins and passwords the user inputs to REG_FORM.DAT. If the user finally sends this file to the specified email address a hacker gets all the logins and passwords typed by the user.