A file named winuser.exe in the %WINDIR% directory (size: 419 KB)

Removal instructions:

Please let BitDefender delete the infected file.

Analyzed By

Raul Tosa, BitDefender virus researcher

Technical Description:

The trojan was spammed out by email, posing as a security update from an antivirus product and warning of a new virus in the wild. The email reads as follows (translated from Portuguese):

Attention! Your email can be blocked.
What does the virus do? It sends messages to all your contacts, containing an infected archive with the virus; thus, when the message is opened, another person is infected, who in turn infects others.
Sending mass messages over the Internet is considered illegal, and for this reason your email can be blocked. The removal tool is available for download at: http://[REMOVED]/SecurityCheck/update170706.htm
In order to protect your email from being blocked, please use the removal tool and send this email to all your infected contacts.

The email carries a 419 KB executable. Once run, it copies itself to the %WINDIR% folder and creates the following registry entry so that it runs every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" " = C:\%WINDIR%\Winuser.exe
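The two indicators above (a winuser.exe copy in %WINDIR% and a Run value, here with a blank name, that launches it) can be audited with the following read-only PowerShell check. This is an added example, not part of the BitDefender description; the value-name and path matching are assumptions drawn from the entry shown above, and a hit on the file name alone is not conclusive, so the script also records size and SHA256 for comparison against the 419 KB sample.

```powershell
# Added example (not from the BitDefender description): audit a Windows host for the
# indicators listed above. Run from an elevated PowerShell prompt; it only reports.

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Autostart check: enumerate every value under the Run key. Legitimate entries
#    carry a descriptive name, so a value whose name is empty or whitespace (as in
#    the entry above) is flagged, as is any value whose data references winuser.exe.
$props = Get-ItemProperty -Path $runKey
foreach ($p in $props.PSObject.Properties) {
    # Skip the provider metadata that Get-ItemProperty attaches to the object.
    if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
    $nameBlank = [string]::IsNullOrWhiteSpace($p.Name)
    $dataHit   = ("$($p.Value)" -match '(?i)winuser\.exe')
    if ($nameBlank -or $dataHit) {
        $findings += [pscustomobject]@{
            Indicator = 'Run key value'
            Detail    = "name='$($p.Name)' data='$($p.Value)'"
        }
    }
}

# 2. File check: look for winuser.exe in %WINDIR% and record size and hash so the
#    file can be compared against the 419 KB sample described above.
$path = Join-Path $env:WINDIR 'winuser.exe'
if (Test-Path -LiteralPath $path) {
    $f    = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Indicator = 'File in %WINDIR%'
        Detail    = "$path size=$($f.Length) bytes sha256=$hash"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No winuser.exe indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script deliberately does not delete anything: if it reports a hit, let the antivirus product remove the file (as the removal instructions say) and then re-run the check to confirm the Run value is gone, since the file can be recreated at the next logon while the autostart entry remains.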

Once installed, it notifies its author of the newly infected machine by sending an email to:

The trojan attempts to steal Internet banking credentials by displaying dialog boxes that mimic the targeted bank's online site and asking the user to enter their login details. Once it has captured the credentials, it sends them to the attacker.