Microsoft security software detects and removes this threat.

This family of malware steals your usernames and passwords for online games and applications. It can also download other malware.

The trojan is usually installed on your computer when you download other applications, images or software. It is also installed by other malware such as Trojan:Win32/LockScreen.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

This threat can steal your usernames and passwords. After you remove this threat it is a good idea to change your passwords.

The following page has tips on how to create and use strong passwords:

Threat behavior


TrojanSpy:Win32/Usteal has been found bundled with other applications, including:

  • online gaming-related applications, for example World of Tanks, Dota2, and Steam applications
  • images
  • other malware, for example Trojan:Win32/LockScreen

The trojan launches the bundled application after it has run.

It creates an encrypted log file containing the stolen data that it sends to an attacker:

  • %TEMP% \report_<date and time>-<random alphanumeric characters>.bin

It sends your stolen usernames and password to an attacker before it terminates and deletes itself and the log file. It leaves the bundled application, image or other malware running.


Stops applications

TrojanSpy:Win32/Usteal stops the following processes in order to steal your credentials:

  • ICQ Messenger (icq.exe)
  • mail agent (magent.exe)

The trojan checks for the presence of:

  • monitoring applications
  • virtual machines
  • debuggers
  • antimalware products

TrojanSpy:Win32/Usteal will terminate itself to avoid detection if it finds any of the following antimalware processes:

  • Anubis
  • AV products, for example avp.exe
  • FileMon
  • OllyDbg
  • Process Explorer
  • ProcMon
  • RegMon
  • Sandboxie
  • VirtualBox
  • VMWare
  • WireShark

The list of antimalware products that the trojan will look for can be customized by the attacker.

Steals usernames and passwords

TrojanSpy:Win32/Usteal collects stored usernames and passwords from the following web browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Safari

The trojan collects FTP credentials (IP, port, usernames, and passwords) from the following FTP software:

  • CoreFTP
  • FAR/FAR2
  • FileZilla
  • FlashFXP
  • FTP Commander
  • SmartFTP
  • Total Commander
  • winscp
  • ws_ftp

It collects stored usernames and passwords from the following instant messaging programs and instant messaging managers:

  • Google Talk
  • ICQ
  • Live Messenger
  • Mail.Ru Agent
  • Miranda
  • MSN Messenger
  • Pidgin
  • Psi
  • QIP 2005
  • QIP Infium

TrojanSpy:Win32/Usteal collects stored usernames and passwords from the following email applications:

  • IncrediMail
  • SeaMonkey
  • The Bat!
  • Thunderbird

The trojan collects stored usernames and passwords from online games and remote desktop applications, including:

  • Full Tilt Poker
  • PokerStars
  • RDP
  • Windows RAS
  • World of Tanks
  • Steals system information

TrojanSpy:Win32/Usteal collects information about your computer system including:

  • Country
  • Installed programs
  • Machine Name
  • OS
  • System Language
  • Users

Sends stolen information to an attacker 
TrojanSpy:Win32/Usteal can send the information it steals to an attacker via:

  • FTP Servers
  • SMTP (email)
  • Remote servers (PHP gate)

Downloads other malware
An attacker can configure TrojanSpy:Win32/Usteal to download and run other malware.


The following system changes may indicate the presence of this malware:

The presence of the following files:

  • %TEMP% \report_<date and time>-<random alphanumeric characters>.bin

The following programs may terminate unexpectedly:

  • ICQ Messenger (icq.exe)
  • mail agent (magent.exe)


Alert level: Severe
First detected by definition: 1.123.1790.0
Latest detected by definition: 1.185.1404.0 and higher
First detected on: Apr 14, 2012
This entry was first published on: Apr 14, 2012
This entry was updated on: Jul 24, 2013

This threat is also detected as:
  • Trojan/Win32.Ruftar (AhnLab)
  • Trojan horse PSW.Generic10.BNFS (AVG)
  • Trojan horse PSW.Generic10.BWOI (AVG)
  • Trojan horse PSW.Generic10.CIUL (AVG)
  • W32/Usteal.A.gen!Eldorado (Command)
  • W32/Troj_Generic.HCCAE (Norman)
  • W32/Troj_Generic.JLPCB (Norman)
  • TR/Spy.Usteal.D.988 (Avira)
  • TR/Spy.Usteal.D.1219 (Avira)
  • Gen:Variant.Zusy.1108 (BitDefender)
  • Trojan.Generic.8712735 (BitDefender)
  • Gen:Variant.Kazy.44973 (BitDefender)
  • Trojan.Generic.KDZ.11916 (BitDefender)
  • Gen:Variant.Symmi.11246 (BitDefender)
  • Trojan.PWS.UFR.3136 (Dr.Web)
  • Trojan.PWS.UFR.3111 (Dr.Web)
  • Trojan.PWS.UFR.3047 (Dr.Web)
  • BackDoor.Comet.152 (Dr.Web)
  • Win32/Injector.AEJK trojan (ESET)
  • Trojan.SuspectCRC (Ikarus)
  • Win32.AdWare.AII (Ikarus)
  • RDN/Generic PWS.y!bn (McAfee)
  • RDN/Generic PWS.y!fg (McAfee)
  • RDN/Generic PWS.y!di (McAfee)
  • BackDoor-FAPT!02357D9CE63E (McAfee)
  • W32/Skintrim.DVYD (Norman)
  • Trojan.PSW.Ldpinch!238F (Rising AV)
  • Mal/Behav-116 (Sophos)
  • Mal/HckPk-D (Sophos)
  • Mal/RufTar-C (Sophos)