Comments:
Trojan.VBS.PWStroy is a script that can modify the Autoexec.bat file so that drive C is reformatted when the computer is restarted. It can also use Microsoft Outlook to send the logged-on user's .pwl file (password file) to two email addresses.

This is a VBScript Trojan. It contains the comment line:
'VBS.Dr.Troyan 2.1
at the top of the code. When the script is run, it does the following:
- It copies itself to the \Windows\System folder as Kernel32.vbs.
- Next, it adds the value
  System32
  to the registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  so that the Trojan runs when you start Windows.
- It then reads the registry to determine the name of the logged-on user. Using this information, the Trojan then attempts to locate a file in the \Windows folder that has the same file name as the user name and that has the .pwl extension. (Windows uses .pwl files to store passwords; in this case, the Windows logon password.)
- It starts Microsoft Outlook and sends the following message to two email addresses:
  Subject: PASSWORD
  Message: PASSWORD FILE GOT>
  Attachment: The .pwl file that contains the Windows logon password.
- Finally, with a 1-in-120 chance, this script modifies the Autoexec.bat file with instructions to format drive C. It then restarts the computer, which causes the Autoexec.bat file to run.
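
A check for the three host artifacts listed above, given as an added example that is not part of the original write-up. It assumes a regedit text export of the registry, a directory listing of \Windows\System and the text of Autoexec.bat as inputs; the function names, the sample inputs and the `format c:` command form are assumptions, since the description does not give the exact Autoexec.bat lines or the data stored in the Run value.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def run_key_values(reg_export):
    """Return {value name: raw data} for the HKLM Run key in a regedit text export."""
    values, in_run = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # key names are case-insensitive
        elif in_run:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def autoexec_formats_c(autoexec):
    """True if a non-comment line invokes FORMAT on drive C (assumed command form)."""
    for line in autoexec.splitlines():
        cmd = line.strip().lstrip("@").lower()
        if cmd.startswith(("rem ", "::")):
            continue
        if re.search(r"\bformat(\.com)?\s+c:", cmd):
            return True
    return False

def check_host(reg_export, system_files, autoexec):
    """Collect the artifacts from the description that are present on a host."""
    findings = []
    if any(n.lower() == "system32" for n in run_key_values(reg_export)):
        findings.append("Run value named System32")
    if any(f.lower() == "kernel32.vbs" for f in system_files):
        findings.append(r"Kernel32.vbs in \Windows\System")
    if autoexec_formats_c(autoexec):
        findings.append("Autoexec.bat formats drive C")
    return findings

# Constructed sample inputs; the value data is a placeholder, not from the write-up.
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System32"="<placeholder>"
'''
CLEAN_REG = INFECTED_REG.replace('"System32"="<placeholder>"\n', "")

if __name__ == "__main__":
    print(check_host(INFECTED_REG, ["KERNEL32.DLL", "Kernel32.vbs"], "@echo off\nformat c:\n"))
```

A Run value named System32 is the strongest of the three signals, because a startup entry has no ordinary reason to borrow the name of a system directory.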