Trojan Vawtrak

What is Trojan Vawtrak?

Trojan Vawtrak is a dangerous threat that can cause serious security and privacy issues if it manages to sneak onto your system. Our malware specialists have categorized this malicious program as a banking Trojan. This infection can steal sensitive information from you, such as banking details and passwords. Therefore, you may not “only” lose money from your accounts; you may also become the victim of identity theft. Nobody wants either of these outcomes. We are here to help you by sharing what we have found after careful research. But before we go into the details, we must tell you that we recommend removing Trojan Vawtrak right away if you want to protect your privacy and your saved data. Please continue reading to find out more about this banking Trojan infection.

Where does Trojan Vawtrak come from?

Our research shows that this Trojan is very similar to ROVNIX in certain aspects, and we have also found that this infection had earlier variants. The older versions appear to have used a different distribution method (exploit kits). This new version, however, spreads via spam e-mails, which is the method most commonly used by Trojans. Even though spam filters are trying to keep up with cyber criminals, it seems that the crooks are still at least one step ahead. The basic trick behind such Trojans and spam campaigns is deception: the e-mails and their attached malicious files pretend to be something else, and usually something you would want to see right away.

Our malware researchers have found that Trojan Vawtrak can arrive in fake mail delivery messages seemingly coming from FedEx, but you may also receive a fake e-mail about the purchase of a flight ticket from American Airlines. The biggest problem is not that you open these mails but that you want to download and view the attached Word document. Unfortunately, this file contains macro code that launches this banking Trojan once you double-click the file. As you can see, a couple of clicks, or even a single click on the wrong content, can start up an infection as dangerous as this Trojan. Therefore, we advise you to think twice before opening suspicious or questionable e-mails, let alone their attachments. If you are in doubt, you can always contact the sender to check whether this mail and its content were meant for you. It may already be too late, but you need to delete Trojan Vawtrak the moment you realize it is present.

How does Trojan Vawtrak work?

This infection uses three files to initiate its attack. After opening the infectious .docx file, you are tricked into believing that you need to enable macros, since otherwise you cannot see the content of the document. Even though there is a security warning in the top-left corner, you will most likely enable macros because all you can see is unreadable characters. Once you allow macros, two things happen: the document changes into a readable, made-up invoice, and the malicious code starts working. This is when the three files are dropped onto your system. In order of execution, these are: a batch file, a .VBS file, and a PowerShell script. After going through this chain, Trojan Vawtrak arrives and starts its attack against your personal data.

This banking Trojan mostly targets the biggest banks, such as Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan, through different methods, including site injections, screenshots, and grabbing. No sensitive information is safe anymore once this infection has set foot on your system. It can also target major e-mail providers, online shops, and social networking websites to retrieve your account information (user names and passwords). Cyber criminals can use the collected information to commit all kinds of online fraud. If you understand the danger in all these scenarios, we hope that you will not hesitate to act and remove Trojan Vawtrak from your system.

How to delete Trojan Vawtrak

The only difficulty that emerges when it comes to eliminating Trojan Vawtrak is that it uses a random name for its folder and random names for its files, which also carry random extensions. So it may be a bit tricky for inexperienced users to detect it and locate the malicious folder. We have included a guide that should help you with the necessary steps if you decide to go after this beast barehanded, i.e., manually. However, if you are not the manual type of user, you may prefer an automated solution, which is more efficient after all. Therefore, we recommend that you use a professional malware removal tool to safeguard your PC from all possible malware attacks. If you have any questions regarding how to delete Trojan Vawtrak, please leave us a comment below.

Remove Trojan Vawtrak from Windows

  1. Tap Win+E.
  2. Locate and delete the malicious .docx file you downloaded from the spam mail.
  3. Delete these suspicious random-name folders:
    %AllUsersProfile%\{random folder name}\
    %AllUsersProfile%\Application Data\{random folder name}\ (Windows XP)
  4. Empty the Recycle Bin and reboot your system.
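Because the folder and file names are random, step 3 above is the hard part to do by eye. The following PowerShell script is an added example (not part of the original guide or any vendor tool) that lists candidate folders under %AllUsersProfile% (and the Windows XP "Application Data" path) whose names look random and whose files carry uncommon extensions; the name heuristic and the extension allow-list are assumptions made for this example. It only reports, so you can review each hit before deleting anything.

```powershell
# Added example: report (do not delete) random-looking folders with
# oddly-named files under the locations named in the removal guide.

$Roots = @(
    $env:ALLUSERSPROFILE,
    (Join-Path $env:ALLUSERSPROFILE 'Application Data')   # Windows XP layout
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Extensions a legitimate program-data folder is expected to contain.
# Anything else counts as a "random extension" (assumption for this heuristic).
$KnownExt = @('.exe', '.dll', '.txt', '.log', '.ini', '.xml', '.json', '.dat',
              '.db', '.lnk', '.cfg', '.config', '.bin', '.cab', '.msi', '.tmp')

function Test-RandomName {
    param([string]$Name)
    # Heuristic (assumed): 6+ alphanumeric characters and either no vowels,
    # three or more digits, or a pure hex string. Ordinary vendor names pass.
    if ($Name.Length -lt 6 -or $Name -notmatch '^[A-Za-z0-9]+$') { return $false }
    $vowels = ([regex]::Matches($Name, '[aeiouAEIOU]')).Count
    $digits = ([regex]::Matches($Name, '[0-9]')).Count
    return ($vowels -eq 0) -or ($digits -ge 3) -or ($Name -match '^[0-9A-Fa-f]{8,}$')
}

foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-RandomName $_.Name } |
        ForEach-Object {
            $dir = $_
            # Files whose extension is not on the allow-list are the tell-tale sign.
            $odd = Get-ChildItem -LiteralPath $dir.FullName -File -Force -Recurse `
                       -ErrorAction SilentlyContinue |
                   Where-Object { $KnownExt -notcontains $_.Extension.ToLower() }
            if ($odd) {
                [PSCustomObject]@{
                    Folder   = $dir.FullName
                    Created  = $dir.CreationTime
                    OddFiles = ($odd | Select-Object -First 5 -ExpandProperty Name) -join ', '
                }
            }
        }
}
```

Run it from an elevated PowerShell prompt; a folder created around the time the spam attachment was opened, containing files with meaningless extensions, is the one the removal guide is talking about.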
