Trojan Vawtrak Removal Guide

Do you know what Trojan Vawtrak is?

Trojan Vawtrak is a malicious program designed to enter a computer covertly and steal sensitive information such as logins and passwords. You should remove it from your PC as soon as possible, before it steals your valuable information. It is distributed using email spam, and once it is on your computer, it secretly collects sensitive information, which can lead to undesirable consequences because it is set to steal banking-related information in particular. In this article, we will talk about its distribution methods, its functions, and, most importantly, how to get rid of it.

Let us begin with how this malicious program is distributed. It is circulated in much the same way as most ransomware. Note that Trojan Vawtrak is not new; it was first seen in August 2013. Its older versions infected computers by utilizing the Angler exploit kit. In that case, malicious websites sent user web traffic to Angler using HTML, JavaScript or HTTP POST. This newest iteration, however, is distributed using email spam. According to our malware researchers, its developers disguise the emails as legitimate. For example, we have heard of instances where its fake emails were disguised as delivery messages from FedEx or transaction notices from American Airlines.

Note that this Trojan mainly targets the computers of banks, so the email addresses it sends the fake emails to are presumably pre-set. According to our researchers, the banks that it currently targets are Bank of America, Barclays, Citibank, HSBC, Lloyds Bank, and J.P. Morgan. Previous iterations targeted German, British, Swiss, and Japanese banks. So, as you can see, this Trojan is now set to target American banks. However, you can never be sure when Trojan Vawtrak will infect your PC, as it can be reconfigured to target any computer at any time.

In both cases, the emails contain a Microsoft Word file, named as a receipt or a ticket, that is supposed to contain relevant details. If the user opens the file, it says that he/she must enable macros to view the contents of the document. What happens next, however, is an outright computer infection. A batch file is dropped onto the system along with a .VBS file and a PowerShell script. The batch file runs the .VBS file, which in turn runs the PowerShell script. As a result, the PowerShell script downloads Trojan Vawtrak onto your computer.

Our malware analysts think that the use of the batch file, PowerShell file, and VBScript is a method used to bypass the execution policies that Microsoft Windows implements. The VBS file features an ExecutionPolicy bypass. Thus, this Trojan can infect a computer silently because the .VBS file does not need authorization to run.
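The chain described above (Word macro, batch file, .VBS file, then PowerShell started with an ExecutionPolicy bypass) leaves a recognizable parent/child process pattern that defenders can look for. The following detection logic is an added example, not code from the original article; the events, file names and field names are constructed, and it assumes the batch file runs under cmd.exe and the .VBS file under wscript.exe or cscript.exe.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# -ExecutionPolicy Bypass plus the short forms PowerShell accepts (-ep, -ex, -exec).
BYPASS = re.compile(r"[-/](?:ep|ex[a-z]*)\s+bypass\b", re.IGNORECASE)
# Ancestors expected above PowerShell, nearest first (assumed host processes).
STAGES = [{"wscript.exe", "cscript.exe"}, {"cmd.exe"}, {"winword.exe"}]

# Constructed process-creation events; paths and file names are made up.
EVENTS = [
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 100, "ppid": 50, "image": r"C:\Office\WINWORD.EXE", "cmd": "WINWORD.EXE receipt.doc"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c a.bat"},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\System32\wscript.exe", "cmd": "wscript a.vbs"},
    {"pid": 130, "ppid": 120, "image": r"C:\Windows\System32\powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File a.ps1"},
    # Benign look-alike: an administrator running a script by hand.
    {"pid": 200, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\powershell.exe",
     "cmd": "powershell -ep bypass -File admin.ps1"},
]

def name(event):
    """Lower-cased executable name of a process event."""
    return basename(event["image"]).lower()

def ancestry(events, pid):
    """Return the event for pid followed by its parents, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_dropper_chains(events):
    """Flag PowerShell run with a policy bypass under script host <- cmd <- Word."""
    hits = []
    for e in events:
        if name(e) != "powershell.exe" or not BYPASS.search(e["cmd"]):
            continue
        chain = [name(p) for p in ancestry(events, e["pid"])]
        parents = iter(chain[1:])
        # Each stage must appear, in order, somewhere up the parent chain.
        if all(any(p in stage for p in parents) for stage in STAGES):
            hits.append({"pid": e["pid"], "chain": chain[::-1]})
    return hits
```

Real telemetry reuses PIDs, so production logic should key on a process GUID or on PID plus start time rather than on the PID alone.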

Once firmly rooted in your computer, Trojan Vawtrak will spring into action and monitor your computer; it will steal information such as your email credentials. It will also steal information from your web browsers such as Chrome and Firefox. Thus, it might obtain all saved passwords and login names and other important information you might have stored on it. Moreover, it can collect FTP account information. In addition, Trojan Vawtrak can bypass one-time password authentication, and it also has functions such as ATS.

The ATS that is part of this Trojan contains the script that it can inject into your web browser. As a result, this Trojan can interact with the internet browser. Therefore, it is capable of collecting information from targeted websites, such as,,, and so on. It steals this information by taking screenshots or simply obtaining the text and sending it to its server.

Removing Trojan Vawtrak may be a bit tricky because the PowerShell file drops it in randomly named folders such as %AllUsersProfile%\Application Data and %AllUsersProfile%\{random folder name}. For more information, please check the removal instructions presented at the bottom. Needless to say, this malicious application can compromise your computer’s and even your own personal security and privacy, so you must get rid of it. If you find it difficult to delete, then try using SpyHunter, our recommended anti-malware tool.

How to remove this Trojan

  1. While on the desktop, press Windows+E keys.
  2. In the File Explorer’s address bar, enter the following addresses.
    • %AllUsersProfile%\Application Data\{random folder name}\{random filename}.{random file extension}
    • %AllUsersProfile%\{random folder name}\{random filename}.{random file extension}
  3. After successfully navigating and identifying the infection, delete its files.
  4. Empty the Recycle Bin.

In non-techie terms:

Trojan Vawtrak can infect your computer when you have Microsoft Word macros enabled and open a corrupted Word document that is sent in a fake receipt email from various well-known companies. This malware is set to steal your personal information including logins, passwords, and banking credentials. It specifically targets banks, but that might not always be the case. If you want to restore your computer’s security, you have to delete it. We recommend using SpyHunter or our manual instructions.