|
|
|  |
|
|
|
|
F-Secure Malware Information Pages: Trojan-PSW:W32/Papras.DC

|
|
|
| Radar |
 |
|
|
|
Summary
|
Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system.
It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ. |
|
|
|
Detailed Description
|
Once executed, the malware creates a copy of itself with the following name in the Windows directory:
It creates the following batch file in the current working directory that will be used to delete the original file executed by user:
The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:
The .SYS file is detected as Rootkit.Win32.Agent.SZ.
It deletes the following file:
Papras.DC creates the following process:
The following process and files are hidden by the installed rootkit driver:
- %windir%\9129837.exe
- %windir%\new_drv.sys
The malware creates the following registry key:
- HKCU\Software\Microsoft\InetData
The following values are modified:
- [HKCU\Software\Microsoft\InetData]
k1 = 3868AB03 - [HKCU\Software\Microsoft\InetData]
k2 = 438E0B5C - [HKCU\Software\Microsoft\InetData]
version = 220 - [HKLM\System\CurrentControlSet\Services\SharedAccess]
Start = 00000004 - [HKLM\System\CurrentControlSet\Services\wscsvc]
Start = 00000004 - [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
ttool = C:\WINDOWS\9129837.exe The following functions are hooked in order to steal user information:
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessW
- kernel32.dll!CreateProcessW
- kernel32.dll!CreateProcessW
- ntoskrnl.exe!NtEnumerateValueKey
- ntoskrnl.exe!NtQueryDirectoryFile
- ntoskrnl.exe!NtQuerySystemInformation
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestW
- wininet.dll!HttpSendRequestW
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFileExA
- wininet.dll!InternetReadFileExA
- wininet.dll!InternetReadFileExA
The malware sniffs for the following information:
- ICQ, IMAP, FTP, and POP3 logon credentials
- Information passed through webforms
Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:
- http://pull.dolcebrava.com
|
|
|
|
F-Secure Corporation |
|
|
|
|
|
Last Modified: April 16, 2008
|
|
|
|
|