Select local site

| Japanese | Simplified Chinese | Traditional Chinese (Hong Kong) | Traditional Chinese (Taiwan)

F-Secure Malware Information Pages: Trojan-PSW:W32/Papras.DC
[Summary] | [Detailed Description]

Name : Trojan-PSW:W32/Papras.DC
Alias:Trojan-PSW.Win32.Papras.dc
Type:Trojan-PSW
Category:Malware
Platform:W32
Radar

Summary
Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system.

It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.
Back to the Top

Detailed Description
Once executed, the malware creates a copy of itself with the following name in the Windows directory:

  • %windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

  • %cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

  • %windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.

It deletes the following file:

  • %cookies%\index.dat

Papras.DC creates the following process:

  • %windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

  • %windir%\9129837.exe
  • %windir%\new_drv.sys

The malware creates the following registry key:

  • HKCU\Software\Microsoft\InetData

The following values are modified:

  • [HKCU\Software\Microsoft\InetData]
    k1 = 3868AB03
  • [HKCU\Software\Microsoft\InetData]
    k2 = 438E0B5C
  • [HKCU\Software\Microsoft\InetData]
    version = 220
  • [HKLM\System\CurrentControlSet\Services\SharedAccess]
    Start = 00000004
  • [HKLM\System\CurrentControlSet\Services\wscsvc]
    Start = 00000004
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • ntoskrnl.exe!NtEnumerateValueKey
  • ntoskrnl.exe!NtQueryDirectoryFile
  • ntoskrnl.exe!NtQuerySystemInformation
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • wininet.dll!HttpSendRequestW
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

  • ICQ, IMAP, FTP, and POP3 logon credentials
  • Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

  • http://pull.dolcebrava.com
Back to the Top



F-Secure Corporation

Last Modified: April 16, 2008