1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Virus Descriptions
  6. Trojan-PSW:W32/Papras.DC

Trojan-PSW:W32/Papras.DC

Name : Trojan-PSW:W32/Papras.DC
Category:Malware
Type:Trojan-PSW
Platform:W32

Summary

Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system.

It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.

Additional Details

Once executed, the malware creates a copy of itself with the following name in the Windows directory:

  • %windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

  • %cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

  • %windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.

It deletes the following file:

  • %cookies%\index.dat

Papras.DC creates the following process:

  • %windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

  • %windir%\9129837.exe
  • %windir%\new_drv.sys

The malware creates the following registry key:

  • HKCU\Software\Microsoft\InetData

The following values are modified:

  • [HKCU\Software\Microsoft\InetData]
k1 = 3868AB03
  • [HKCU\Software\Microsoft\InetData]
k2 = 438E0B5C
  • [HKCU\Software\Microsoft\InetData]
version = 220
  • [HKLM\System\CurrentControlSet\Services\SharedAccess]
Start = 00000004
  • [HKLM\System\CurrentControlSet\Services\wscsvc]
Start = 00000004
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • ntoskrnl.exe!NtEnumerateValueKey
  • ntoskrnl.exe!NtQueryDirectoryFile
  • ntoskrnl.exe!NtQuerySystemInformation
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • wininet.dll!HttpSendRequestW
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

  • ICQ, IMAP, FTP, and POP3 logon credentials
  • Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

  • http://pull.dolcebrava.com