Home > Threat descriptions >

Trojan-PSW:W32/Papras.DC

Classification

Category: Malware

Type: Trojan-PSW

Summary


Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Once executed, the malware creates a copy of itself with the following name in the Windows directory:

  • %windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

  • %cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

  • %windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.It deletes the following file:

  • %cookies%\index.dat

Papras.DC creates the following process:

  • %windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

  • %windir%\9129837.exe
  • %windir%\new_drv.sys

The malware creates the following registry key:

  • HKCU\Software\Microsoft\InetData

The following values are modified:

  • [HKCU\Software\Microsoft\InetData] k1 = 3868AB03
  • [HKCU\Software\Microsoft\InetData] k2 = 438E0B5C
  • [HKCU\Software\Microsoft\InetData] 220
  • [HKLM\System\CurrentControlSet\Services\SharedAccess] Start = 00000004
  • [HKLM\System\CurrentControlSet\Services\wscsvc] Start = 00000004
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • ntoskrnl.exe!NtEnumerateValueKey
  • ntoskrnl.exe!NtQueryDirectoryFile
  • ntoskrnl.exe!NtQuerySystemInformation
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • wininet.dll!HttpSendRequestW
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

  • ICQ, IMAP, FTP, and POP3 logon credentials
  • Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

  • http://pull.dolcebrava.com