Summary
Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Once executed, the malware creates a copy of itself with the following name in the Windows directory:
- %windir%\9129837.exe
It creates the following batch file in the current working directory that will be used to delete the original file executed by user:
- %cwd%\abcdefg.bat
The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:
- %windir%\new_drv.sys
The .SYS file is detected as Rootkit.Win32.Agent.SZ.It deletes the following file:
- %cookies%\index.dat
Papras.DC creates the following process:
- %windir%\9129837.exe
The following process and files are hidden by the installed rootkit driver:
- %windir%\9129837.exe
- %windir%\new_drv.sys
The malware creates the following registry key:
- HKCU\Software\Microsoft\InetData
The following values are modified:
- [HKCU\Software\Microsoft\InetData] k1 = 3868AB03
- [HKCU\Software\Microsoft\InetData] k2 = 438E0B5C
- [HKCU\Software\Microsoft\InetData] 220
- [HKLM\System\CurrentControlSet\Services\SharedAccess] Start = 00000004
- [HKLM\System\CurrentControlSet\Services\wscsvc] Start = 00000004
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] ttool = C:\WINDOWS\9129837.exe
The following functions are hooked in order to steal user information:
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessA
- kernel32.dll!CreateProcessW
- kernel32.dll!CreateProcessW
- kernel32.dll!CreateProcessW
- ntoskrnl.exe!NtEnumerateValueKey
- ntoskrnl.exe!NtQueryDirectoryFile
- ntoskrnl.exe!NtQuerySystemInformation
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestA
- wininet.dll!HttpSendRequestW
- wininet.dll!HttpSendRequestW
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetCloseHandle
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetQueryDataAvailable
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFile
- wininet.dll!InternetReadFileExA
- wininet.dll!InternetReadFileExA
- wininet.dll!InternetReadFileExA
The malware sniffs for the following information:
- ICQ, IMAP, FTP, and POP3 logon credentials
- Information passed through webforms
Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:
- http://pull.dolcebrava.com
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.