Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information from the compromised system. It also drops and loads a rootkit driver to hide its own process and files. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.
Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.
Once executed, the malware creates a copy of itself with the following name in the Windows directory:
It creates the following batch file in the current working directory, which is used to delete the original file that the user executed:
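The batch-file self-deletion trick above (a dropper writing a script that deletes the original executable and then itself) is common enough that it is worth detecting generically. The following is an added example, not F-Secure's code and not the batch file Papras.DC actually writes (the page does not reproduce it); the two sample scripts are constructed to illustrate the idiom and a benign cleanup script for comparison. Flagging relies on two signals: a `del` of some file combined with a `del %0` (the script deleting itself), optionally inside an `if exist ... goto` retry loop that waits for the dropper process to exit.

```python
"""Heuristic detector for the "delete the dropper, then delete yourself" batch idiom."""
import re

# Constructed sample modelled on the common self-delete idiom (NOT the real Papras.DC file).
SAMPLE_BATCH = r"""@echo off
:loop
del "C:\Users\victim\Downloads\invoice.exe"
if exist "C:\Users\victim\Downloads\invoice.exe" goto loop
del %0
"""

# Constructed benign build-cleanup script for comparison.
BENIGN_BATCH = r"""@echo off
del /q "C:\Temp\build\*.obj"
echo done
"""

# "del" or "erase" at the start of a line, capturing its arguments.
DEL_RE = re.compile(r'^\s*(?:del|erase)\b\s*(?P<args>.*)$', re.IGNORECASE)
# "if exist <file> goto <label>": the retry loop used to wait until the dropper process exits.
RETRY_LOOP_RE = re.compile(r'^\s*if\s+exist\b.*\bgoto\b', re.IGNORECASE)
# %0 (or %~f0) is the running script's own path, so "del %0" is self-deletion.
SELF_REF_RE = re.compile(r'%(?:~f)?0(?!\w)')


def analyze_batch(text):
    """Return a dict describing delete behaviour found in a batch script."""
    deleted_targets = []
    self_delete = False
    retry_loop = False
    for line in text.splitlines():
        m = DEL_RE.match(line)
        if m:
            args = m.group("args").strip()
            if SELF_REF_RE.search(args):
                self_delete = True
            else:
                deleted_targets.append(args.replace('"', ""))
        if RETRY_LOOP_RE.match(line):
            retry_loop = True
    # A script that removes another file and then itself is the dropper-cleanup pattern;
    # the retry loop strengthens the verdict but is not required.
    suspicious = self_delete and bool(deleted_targets)
    return {
        "self_delete": self_delete,
        "retry_loop": retry_loop,
        "deleted_targets": deleted_targets,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_BATCH), ("benign", BENIGN_BATCH)):
        print(name, analyze_batch(script))
```

The check is deliberately narrow: plenty of legitimate scripts delete files, and a few delete themselves, but the combination of both, especially with a wait-until-gone loop, is what a dropper needs and what a triage tool should surface alongside the path of the file being removed.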
The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:
The .SYS file is detected as Rootkit.Win32.Agent.SZ.
It deletes the following file:
Papras.DC creates the following process:
The following process and files are hidden by the installed rootkit driver:
The malware creates the following registry key:
The following values are modified:
The following functions are hooked in order to steal user information:
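Credential stealers of this kind typically hook user-mode API functions inline, overwriting the first bytes of the function with a jump into the malware's own code. A practical check is to look at the entry bytes of exported functions and flag any whose first instruction transfers control outside the module that exports them. The following is an added example, not F-Secure's code; the module base, size, function names and addresses are constructed for illustration, and the byte patterns are the ordinary x86 encodings (`jmp rel32`, `jmp dword ptr [abs]`, `push imm32; ret`) against the hot-patchable `mov edi,edi; push ebp; mov ebp,esp` prologue found on many 32-bit Windows API functions.

```python
"""Detect inline hooks at function entry points from captured entry bytes (x86, 32-bit)."""
import struct

# Hot-patchable prologue used by many 32-bit Windows API functions:
# mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def make_jmp_rel32(from_addr, to_addr):
    """Encode 'jmp rel32' at from_addr landing on to_addr (used to build the sample)."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def classify_entry(func_addr, entry_bytes):
    """Return (kind, target) for the first instruction at a function entry.

    target is the resolved destination for jmp rel32 and push/ret, and the
    address of the pointer slot for an indirect jmp (the slot must be read to
    find the real destination).
    """
    if entry_bytes[:1] == b"\xe9" and len(entry_bytes) >= 5:
        rel = struct.unpack_from("<i", entry_bytes, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if entry_bytes[:2] == b"\xff\x25" and len(entry_bytes) >= 6:
        return "jmp_indirect", struct.unpack_from("<I", entry_bytes, 2)[0]
    if entry_bytes[:1] == b"\x68" and len(entry_bytes) >= 6 and entry_bytes[5:6] == b"\xc3":
        return "push_ret", struct.unpack_from("<I", entry_bytes, 1)[0]
    if entry_bytes[:5] == CLEAN_PROLOGUE:
        return "clean", None
    return "unknown", None


def find_hooks(module_base, module_size, exports):
    """exports: {name: (address, first_bytes)}. Return a list of suspected hooks."""
    hits = []
    for name, (addr, first_bytes) in exports.items():
        kind, target = classify_entry(addr, first_bytes)
        if kind in ("jmp_rel32", "push_ret", "jmp_indirect"):
            # A redirect that leaves the exporting module is the classic inline hook;
            # for jmp_indirect we can only say where the pointer slot is.
            outside = not (module_base <= target < module_base + module_size)
            hits.append({"name": name, "kind": kind, "target": target, "outside_module": outside})
    return hits


# Constructed sample: a fake 32-bit module with three exports, two of them hooked
# to land in a low (non-module) address where a malware image might be mapped.
MODULE_BASE = 0x76000000
MODULE_SIZE = 0x00200000
SAMPLE_EXPORTS = {
    "HttpSendRequestA": (0x76012340, bytes.fromhex("8BFF558BEC83EC10")),
    "InternetReadFile": (0x76015670, make_jmp_rel32(0x76015670, 0x00401000) + b"\x8b\xec\x83"),
    "InternetConnectA": (0x76018900, b"\x68" + struct.pack("<I", 0x00402000) + b"\xc3\x90\x90"),
}


if __name__ == "__main__":
    for hit in find_hooks(MODULE_BASE, MODULE_SIZE, SAMPLE_EXPORTS):
        print(f"{hit['name']}: {hit['kind']} -> 0x{hit['target']:08x} outside={hit['outside_module']}")
```

On a live system the entry bytes would be read from the process (or compared against the same offsets in the on-disk image); a jump that stays inside the module can be a legitimate compiler or hot-patch stub, so only redirects that leave the module are reported as hooks, and a `jmp_indirect` hit needs one more dereference before the destination can be judged.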
The malware sniffs for the following information:
Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information: