Trojan-PSW:W32/Papras.DC Description

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

Check for the latest database updates

First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample

After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning

If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Once executed, the malware creates a copy of itself with the following name in the Windows directory:

%windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

%cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

%windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.It deletes the following file:

%cookies%\index.dat

Papras.DC creates the following process:

%windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

%windir%\9129837.exe
%windir%\new_drv.sys

The malware creates the following registry key:

HKCU\Software\Microsoft\InetData

The following values are modified:

[HKCU\Software\Microsoft\InetData] k1 = 3868AB03
[HKCU\Software\Microsoft\InetData] k2 = 438E0B5C
[HKCU\Software\Microsoft\InetData] 220
[HKLM\System\CurrentControlSet\Services\SharedAccess] Start = 00000004
[HKLM\System\CurrentControlSet\Services\wscsvc] Start = 00000004
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

kernel32.dll!CreateProcessA
kernel32.dll!CreateProcessA
kernel32.dll!CreateProcessA
kernel32.dll!CreateProcessW
kernel32.dll!CreateProcessW
kernel32.dll!CreateProcessW
ntoskrnl.exe!NtEnumerateValueKey
ntoskrnl.exe!NtQueryDirectoryFile
ntoskrnl.exe!NtQuerySystemInformation
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestA
wininet.dll!HttpSendRequestW
wininet.dll!HttpSendRequestW
wininet.dll!InternetCloseHandle
wininet.dll!InternetCloseHandle
wininet.dll!InternetCloseHandle
wininet.dll!InternetQueryDataAvailable
wininet.dll!InternetQueryDataAvailable
wininet.dll!InternetQueryDataAvailable
wininet.dll!InternetReadFile
wininet.dll!InternetReadFile
wininet.dll!InternetReadFile
wininet.dll!InternetReadFileExA
wininet.dll!InternetReadFileExA
wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

ICQ, IMAP, FTP, and POP3 logon credentials
Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

http://pull.dolcebrava.com

Trojan-PSW:W32/Papras.DC

Summary

Removal

Automatic action

Suspect a file is incorrectly detected (a False Positive)?

Technical Details