Threat Description

Trojan-PSW:W32/Papras.DC

Details

Category: Malware
Type: Trojan-PSW
Platform: W32

Summary

Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.



Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details

Once executed, the malware creates a copy of itself with the following name in the Windows directory:

  • %windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

  • %cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

  • %windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.It deletes the following file:

  • %cookies%\index.dat

Papras.DC creates the following process:

  • %windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

  • %windir%\9129837.exe
  • %windir%\new_drv.sys

The malware creates the following registry key:

  • HKCU\Software\Microsoft\InetData

The following values are modified:

  • [HKCU\Software\Microsoft\InetData] k1 = 3868AB03
  • [HKCU\Software\Microsoft\InetData] k2 = 438E0B5C
  • [HKCU\Software\Microsoft\InetData] 220
  • [HKLM\System\CurrentControlSet\Services\SharedAccess] Start = 00000004
  • [HKLM\System\CurrentControlSet\Services\wscsvc] Start = 00000004
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • ntoskrnl.exe!NtEnumerateValueKey
  • ntoskrnl.exe!NtQueryDirectoryFile
  • ntoskrnl.exe!NtQuerySystemInformation
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • wininet.dll!HttpSendRequestW
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

  • ICQ, IMAP, FTP, and POP3 logon credentials
  • Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

  • http://pull.dolcebrava.com





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More

SWITCH ON FREEDOM