Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Once executed, the malware creates a copy of itself with the following name in the Windows directory:
It creates the following batch file in the current working directory, which is used to delete the original file executed by the user:
The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:
The .SYS file is detected as Rootkit.Win32.Agent.SZ. It deletes the following file:
Papras.DC creates the following process:
The following process and files are hidden by the installed rootkit driver:
The malware creates the following registry key:
The following values are modified:
The following functions are hooked in order to steal user information:
The malware sniffs for the following information:
Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information: