Trojan-PSW:W32/Papras.DC

Threat description

Details

CATEGORYMalware
TYPETrojan-PSW
PLATFORMW32

Summary

Trojan-PSW.Win32.Papras.DC steals login credentials and other sensitive information on the compromised system. It also drops and uses a rootkit driver to hide itself. The rootkit driver is detected as Rootkit.Win32.Agent.SZ.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Once executed, the malware creates a copy of itself with the following name in the Windows directory:

  • %windir%\9129837.exe

It creates the following batch file in the current working directory that will be used to delete the original file executed by user:

  • %cwd%\abcdefg.bat

The malware then installs a kernel-mode driver in the Windows directory in order to hide its activities:

  • %windir%\new_drv.sys

The .SYS file is detected as Rootkit.Win32.Agent.SZ.It deletes the following file:

  • %cookies%\index.dat

Papras.DC creates the following process:

  • %windir%\9129837.exe

The following process and files are hidden by the installed rootkit driver:

  • %windir%\9129837.exe
  • %windir%\new_drv.sys

The malware creates the following registry key:

  • HKCU\Software\Microsoft\InetData

The following values are modified:

  • [HKCU\Software\Microsoft\InetData] k1 = 3868AB03
  • [HKCU\Software\Microsoft\InetData] k2 = 438E0B5C
  • [HKCU\Software\Microsoft\InetData] 220
  • [HKLM\System\CurrentControlSet\Services\SharedAccess] Start = 00000004
  • [HKLM\System\CurrentControlSet\Services\wscsvc] Start = 00000004
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] ttool = C:\WINDOWS\9129837.exe

The following functions are hooked in order to steal user information:

  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessA
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • kernel32.dll!CreateProcessW
  • ntoskrnl.exe!NtEnumerateValueKey
  • ntoskrnl.exe!NtQueryDirectoryFile
  • ntoskrnl.exe!NtQuerySystemInformation
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestA
  • wininet.dll!HttpSendRequestW
  • wininet.dll!HttpSendRequestW
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetCloseHandle
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetQueryDataAvailable
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFile
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA
  • wininet.dll!InternetReadFileExA

The malware sniffs for the following information:

  • ICQ, IMAP, FTP, and POP3 logon credentials
  • Information passed through webforms

Papras.DC attempts to establish a connection to the following domain through HTTP in order to pass the stolen information:

  • http://pull.dolcebrava.com

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info