Win32/PSW.Papras [Threat Name]

Win32/PSW.Papras.CX [Threat Variant Name]

Category trojan
Size 268288 B
Detection created Dec 11, 2013
Detection database version 9534
Aliases Trojan-PSW.Win32.Tepfer.tfyz (Kaspersky)
  Backdoor:Win32/Vawtrak.A (Microsoft)
  TR/PSW.Papras.CX.2 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is usually a part of other malware.


The trojan is usually found in the following folder:

  • %commonappdata%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "regsvr32.exe "%commonappdata%\%malwarefilename%.dat""

A string with variable content is used instead of %malwarefilename%. The .dat file is a DLL: regsvr32.exe loads it and calls its DllRegisterServer export, so the trojan starts without an .exe of its own appearing in the Run key.


The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • csrss.exe
  • dwm.exe
  • lsass.exe
  • lsm.exe
  • services.exe
  • smss.exe
  • svchost.exe
  • taskhost.exe
  • wininit.exe
  • winlogon.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\AppDataLow\{%variable1%}]
    • "{%variable2%}" = %variable3%
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
    • "TabProcGrowth" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3

The Internet Explorer values disable Protected Mode for the Internet zone (value 2500 = 3), suppress the banner that would warn the user about it, and with TabProcGrowth = 0 keep every tab inside the frame process, leaving a single process for the injected code to hook.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    • "DefaultLevel" = 262144
    • "TransparentEnabled" = 1
    • "PolicyScope" = 0
    • "ExecutableTypes" = "WSC VB URL SHS SCR REG PIF PCD OCX MST MSP MSI MSC MDE MDB LNK ISP INS INF HTA HLP EXE CRT CPL COM CMD CHM BAT BAS ADP ADE"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{%variable4%}]
    • "SaferFlags" = 0
    • "ItemData" = "%folder%\%programfolder%"

These are Software Restriction Policy (SRP) settings. DefaultLevel 262144 (0x40000) keeps the default security level at Unrestricted, while each path rule created under the "0" (Disallowed) level blocks execution of everything in the listed security-product folder; Windows then refuses to start those programs, which is how the trojan interferes with security applications.

A string with variable content is used instead of %variable1-4%. The %folder% is one of the following strings:

  • %systemvolume%\Documents and Settings\All Users\Application Data\
  • %systemvolume%\Program Files (x86)\
  • %systemvolume%\Program Files\

The %programfolder% is one of the following strings:

  • AVAST Software
  • AVG
  • Agnitum
  • Alwil Software
  • AnVir Task Manager
  • Anti-Malware
  • ArcaBit
  • Avira
  • Avira GmbH
  • BitDefender
  • BlockPost
  • Common Files\Doctor Web
  • Common Files\G DATA
  • Common Files\P Tools
  • Common Files\Symantec Shared
  • DefenseWall
  • DefenseWall HIPS
  • Doctor Web
  • DrWeb
  • ESET
  • FRISK Software
  • G DATA
  • K7 omputing
  • Kaspersky Lab
  • Kaspersky Lab Setup Files
  • Lavasoft
  • Malwarebytes
  • McAfee
  • McAfee.com
  • Microsoft Security Client
  • Microsoft Security Essentials
  • Microsoft\Microsoft Antimalware
  • Norton AntiVirus
  • Online Solutions
  • P Tools
  • P Tools Internet Security
  • Panda Security
  • Positive Technologies
  • Sandboxie
  • Security Task Manager
  • Spyware Terminator
  • Sunbelt Software
  • Symantec
  • Trend Micro
  • UAenter
  • Vba32
  • Xore
  • Zillya Antivirus
  • a-squared Anti-Malware
  • a-squared HiJackFree
  • avg8
  • f-secure
  • :\­Documents and Settings\­NetworkService\­Local Settings\­Application Data\­F-SecureF-Secure Internet Security

Information stealing

Win32/PSW.Papras.CX is a trojan that steals sensitive information.


The trojan collects the following information:

  • FTP account information
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • digital certificates
  • information about the operating system and system settings
  • installed software
  • cookies

The trojan collects sensitive information when the user browses certain web sites.


The following programs are affected:

  • 32bit FTP
  • 3D-FTP
  • AceFTP
  • Adobe
  • ALFTP
  • Becky! Internet Mail
  • BitKinex
  • BlazeFtp
  • BulletProof FTP
  • Classic FTP
  • CoffeeCup Direct FTP / Free FTP
  • Core FTP
  • CuteFTP
  • Cyberduck Browser
  • DeluxeFTP
  • Directory Opus
  • Easy FTP
  • Epic Privacy Browser
  • FAR Manager
  • FastStone Browser
  • FFFTP
  • FireFTP
  • FlashFXP
  • Fling FTP
  • Flock
  • Fresh FTP
  • Frigate3
  • FTP Commander
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTP Surfer
  • FTP Voyager
  • FTP++
  • FTPClient
  • FTPInfo
  • FTPShell
  • Global Downloader
  • GoFTP
  • Google Chrome
  • IncrediMail
  • Internet Explorer
  • K-Meleon
  • LeechFTP
  • LinasFTP
  • Microsoft Outlook
  • Mozilla Firefox
  • My FTP
  • NetDrive
  • NetSarang Xftp
  • NexusFile
  • Notepad++
  • NovaFTP
  • Odin Secure FTP Expert
  • PocoMail
  • PuTTY
  • Robo-FTP
  • SeaMonkey
  • SecureFX
  • SmartFTP
  • Staff-FTP
  • The Bat!
  • Thunderbird
  • Total Commander
  • TurboFTP
  • UltraFXP
  • Web Site Publisher
  • WebDrive
  • Windows Commander
  • WinFTP
  • WinSCP
  • WinZip
  • Wise-FTP
  • WS_FTP

The following services are affected:

  • Remote Desktop
  • Windows Live Mail
  • Windows Mail

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 4 URLs. The HTTP protocol (over TCP) is used.


It can execute the following operations:

  • set up a proxy server
  • run executable files
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • send the list of running processes to a remote computer
  • delete cookies
  • shut down/restart the computer
  • update itself to a newer version
  • uninstall itself
  • modify the content of websites
  • monitor network traffic
  • capture screenshots

The trojan can be used to gain full access to the compromised computer.


The trojan hooks the following Windows APIs:

  • Beep (kernel32.dll)
  • CallWindowProcA (user32.dll)
  • CallWindowProcW (user32.dll)
  • CreateProcessA (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessW (kernel32.dll)
  • DefDlgProcA (user32.dll)
  • DefDlgProcW (user32.dll)
  • DefFrameProcA (user32.dll)
  • DefFrameProcW (user32.dll)
  • DefMDIChildProcA (user32.dll)
  • DefMDIChildProcW (user32.dll)
  • DefWindowProcA (user32.dll)
  • DefWindowProcW (user32.dll)
  • DirectSoundCaptureCreate (dsound.dll)
  • DirectSoundCaptureCreate8 (dsound.dll)
  • DirectSoundCreate (dsound.dll)
  • DirectSoundCreate8 (dsound.dll)
  • DirectSoundFullDuplexCreate (dsound.dll)
  • DirectSoundFullDuplexCreate8 (dsound.dll)
  • FlashWindow (user32.dll)
  • FlashWindowEx (user32.dll)
  • GetAsyncKeyState (user32.dll)
  • GetCursorPos (user32.dll)
  • GetKeyboardState (user32.dll)
  • GetKeyState (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessagePos (user32.dll)
  • GetMessageW (user32.dll)
  • GetProcAddress (kernel32.dll)
  • HttpEndRequestA (wininet.dll)
  • HttpEndRequestW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetQueryOptionA (wininet.dll)
  • InternetQueryOptionW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetSetOptionA (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • LoadLibraryA (kernel32.dll)
  • LoadLibraryExA (kernel32.dll)
  • LoadLibraryExW (kernel32.dll)
  • LoadLibraryW (kernel32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • PlaySoundA (winmm.dll)
  • PlaySoundW (winmm.dll)
  • PR_Close (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • SetCursorPos (user32.dll)
  • sndPlaySoundA (winmm.dll)
  • sndPlaySoundW (winmm.dll)
  • TlsGetValue (kernel32.dll)
  • VirtualProtect (kernel32.dll)
  • waveOutOpen (winmm.dll)
  • ZwConnectPort (ntdll.dll)
  • ZwRaiseHardError (ntdll.dll)
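
The hook list above is what a responder would verify inside a browser or FTP-client process. The following added example, mine rather than ESET's or the malware's, shows the triage step: compare an export's first bytes on disk with what the process holds, decode the common 32-bit x86 detour stubs, and report where control is redirected. Addresses, module ranges and byte samples are constructed for the demo; a live check would read them from the mapped DLL, the process's module list and ReadProcessMemory, and the 64-bit components would need a separate decoder.

```python
import struct

# Constructed clean prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x1c
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC1C")


def jmp_rel32(from_va, to_va):
    """Build a 'jmp rel32' stub the way a hooking engine would (constructed sample)."""
    return b"\xE9" + struct.pack("<i", to_va - (from_va + 5))


# Assumed virtual addresses of the exports and module ranges (all constructed).
API_VA = {
    "HttpSendRequestA (wininet.dll)": 0x76A01234,
    "PR_Write (nspr4.dll)":           0x6A100500,
    "GetProcAddress (kernel32.dll)":  0x75C1F000,
    "InternetReadFile (wininet.dll)": 0x76A02340,
}
MODULES = [
    (0x76A00000, 0x76B00000, "wininet.dll"),
    (0x6A100000, 0x6A200000, "nspr4.dll"),
    (0x75C00000, 0x75D00000, "kernel32.dll"),
]

ON_DISK = {api: CLEAN_PROLOGUE for api in API_VA}
IN_MEMORY = {
    # jmp rel32 to 0x00402000, a region outside every loaded module
    "HttpSendRequestA (wininet.dll)": jmp_rel32(0x76A01234, 0x00402000) + CLEAN_PROLOGUE[5:],
    # push 0x00403100 ; ret
    "PR_Write (nspr4.dll)": b"\x68" + struct.pack("<I", 0x00403100) + b"\xC3" + CLEAN_PROLOGUE[6:],
    # jmp dword ptr [0x00410000]
    "GetProcAddress (kernel32.dll)": b"\xFF\x25" + struct.pack("<I", 0x00410000) + CLEAN_PROLOGUE[6:],
    # untouched
    "InternetReadFile (wininet.dll)": CLEAN_PROLOGUE,
}


def classify_prologue(mem, va):
    """Decode common 32-bit inline-hook stubs at the start of a function."""
    if len(mem) >= 5 and mem[0] == 0xE9:                 # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":          # jmp dword ptr [abs]
        # target is the pointer slot; the real destination is the dword stored there
        return "jmp_indirect", struct.unpack_from("<I", mem, 2)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:   # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", mem, 1)[0]
    return "unknown_patch", None


def module_for(va):
    for start, end, name in MODULES:
        if start <= va < end:
            return name
    return None  # not backed by a loaded module: typical for injected code


def find_hooks(on_disk, in_memory, api_va, n=8):
    """Report every export whose first n bytes differ between disk and memory."""
    findings = []
    for api, disk_bytes in on_disk.items():
        mem_bytes = in_memory.get(api)
        if mem_bytes is None or mem_bytes[:n] == disk_bytes[:n]:
            continue
        kind, target = classify_prologue(mem_bytes, api_va[api])
        findings.append({
            "api": api,
            "kind": kind,
            "target": target,
            "target_module": module_for(target) if target is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_hooks(ON_DISK, IN_MEMORY, API_VA):
        tgt = "?" if f["target"] is None else f"0x{f['target']:08X}"
        print(f"{f['api']}: {f['kind']} -> {tgt} ({f['target_module'] or 'no module'})")
```

A detour whose target lies in no loaded module is the strongest signal here: it matches the page's description of a thread running the trojan's own code inside the host process rather than a DLL one could see in the module list. Relocations and legitimate hot-patching (mov edi,edi being replaced by a short jump on patched system DLLs) must be accounted for before calling a mismatch malicious.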

Win32/PSW.Papras.CX is a trojan that interferes with the operation of some security applications.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\AppDataLow]

The trojan contains both 32-bit and 64-bit program components.
