Win32/PSW.Papras [Threat Name] go to Threat
Win32/PSW.Papras.CX [Threat Variant Name]
| Category | trojan |
| Size | 268288 B |
| Aliases | Trojan-PSW.Win32.Tepfer.tfyz (Kaspersky) |
| Backdoor:Win32/Vawtrak.A (Microsoft) | |
| TR/PSW.Papras.CX.2 (Avira) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
The trojan does not create any copies of itself.
The trojan is usually a part of other malware.
The trojan is usually found in the following folder:
- %commonappdata%
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%malwarefilename%" = "regsvr32.exe "%commonappdata%\%malwarefilename%.dat""
A string with variable content is used instead of %malwarefilename% .
The trojan creates and runs a new thread with its own program code in all running processes except the following:
- csrss.exe
- dwm.exe
- lsass.exe
- lsm.exe
- services.exe
- smss.exe
- svchost.exe
- taskhost.exe
- wininit.exe
- winlogon.exe
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\AppDataLow\{%variable1%}]
- "{%variable2%}" = %variable3%
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "NoProtectedModeBanner" = 1
- "TabProcGrowth" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "2500" = 3
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
- "DefaultLevel" = 262144
- "TransparentEnabled" = 1
- "PolicyScope" = 0
- "ExecutableTypes" = "WSC VB URL SHS SCR REG PIF PCD OCX MST MSP MSI MSC MDE MDB LNK ISP INS INF HTA HLP EXE CRT CPL COM CMD CHM BAT BAS ADP ADE"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{%variable4%}]
- "SaferFlags" = 0
- "ItemData" = "%folder%\%programfolder%"
A string with variable content is used instead of %variable1-4% . The %folder% is one of the following strings:
- %systemvolume%\Documents and Settings\All Users\Application Data\
- %systemvolume%\Program Files (x86)\
- %systemvolume%\Program Files\
The %programfolder% is one of the following strings:
- AVAST Software
- AVG
- Agnitum
- Alwil Software
- AnVir Task Manager
- Anti-Malware
- ArcaBit
- Avira
- Avira GmbH
- BitDefender
- BlockPost
- Common Files\Doctor Web
- Common Files\G DATA
- Common Files\P Tools
- Common Files\Symantec Shared
- DefenseWall
- DefenseWall HIPS
- Doctor Web
- DrWeb
- ESET
- FRISK Software
- G DATA
- K7 omputing
- Kaspersky Lab
- Kaspersky Lab Setup Files
- Lavasoft
- Malwarebytes
- McAfee
- McAfee.com
- Microsoft Security Client
- Microsoft Security Essentials
- Microsoft\Microsoft Antimalware
- Norton AntiVirus
- Online Solutions
- P Tools
- P Tools Internet Security
- Panda Security
- Positive Technologies
- Sandboxie
- Security Task Manager
- Spyware Terminator
- Sunbelt Software
- Symantec
- Trend Micro
- UAenter
- Vba32
- Xore
- Zillya Antivirus
- a-squared Anti-Malware
- a-squared HiJackFree
- avg8
- f-secure
- :\Documents and Settings\NetworkService\Local Settings\Application Data\F-SecureF-Secure Internet Security
Information stealing
Win32/PSW.Papras.CX is a trojan that steals sensitive information.
The trojan collects the following information:
- FTP account information
- login user names for certain applications/services
- login passwords for certain applications/services
- digital certificates
- information about the operating system and system settings
- installed software
- cookies
The trojan collects sensitive information when the user browses certain web sites.
The following programs are affected:
- 32bit FTP
- 3D-FTP
- AceFTP
- Adobe
- ALFTP
- Becky! Internet Mail
- BitKinex
- BlazeFtp
- BulletProof FTP
- Classic FTP
- CoffeeCup Direct FTP / Free FTP
- Core FTP
- CuteFTP
- Cyberduck Browser
- DeluxeFTP
- Directory Opus
- Easy FTP
- Epic Privacy Browser
- FAR Manager
- FastStone Browser
- FFFTP
- FireFTP
- FlashFXP
- Fling FTP
- Flock
- Fresh FTP
- Frigate3
- FTP Commander
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP Now
- FTP Rush
- FTP Surfer
- FTP Voyager
- FTP++
- FTPClient
- FTPInfo
- FTPShell
- Global Downloader
- GoFTP
- Google Chrome
- IncrediMail
- Internet Explorer
- K-Meleon
- LeechFTP
- LinasFTP
- Microsoft Outlook
- Mozilla Firefox
- My FTP
- NetDrive
- NetSarang Xftp
- NexusFile
- Notepad++
- NovaFTP
- Odin Secure FTP Expert
- PocoMail
- PuTTY
- Robo-FTP
- SeaMonkey
- SecureFX
- SmartFTP
- Staff-FTP
- The Bat!
- Thunderbird
- Total Commander
- TurboFTP
- UltraFXP
- Web Site Publisher
- WebDrive
- Windows Commander
- WinFTP
- WinSCP
- WinZip
- Wise-FTP
- WS_FTP
The following services are affected:
- Remote Desktop
- Windows Live Mail
- Windows Mail
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (4) URLs. The TCP, HTTP protocol is used.
It can execute the following operations:
- set up a proxy server
- run executable files
- download files from a remote computer and/or the Internet
- send files to a remote computer
- send the list of running processes to a remote computer
- delete cookies
- shut down/restart the computer
- update itself to a newer version
- uninstall itself
- modify the content of websites
- monitor network traffic
- capture screenshots
The trojan can be used to gain full access to the compromised computer.
The trojan hooks the following Windows APIs:
- Beep (kernel32.dll)
- CallWindowProcA (user32.dll)
- CallWindowProcW (user32.dll)
- CreateProcessA (kernel32.dll)
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- CreateProcessW (kernel32.dll)
- DefDlgProcA (user32.dll)
- DefDlgProcW (user32.dll)
- DefFrameProcA (user32.dll)
- DefFrameProcW (user32.dll)
- DefMDIChildProcA (user32.dll)
- DefMDIChildProcW (user32.dll)
- DefWindowProcA (user32.dll)
- DefWindowProcW (user32.dll)
- DirectSoundCaptureCreate (dsound.dll)
- DirectSoundCaptureCreate8 (dsound.dll)
- DirectSoundCreate (dsound.dll)
- DirectSoundCreate8 (dsound.dll)
- DirectSoundFullDuplexCreate (dsound.dll)
- DirectSoundFullDuplexCreate8 (dsound.dll)
- FlashWindow (user32.dll)
- FlashWindowEx (user32.dll)
- GetAsyncKeyState (user32.dll)
- GetCursorPos (user32.dll)
- GetKeyboardState (user32.dll)
- GetKeyState (user32.dll)
- GetMessageA (user32.dll)
- GetMessagePos (user32.dll)
- GetMessageW (user32.dll)
- GetProcAddress (kernel32.dll)
- HttpEndRequestA (wininet.dll)
- HttpEndRequestW (wininet.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestExA (wininet.dll)
- HttpSendRequestExW (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetConnectA (wininet.dll)
- InternetConnectW (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetQueryOptionA (wininet.dll)
- InternetQueryOptionW (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetSetOptionA (wininet.dll)
- InternetSetOptionA (wininet.dll)
- InternetWriteFile (wininet.dll)
- LoadLibraryA (kernel32.dll)
- LoadLibraryA (kernel32.dll)
- LoadLibraryExA (kernel32.dll)
- LoadLibraryExA (kernel32.dll)
- LoadLibraryExW (kernel32.dll)
- LoadLibraryExW (kernel32.dll)
- LoadLibraryW (kernel32.dll)
- LoadLibraryW (kernel32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
- PlaySoundA (winmm.dll)
- PlaySoundW (winmm.dll)
- PR_Close (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- SetCursorPos (user32.dll)
- sndPlaySoundA (winmm.dll)
- sndPlaySoundW (winmm.dll)
- TlsGetValue (kernel32.dll)
- VirtualProtect (kernel32.dll)
- waveOutOpen (winmm.dll)
- ZwConnectPort (ntdll.dll)
- ZwRaiseHardError (ntdll.dll)
Win32/PSW.Papras.CX is a trojan that interferes with the operation of some security applications.
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\AppDataLow]
The trojan contains both 32-bit and 64-bit program components.