Virus: TR/PSW.Papras.JN
Date discovered: 27/03/2009
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Low to medium
Static file: Yes
File size: 66,048 bytes
MD5 checksum: 8c00c01185fd4cb20d8a91b307e7e39f
IVDF version: 7.01.02.228 - Friday, March 27, 2009

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Snifula.C
   •  Kaspersky: Trojan-PSW.Win32.Papras.jn
   •  F-Secure: Trojan-PSW.Win32.Papras.jn
   •  Sophos: Troj/Zbot-BS
   •  Eset: Win32/PSW.Papras trojan
   •  Bitdefender: Trojan.Inject.UD


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %WINDIR%\9129837.exe




It tries to execute the following files:

– Filename:
   • %WINDIR%\new_drv.sys
This driver is used to hide the process from Task Manager. Detected as: TR/Rootkit.Gen


– Filename:
   • %malware execution directory%\abcdefg.bat
This batch file is used to delete a file.

Registry
The following registry value is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "ttool"="%WINDIR%\\9129837.exe"



The following registry key is added:

– [HKCU\Software\Microsoft\InetData]
   • "k1"=dword:%hex values%
   • "k2"=dword:%hex values%
   • "version"="5"

Backdoor
A random TCP port is opened in order to provide backdoor capabilities. The chosen port number is reported to the contact server in the socks= parameter of the check-in request below.


Contact server:
The following URL is requested (the server address is masked in this description):
   • http://91.207.61.**********/cgi-bin/cmd.cgi?user_id=%number%&version_id=5&passphrase=%random character string%&socks=%opened port%&version=%version number%&crc=00000000

As a result remote control capability is provided.

Sends information about:
    • Hardware
    • Opened port
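As an added triage example (not code from the Avira description): a Python script that checks a file against the MD5 listed above, flags the dropped file names, and scans proxy-log lines for the cmd.cgi check-in shape, reporting the bot id and the backdoor port carried in socks=. The log line format (timestamp, client, method, URL), the host name c2.example and the log lines themselves are constructed assumptions; because the page masks the real server address, the match keys on the URL path and its parameter set rather than on an IP.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# MD5 of the static sample, as listed in the description above.
PAPRAS_JN_MD5 = "8c00c01185fd4cb20d8a91b307e7e39f"

# Basenames of the files the description says are dropped or executed.
# %WINDIR% and the execution directory vary per host, so only the basename is matched.
DROPPED_BASENAMES = {"9129837.exe", "new_drv.sys", "abcdefg.bat"}

# Check-in shape from the description. The server address is masked on the page,
# so the pattern keys on the cmd.cgi path and its parameter set, not on an IP.
BEACON_RE = re.compile(r"/cgi-bin/cmd\.cgi\?(?P<query>\S+)")
REQUIRED_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}


def is_known_sample(data: bytes) -> bool:
    """True if `data` is exactly the static sample described above (MD5 match)."""
    return hashlib.md5(data).hexdigest() == PAPRAS_JN_MD5


def is_dropped_artifact(path: str) -> bool:
    """True if a Windows path ends in one of the listed dropped-file names."""
    basename = re.split(r"[\\/]", path)[-1].lower()
    return basename in DROPPED_BASENAMES


def parse_beacon(url: str):
    """Return the check-in parameters if `url` matches the Papras.JN beacon
    shape (cmd.cgi with the full parameter set and a sane port), else None."""
    m = BEACON_RE.search(url)
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(m.group("query"), keep_blank_values=True).items()}
    if not REQUIRED_PARAMS.issubset(params):
        return None
    # socks= carries the TCP port the backdoor opened; reject nonsense values.
    if not params["socks"].isdigit() or not 1 <= int(params["socks"]) <= 65535:
        return None
    return {
        "host": urlsplit(url).hostname,
        "user_id": params["user_id"],
        "version": params["version"],
        "socks_port": int(params["socks"]),
    }


def scan_proxy_log(text: str) -> list:
    """Scan 'timestamp client method url' lines (assumed format) for beacons."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields
        hit = parse_beacon(url)
        if hit:
            hit.update(timestamp=ts, client=client)
            hits.append(hit)
    return hits


# Constructed sample log lines (not real traffic; c2.example stands in for the masked address).
SAMPLE_LOG = """\
2009-03-27T10:02:13Z 10.0.0.12 GET http://c2.example/cgi-bin/cmd.cgi?user_id=1234567&version_id=5&passphrase=qzv81ka&socks=41123&version=5&crc=00000000
2009-03-27T10:02:15Z 10.0.0.12 GET http://www.example.com/index.html
2009-03-27T10:02:20Z 10.0.0.30 GET http://www.example.net/cgi-bin/cmd.cgi?user_id=1&foo=bar
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['host']} "
              f"bot {hit['user_id']} v{hit['version']} SOCKS port {hit['socks_port']}")
```

The third constructed line shares the cmd.cgi path but lacks the full parameter set, so it is not reported; requiring all six parameters keeps unrelated CGI traffic out of the hit list. A host that does appear should be checked for the dropped files and the ttool Run value listed above, and the reported SOCKS port blocked at the perimeter.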

File details
Programming language:
The malware program was written in Delphi.

Description inserted by Andreas Feuerstein on Wednesday, April 8, 2009
Description updated by Andreas Feuerstein on Wednesday, April 8, 2009
