English
Deutsch
Français
Español
Italiano
Home
Virus Info
TR/PSW.Papras.JN
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
TR/PSW.Papras.JN - Trojan
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
TR/PSW.Papras.JN
Date discovered:
27/03/2009
Type:
Trojan
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Low
Damage Potential:
Low to medium
Static file:
Yes
File size:
66.048 Bytes
MD5 checksum:
8c00c01185fd4cb20d8a91b307e7e39f
IVDF version:
7.01.02.228
- Fri, 27 Mar 2009 15:53 (GMT+1)
General
Method of propagation:
• No own spreading routine
Aliases:
• Symantec: Infostealer.Snifula.C
• Kaspersky: Trojan-PSW.Win32.Papras.jn
• F-Secure: Trojan-PSW.Win32.Papras.jn
• Sophos: Troj/Zbot-BS
• Eset: Win32/PSW.Papras trojan
• Bitdefender: Trojan.Inject.UD
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops a file
• Drops a malicious file
• Registry modification
• Steals information
Files
It copies itself to the following location:
•
%WINDIR%
\9129837.exe
It tries to executes the following files:
– Filename:
•
%WINDIR%
\new_drv.sys
Used to hide the process from Task Manager. Detected as:
TR/Rootkit.Gen
– Filename:
•
%malware execution directory%
\abcdefg.bat
This batch file is used to delete a file.
Registry
The following registry key is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "ttool"="
%WINDIR%
\\9129837.exe"
The following registry key is added:
– [HKCU\Software\Microsoft\InetData]
• "k1"=dword:
%hex values%
• "k2"=dword:
%hex values%
• "version"="5"
Backdoor
The following port is opened:
on a random TCP port in order to provide backdoor capabilities.
Contact server:
The following:
• http://91.207.61.**********/cgi-bin/cmd.cgi?user_id=
%number%
&version_id=5&passphrase=
%random character string%
&socks=
%opened port%
&version=
%version number%
&crc=00000000
As a result remote control capability is provided.
Sends information about:
• Hardware
• Opened port
File details
Programming language:
The malware program was written in Delphi.
See a brief description
here
.
Description inserted by Andreas Feuerstein on Wed, 08 Apr 2009 12:36 (GMT+1)
Description updated by Andreas Feuerstein on Wed, 08 Apr 2009 13:28 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
HTML/Crypted.Gen
ADSPY/AdSpy.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/Dldr.Bredolab.AX
APPL/Tool.EvID4226
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info 
Print this page
.gif)
