Win32/PSW.Papras [Threat Name]

Win32/PSW.Papras.CH [Threat Variant Name]

Category trojan
Size 214016 B
Aliases PWS:Win32/Pesut.A (Microsoft)
  Backdoor.Trojan (Symantec)
Short description

Win32/PSW.Papras.CH installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable1%.tmp (69632 B)
  • %commonappdata%\%variable2%.dat (69632 B)

The trojan attempts to load the "%commonappdata%\%variable2%.dat" library and inject it into all running processes.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls]
    • "%variable3%" = "%commonappdata%\%variable2%.dat"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable4%" = "rundll32.exe "%commonappdata%\%variable2%.dat", getInstance 0"

A string with variable content is used in place of %variable1-4%.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
    • "TabProcGrowth" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "2500" = 3

After the installation is complete, the trojan deletes the original executable file.


The trojan contains both 32-bit and 64-bit program components.
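The registry locations listed above (the AppCertDlls load point, the rundll32 Run entry, the Internet Explorer Protected Mode settings and the AppDataLow storage key) are all things an administrator can audit with read-only registry queries. The following PowerShell script is an added example and is not part of the ESET entry; it reports matches against the patterns the entry describes. It assumes the AppDataLow subkey name is GUID-like (the entry only shows it as `{%variable%}`), and it treats any value starting with "PS" as a provider property rather than a data value, which is a simplification.

```powershell
# Added example (not from the ESET entry): read-only audit of the registry
# locations described for Win32/PSW.Papras.CH. Run as the affected user;
# reading the HKLM AppCertDlls key does not require elevation.

$findings = New-Object System.Collections.Generic.List[string]

# 1. AppCertDlls: every DLL listed here is loaded into processes that call
#    CreateProcess*. Legitimate entries are rare, so each value is reported.
$appCert = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if (Test-Path $appCert) {
    $props = Get-ItemProperty -Path $appCert
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... provider properties (simplification).
        if ($p.Name -notmatch '^PS') {
            $findings.Add("AppCertDlls value '$($p.Name)' -> $($p.Value)")
        }
    }
}

# 2. HKCU Run key: rundll32.exe loading a .dat file from CommonAppData
#    matches the second persistence mechanism in the entry.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
if (Test-Path $run) {
    $props = Get-ItemProperty -Path $run
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }
        $v = [string]$p.Value
        if ($v -match '(?i)rundll32' -and $v -match '(?i)\.dat' -and
            $v.IndexOf($commonAppData, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings.Add("Run value '$($p.Name)' -> $v")
        }
    }
}

# 3. Internet Explorer settings the entry lists. Together they hide and
#    disable Protected Mode for the Internet zone (2500 = 3 turns it off).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$zone3  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$checks = @(
    @{ Path = $ieMain; Name = 'NoProtectedModeBanner'; Bad = 1 },
    @{ Path = $ieMain; Name = 'TabProcGrowth';         Bad = 0 },
    @{ Path = $zone3;  Name = '2500';                  Bad = 3 }
)
foreach ($c in $checks) {
    $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $val -and [int]$val -eq $c.Bad) {
        $findings.Add("$($c.Path)\$($c.Name) = $val")
    }
}

# 4. AppDataLow storage key. The entry shows the subkey as {%variable%};
#    a GUID-like name is assumed here.
$adl = 'HKCU:\Software\AppDataLow'
if (Test-Path $adl) {
    Get-ChildItem -Path $adl |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { $findings.Add("AppDataLow subkey $($_.PSChildName)") }
}

if ($findings.Count -eq 0) {
    'No registry indicators matching the Win32/PSW.Papras.CH description found.'
} else {
    $findings
}
```

A hit on the AppCertDlls check alone is worth investigating on any workstation, since that key is almost never populated by legitimate software; the IE values are weaker signals on their own and are most useful when they appear together with one of the two persistence entries.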

Information stealing

Win32/PSW.Papras.CH is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • user name
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • digital certificates
  • contents of files
  • list of running processes
  • screenshots

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 3 URLs and communicates with them over HTTP.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • set up a proxy server
  • shut down/restart the computer
  • send gathered information

The trojan hooks the following Windows APIs:

  • CreateProcessW (kernel32.dll)
  • CreateProcessA (kernel32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetQueryOptionA (wininet.dll)
  • InternetQueryOptionW (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetSetOptionA (wininet.dll)
  • InternetSetOptionW (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • HttpEndRequestA (wininet.dll)
  • HttpEndRequestW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • HttpSendRequestExW (wininet.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • PR_Close (nspr4.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\AppDataLow\{%variable%}]

A string with variable content is used in place of %variable%.
