
Trojan.PWS.Papras.4 threatens Windows PCs

February 18, 2014

Primitively designed Trojans constitute a significant portion of the malware received by Doctor Web's virus laboratory for analysis. Complex multi-component programs appear much more rarely. The recently discovered Trojan.PWS.Papras.4 is packed with an impressive array of malignant features and belongs to the latter category of malware. For example, it can steal passwords stored by a variety of applications, transmit data users enter into web forms to criminals and enable them to control the infected machine remotely.

Trojan.PWS.Papras.4 is a Remote Administration Tool (RAT). It allows attackers to access an infected computer without the user's knowledge. The Trojan horse consists of several components, including a dropper that, when launched, extracts another component and, if the current user account provides sufficient privileges, modifies the Windows Registry to ensure that the extracted injector module is launched automatically.

Once the injector is launched, it decompresses the main Trojan modules and injects their code into all the running processes, excluding the few related to Windows’ operation. Trojan.PWS.Papras.4 can infect both 32- and 64-bit processes.

The Trojan runs several modules on an infected computer: one functions as a VNC server; another works as a SOCKS proxy server; a third performs web injections. An additional module (the grabber) transmits to criminals the data users enter into web forms in Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, while the Stealer module acquires passwords stored by dozens of popular applications, including email and FTP clients. Finally, a further module allows criminals to control an infected machine even if it is hidden behind a gateway or firewall. Trojan.PWS.Papras.4 can execute the following remote server commands:

  • Download, save, and launch the specified program;
  • Update the malware;
  • Send cookies from Microsoft Internet Explorer, Mozilla Firefox and Google Chrome to the remote server;
  • Export digital certificates found on the infected PC and send them to the remote server;
  • Transfer the list of running processes to the remote server;
  • Delete cookies on the infected computer;
  • Enable logging;
  • Enable the proxy server;
  • Enable the VNC server;
  • Install the malware update with a digital signature;
  • Launch a program;
  • Write a value in the registry or get a value from the registry;
  • Search files in the infected system.
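The dropper-to-injector chain described above, as added example detection logic that is not Doctor Web's code nor anything from the Trojan: it runs over constructed endpoint telemetry and flags a process that registers a file it has just dropped under a Run key, and an autorun-launched process that then creates remote threads in many other processes. The event schema, the Run-key paths, the threshold and all sample values are assumptions.

```python
from collections import defaultdict

# Assumed Run-key locations; the write-up only says the dropper modifies the
# registry so that the injector is launched automatically.
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
FANOUT_THRESHOLD = 5  # remote threads in this many distinct processes is unusual

def detect_papras_chain(events):
    """Return (pid, reason) findings from a list of event dicts (constructed schema)."""
    # Event types: file_create{pid,path}, reg_set{pid,key,data},
    # process_start{pid,image}, remote_thread{pid,target_pid}.
    created = defaultdict(set)   # pid -> paths it wrote
    autorun = {}                 # pid -> path it registered under a Run key
    image = {}                   # pid -> image path of the process
    targets = defaultdict(set)   # pid -> processes it created threads in
    for ev in sorted(events, key=lambda e: e["time"]):
        t = ev["type"]
        if t == "file_create":
            created[ev["pid"]].add(ev["path"].lower())
        elif t == "reg_set" and ev["key"].lower() in RUN_KEYS:
            autorun[ev["pid"]] = ev["data"].strip('"').lower()
        elif t == "process_start":
            image[ev["pid"]] = ev["image"].lower()
        elif t == "remote_thread":
            targets[ev["pid"]].add(ev["target_pid"])
    findings = []
    for pid, path in autorun.items():
        if path in created[pid]:  # persistence for a file the same process dropped
            findings.append((pid, "registered a file it just dropped for autorun"))
    for pid, tgts in targets.items():
        if len(tgts) >= FANOUT_THRESHOLD:  # injector-style fan-out into many processes
            reason = f"remote threads in {len(tgts)} processes"
            if image.get(pid) in autorun.values():
                reason += " from an autorun-registered dropped file"
            findings.append((pid, reason))
    return findings

# Constructed sample telemetry, not real Papras artefacts.
SAMPLE_EVENTS = [
    {"time": 1, "type": "file_create", "pid": 100, "path": r"C:\Users\u\AppData\Roaming\inj.exe"},
    {"time": 2, "type": "reg_set", "pid": 100, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": r"C:\Users\u\AppData\Roaming\inj.exe"},
    {"time": 3, "type": "process_start", "pid": 200, "image": r"C:\Users\u\AppData\Roaming\inj.exe"},
    *({"time": 4 + i, "type": "remote_thread", "pid": 200, "target_pid": 300 + i} for i in range(6)),
    {"time": 20, "type": "remote_thread", "pid": 400, "target_pid": 401},  # single injection, e.g. a debugger
    {"time": 21, "type": "reg_set", "pid": 500, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": r"C:\Program Files\Vendor\agent.exe"},  # installer, file not dropped here
]
```

Calling `detect_papras_chain(SAMPLE_EVENTS)` flags only pids 100 and 200; the lone remote thread and the installer's Run-key write stay quiet.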

This malignant program poses a severe threat because it has an arsenal of features for stealing sensitive information, which criminals can use to gain unauthorised access to an infected computer and to compromise websites and online accounts. However, Trojan.PWS.Papras.4 is successfully detected and removed by Dr.Web, so its users' computers are well protected against this threat.
