February 18, 2014
Trojan.PWS.Papras.4 a Remote Administration Tool program. It allows attackers to access an infected computer without the user's knowledge. The Trojan horse consists of several components which include a dropper that, when launched, extracts another component and, if the current user account provides sufficient privileges, modifies the Windows Registry to ensure that the extracted injector module will be launched automatically.
Once the injector is launched, it decompresses the main Trojan modules and injects their code into all the running processes, excluding the few related to Windows’ operation. Trojan.PWS.Papras.4 can infect both 32- and 64-bit processes.
The Trojan ensures the operation of several modules on an infected computer: one of them functions as a VNC server; another works like a SOCKS proxy server. Another module enables the program to make web injections. An additional module (the grabber) is designed to transmit to criminals the data entered by users in web forms in Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, while the Stealer module acquires passwords stored by dozens of popular applications which include email and FTP clients. Finally, the module allows criminals to control an infected machine, even if it is hidden behind a gateway or firewall. Trojan.PWS.Papras.4 can execute the following remote server commands:
- Download, save, and launch the specified program;
- Update the malware;
- Send cookies from Microsoft Internet Explorer, Mozilla Firefox and Google Chrome to the remote server;
- Export digital certificates found on the infected PC and send them to the remote server;
- Transfer the list of running processes to the remote server;
- Delete cookies on the infected computer;
- Enable logging;
- Enable the proxy server;
- Enable the VNC server;
- Install the malware update with a digital signature;
- Launch a program;
- Write a value in the registry or get a value from the registry;
- Search files in the infected system.
This malignant program poses a severe threat because it has an arsenal of features for stealing sensitive information which can be used by criminals to gain unauthorised access to an infected computer, and compromise websites and online accounts. However Trojan.PWS.Papras.4 is successfully detected and removed by Dr.Web, so its users’ computers are well protected against this threat.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.