Trojan-PWS.Win32.Papras

Postby AlphaCentauri » Sun Mar 15, 2009 9:08 am

This is the first time I've seen this malware name come up. I'm getting a lot of Facebook spoof spam that leads to a website that tries to download Adobe_Player11.exe by meta refresh.

Virustotal.com is down, but Jotti shows a very poor detection rate:
Scan taken on 15 Mar 2009 12:47:02 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-PSW:W32/Papras.DL, Trojan-PSW.Win32.Papras.jg
Ikarus Found Trojan-PWS.Win32.Papras
Kaspersky Anti-Virus Found Trojan-PSW.Win32.Papras.jg
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found Mal/EncPk-HJ
VirusBuster Found nothing
VBA32 Found Malware-Cryptor.Win32.General.3 (probable variant)

Apparently this trojan is a keylogger to steal passwords and other personal information. It also installs a rootkit to make it extremely difficult to remove (see http://en.wikipedia.org/wiki/Rootkit )

Add: googling the MD5 number, someone posted their virustotal results elsewhere:
<http://www.virustotal.com/analisis/56e5b68e9381464e624ab4d43afb12c1>
File Adobe_Player11.exe received on 03.14.2009 19:36:41 (CET)
Current status: finished
Result: 2/38 (5.26%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.14 -
AhnLab-V3 5.0.0.2 2009.03.13 -
AntiVir 7.9.0.114 2009.03.13 -
Authentium 5.1.0.4 2009.03.14 -
Avast 4.8.1335.0 2009.03.13 -
AVG 8.0.0.237 2009.03.14 -
BitDefender 7.2 2009.03.14 -
CAT-QuickHeal 10.00 2009.03.14 -
ClamAV 0.94.1 2009.03.14 -
Comodo 1056 2009.03.14 -
DrWeb 4.44.0.09170 2009.03.14 -
eSafe 7.0.17.0 2009.03.12 Suspicious File
eTrust-Vet 31.6.6388 2009.03.09 -
F-Prot 4.4.4.56 2009.03.13 -
F-Secure 8.0.14470.0 2009.03.14 -
Fortinet 3.117.0.0 2009.03.14 -
GData 19 2009.03.14 -
Ikarus T3.1.1.45.0 2009.03.14 -
K7AntiVirus 7.10.671 2009.03.14 -
Kaspersky 7.0.0.125 2009.03.14 -
McAfee 5553 2009.03.14 -
McAfee+Artemis 5553 2009.03.14 -
McAfee-GW-Edition 6.7.6 2009.03.13 -
Microsoft 1.4405 2009.03.14 -
NOD32 3935 2009.03.13 -
Norman 6.00.06 2009.03.13 -
nProtect 2009.1.8.0 2009.03.14 -
Panda 10.0.0.10 2009.03.14 -
PCTools 4.4.2.0 2009.03.14 -
Prevx1 V2 2009.03.14 -
Rising 21.20.52.00 2009.03.14 -
Sophos 4.39.0 2009.03.14 Mal/EncPk-HJ
Sunbelt 3.2.1858.2 2009.03.13 -
Symantec 1.4.4.12 2009.03.14 -
TheHacker 6.3.3.0.281 2009.03.13 -
TrendMicro 8.700.0.1004 2009.03.13 -
ViRobot 2009.3.13.1648 2009.03.13 -
VirusBuster 4.6.5.0 2009.03.14 -
MD5...: 803ab2de5e6c00c86f76ea2b60a5ee4f

So a few vendors have added definitions since that was done.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5925
Joined: Thu Mar 01, 2007 3:01 am
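The lure described in this post is a page that hands the browser an executable through a meta refresh. A small checker for that pattern, written as an added example (it is not code from this thread, from Jotti or from VirusTotal), parses HTML with the standard library and reports any refresh whose target ends in an executable suffix. The two HTML snippets are constructed for the example and only imitate the behaviour described above; the filename Adobe_Player11.exe is the one named in the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample imitating the lure described above (not the real page's source).
SAMPLE_HTML = """<html><head><title>Facebook</title>
<meta http-equiv="Refresh" content="0; URL=Adobe_Player11.exe">
</head><body>Loading video...</body></html>"""

# Constructed benign page: a meta refresh to an ordinary HTML document.
BENIGN_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=/news/index.html">
</head><body>Redirecting</body></html>"""

# Suffixes Windows will execute directly when the browser "opens" the download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")

# content="<delay>;url=<target>" with optional whitespace and quotes around the target
REFRESH_CONTENT = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collects (delay_seconds, target) for every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if attributes.get("http-equiv", "").lower() != "refresh":
            return
        match = REFRESH_CONTENT.match(attributes.get("content", ""))
        if match:
            self.refreshes.append((int(match.group(1)), match.group(2).strip()))


def find_meta_refreshes(html):
    """Return every meta refresh in the document as (delay, target)."""
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.refreshes


def refresh_to_executable(html):
    """Return only the refreshes whose target (ignoring a query string) is an executable."""
    hits = []
    for delay, target in find_meta_refreshes(html):
        path = target.lower().split("?", 1)[0]
        if path.endswith(EXECUTABLE_SUFFIXES):
            hits.append((delay, target))
    return hits


if __name__ == "__main__":
    print("lure:", refresh_to_executable(SAMPLE_HTML))
    print("benign:", refresh_to_executable(BENIGN_HTML))
```

Run over a fetched page this gives a cheap first-pass signal for a proxy or mail gateway: a zero-delay refresh straight to an .exe is something a legitimate site almost never does, whereas a refresh to another HTML page is routine.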

Re: Trojan-PWS.Win32.Papras

Postby samsx » Sun Mar 15, 2009 3:00 pm

Hmmm I think it's Gozi (just another phishing trojan with rootkit function).
Are the malicious domains FastFlux hosted with a TTL of 1800?
samsx
Spam Reporter
Posts: 205
Joined: Sun Jul 29, 2007 6:16 am
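samsx asks above whether the domains are fast-flux hosted with a TTL of 1800. The check a defender would run against repeated lookups or passive-DNS data, written here as an added example (not code from this thread or from any tool it names), summarises a series of answers for one hostname and flags the combination that characterises a flux network: a short TTL together with answers that rotate through many addresses spread over several networks. The observations are constructed, use the reserved documentation address ranges, and the /16 grouping stands in for an ASN lookup so that the example runs offline; the thresholds are assumptions, not values from the thread.

```python
import ipaddress

# Constructed DNS observations (not data from the thread): one entry per lookup of
# the same hostname, as (seconds since first lookup, TTL in the answer, A records).
FLUX_LIKE = [
    (0,    1800, ["192.0.2.10", "198.51.100.7", "203.0.113.4"]),
    (1800, 1800, ["192.0.2.10", "198.51.100.22", "203.0.113.9"]),
    (3600, 1800, ["192.0.2.33", "198.51.100.22", "203.0.113.4"]),
    (5400, 1800, ["192.0.2.33", "198.51.100.7", "203.0.113.77"]),
]

# Constructed control: a hostname with one address and a day-long TTL.
STABLE = [
    (0,     86400, ["192.0.2.50"]),
    (86400, 86400, ["192.0.2.50"]),
]


def assess_flux(observations, ttl_max=1800, min_ips=5, min_prefixes=3):
    """Summarise lookups of one hostname and apply a simple fast-flux heuristic.

    Flag the name when every answer carried a TTL of at most ttl_max AND the
    answers, taken together, covered at least min_ips distinct addresses in at
    least min_prefixes distinct /16 networks (an offline stand-in for ASN
    diversity). A handful of servers in one hosting range fails the prefix test;
    a proxy layer built from compromised hosts on many access networks passes it.
    The thresholds are assumptions chosen for this example.
    """
    unique_ips = set()
    prefixes = set()
    max_ttl = 0
    answer_changes = 0
    previous = None
    for _, ttl, records in observations:
        current = frozenset(records)
        max_ttl = max(max_ttl, ttl)
        unique_ips.update(current)
        for addr in current:
            prefixes.add(ipaddress.ip_network(f"{addr}/16", strict=False))
        if previous is not None and current != previous:
            answer_changes += 1
        previous = current
    suspicious = (
        max_ttl <= ttl_max
        and len(unique_ips) >= min_ips
        and len(prefixes) >= min_prefixes
    )
    return {
        "unique_ips": len(unique_ips),
        "prefixes": len(prefixes),
        "max_ttl": max_ttl,
        "answer_changes": answer_changes,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print("flux-like:", assess_flux(FLUX_LIKE))
    print("stable:   ", assess_flux(STABLE))
```

Content-delivery networks also answer with short TTLs and many addresses, so on real data the prefix test should be replaced by an ASN lookup (consumer access networks versus one or two hosting ASNs) and combined with an allowlist of known CDNs; the TTL alone says little, as the reply that follows in the thread points out.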

Re: Trojan-PWS.Win32.Papras

Postby AlphaCentauri » Sun Mar 15, 2009 3:08 pm

samsx wrote:Hmmm I think it's Gozi (just another phishing trojan with rootkit function).
Are the malicious domains FastFlux hosted with a TTL of 1800?


bingo, I was just reporting some bots now -- five seats, primarily North American IP addresses.

Not sure I'd call 1800 "fast" flux, after seeing waledac move three times a second ;)

Here's a live link:
http://facebook.shared.onlineservlet.personalid-xuj1wco84.accountholder.7636player.com/home.htm

supposedly a video of a woman undressing, starting halfway through the process

Re: Trojan-PWS.Win32.Papras

Postby AlphaCentauri » Sun Mar 15, 2009 3:40 pm

Virustotal is back up. Detection is improving: 12/38 at least recognize it as malware.
(I always wonder why AV programs give such specific names to files when they all get different specific names for the same sample.)

Antivirus Result
a-squared Trojan-PWS.Win32.Papras!IK
AhnLab-V3 -
AntiVir -
Authentium -
Avast -
AVG SHeur2.VZA
BitDefender -
CAT-QuickHeal -
ClamAV -
Comodo -
DrWeb -
eSafe Suspicious File
eTrust-Vet -
F-Prot -
F-Secure Trojan-PSW:W32/Papras.DL
Fortinet W32/Papras.JG!tr.pws
GData -
Ikarus Trojan-PWS.Win32.Papras
K7AntiVirus -
Kaspersky Trojan-PSW.Win32.Papras.jg
McAfee -
McAfee+Artemis Generic!Artemis
McAfee-GW-Edition -
Microsoft TrojanSpy:Win32/Ursnif.B
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx1 Medium Risk Malware
Rising -
Sophos Mal/EncPk-HJ
Sunbelt -
Symantec Infostealer
TheHacker -
TrendMicro -
ViRobot -
VirusBuster -
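The first post pasted a 2/38 VirusTotal result and a Jotti result, and this post a 12/38 rescan of the same file; the question in between was which vendors had added definitions in the meantime. As an added example (not code from this thread, from Jotti or from VirusTotal), the parser below reads the three plain-text layouts seen in the thread, computes the detection rate, lists the vendors that newly detect the sample between two scans, and counts the name tokens several vendors agree on, which is a quick way to get a family name out of the differing vendor labels the poster complains about. The report excerpts are constructed subsets of the tables above with the results copied from them; the list of header prefixes and generic tokens is an assumption of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpts following the layouts pasted in this thread (vendor subset;
# the results are the ones shown in the posts above).
EARLY_REPORT = """Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.14 -
AhnLab-V3 5.0.0.2 2009.03.13 -
AVG 8.0.0.237 2009.03.14 -
eSafe 7.0.17.0 2009.03.12 Suspicious File
F-Secure 8.0.14470.0 2009.03.14 -
Kaspersky 7.0.0.125 2009.03.14 -
Microsoft 1.4405 2009.03.14 -
NOD32 3935 2009.03.13 -
Sophos 4.39.0 2009.03.14 Mal/EncPk-HJ
Symantec 1.4.4.12 2009.03.14 -
"""

LATER_REPORT = """Antivirus Result
a-squared Trojan-PWS.Win32.Papras!IK
AhnLab-V3 -
AVG SHeur2.VZA
eSafe Suspicious File
F-Secure Trojan-PSW:W32/Papras.DL
Kaspersky Trojan-PSW.Win32.Papras.jg
Microsoft TrojanSpy:Win32/Ursnif.B
NOD32 -
Sophos Mal/EncPk-HJ
Symantec Infostealer
"""

JOTTI_REPORT = """Scan taken on 15 Mar 2009 12:47:02 (GMT)
AntiVir Found nothing
F-Secure Anti-Virus Found Trojan-PSW:W32/Papras.DL, Trojan-PSW.Win32.Papras.jg
Norman Virus Control Found nothing
Sophos Antivirus Found Mal/EncPk-HJ
"""

# VirusTotal four-column row: vendor, engine version, YYYY.MM.DD, result (may contain spaces)
VT_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Lines that carry no per-vendor result (assumed set for this example).
HEADER_PREFIXES = ("Antivirus", "Scan taken", "File ", "Current status", "Result:", "MD5")
# Name tokens that only say "something was detected", not which family.
GENERIC_TOKENS = {"trojan", "trojanspy", "generic", "suspicious", "file", "malware", "medium", "risk"}


@dataclass
class ScanEntry:
    vendor: str
    result: Optional[str]  # None when the vendor reported nothing


def parse_scan_report(text: str) -> List[ScanEntry]:
    """Parse Jotti ("<vendor> Found <result>") and VirusTotal (4- or 2-column) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue
        if " Found " in line:  # Jotti layout; vendor names may contain spaces
            vendor, _, result = line.partition(" Found ")
            result = result.strip()
            entries.append(ScanEntry(vendor.strip(), None if result.lower() == "nothing" else result))
            continue
        match = VT_ROW.match(line)
        if match:  # VirusTotal four-column layout
            vendor, result = match.group(1), match.group(4).strip()
        else:  # VirusTotal two-column layout: vendor has no spaces, result may
            vendor, _, result = line.partition(" ")
            result = result.strip()
        entries.append(ScanEntry(vendor, None if result in ("", "-") else result))
    return entries


def detection_rate(entries):
    """Return (detections, vendors, percentage rounded to two decimals)."""
    hits = sum(1 for e in entries if e.result)
    pct = round(100.0 * hits / len(entries), 2) if entries else 0.0
    return hits, len(entries), pct


def newly_detecting(earlier, later):
    """Vendors that flag the sample in the later scan but not in the earlier one."""
    before = {e.vendor for e in earlier if e.result}
    after = {e.vendor for e in later if e.result}
    return sorted(after - before, key=str.lower)


def common_family_tokens(entries, min_vendors=2):
    """Count alphabetic tokens of 4+ letters across detection names, per vendor,
    dropping generic words; tokens shared by several vendors suggest the family."""
    counts = Counter()
    for e in entries:
        if not e.result:
            continue
        tokens = {t.lower() for t in re.findall(r"[A-Za-z]{4,}", e.result)} - GENERIC_TOKENS
        counts.update(tokens)
    return {token: n for token, n in counts.items() if n >= min_vendors}


if __name__ == "__main__":
    early, later = parse_scan_report(EARLY_REPORT), parse_scan_report(LATER_REPORT)
    print("early:", detection_rate(early), "later:", detection_rate(later))
    print("added definitions:", newly_detecting(early, later))
    print("shared name tokens:", common_family_tokens(later))
```

On the later excerpt the only token three vendors share is "papras", which is the name this thread is filed under; the Microsoft label Ursnif is the same family under another vendor's name, which token counting cannot know, so the output is a starting point for a lookup rather than an answer.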

Re: Trojan-PWS.Win32.Papras

Postby samsx » Sun Mar 15, 2009 3:44 pm

Well it's definitely Gozi.
The first time I saw it was on October 25th 2008, when it was propagating via spam mail targeting Wachovia customers. It installs a backdoor on a random TCP port and captures HTTP/HTTPS and FTP credentials. The stolen credentials are sent to a dropzone hosted on Ural Industrial Company (formerly known as UATelecom). However, this time the trojan is calling a C&C hosted on HOSTFRESH Hong Kong (58.65.232.17).

I already wrote a few posts about this trojan, but unfortunately they are all in German :oops:

http://www.abuse.ch/?p=616
http://www.abuse.ch/?p=828
http://www.abuse.ch/?p=975
http://www.abuse.ch/?p=987

In January this year the trojan started a massive attack against Swiss internet users by targeting the two most popular online newspapers:
http://www.abuse.ch/?p=1021
http://www.abuse.ch/?p=1012
http://www.abuse.ch/?p=1030