Infostealer.Predapan
First posted on 28 February 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Predapan.
Explanation:
When the Trojan is executed, it copies itself to the following location:
C:\Users\%UserProfile%\Application Data\Roaming\WindowsUpdate.exe
The Trojan may create the following files:
C:\Users\%UserProfile%\Application Data\Roaming\pid.txt
C:\Users\%UserProfile%\Application Data\Roaming\pidlock.txt
%Temp%\holderskypeview
%Temp%\holderprodkey.txt
%Temp%\holderwb.txt
%Temp%\holdermail.txt
The Trojan may modify the following file:
%System%\drivers\etc\hosts
The Trojan may set the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "1"
The Trojan may create the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update: C:\Users\%UserProfile%\Application Data\Roaming\WindowsUpdate.exe
The Trojan displays an error message to hide its presence and convince the user the file is corrupted when it infects the compromised computer.
Note: The message displays the following:
"Error
Client Version Not Supported"
The Trojan opens a back door, and connects to the following location:
smtp.openmailbox.org
The Trojan may steal the following information from the compromised computer:
Keystrokes
Clipboard data
Screenshots
System information
Minecraft login information
Stored web browser passwords
Stored email passwords
Skype contacts list
The Trojan may steal CD keys stored in the registry for popular Windows games and software, including the following:
Windows OS
Splinter Cell: Chaos Theory
Splinter Cell: Pandora Tomorrow
Call of Duty
Adobe Golive
Nero 7
ACDSystems PicAView
Adobe Photoshop 7
The Trojan may perform the following actions:
Allow the attacker to specify an FTP server to upload stolen data to
Allow the attacker to specify a URL pointing to a PHP script used to upload stolen data
Run files
Modify host files
Send email to the attacker containing confidential information
Use FTP or HTTP to exfiltrate data
Upload stolen data, containing confidential information, to the attacker's FTP
Spread through removable drives
Download potentially malicious files
The Trojan may kill processes related to the following:
Registry
System restore
Msconfig
Command prompt
Task manager
Last update 28 February 2015
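As an added host-triage example (not part of the Symantec write-up), the PowerShell below checks the current user's profile for the file, registry and hosts-file artifacts listed above. It assumes the write-up's "Application Data\Roaming" location corresponds to the user's %APPDATA% folder, and it reports the Explorer "Hidden" value only as a weak indicator because users set that value legitimately.

```powershell
# Added triage script for the Infostealer.Predapan artifacts described above.
# Assumption: "Application Data\Roaming" in the write-up maps to $env:APPDATA.
$findings = @()

# 1. Persistence: a Run value named "Windows Update" pointing at WindowsUpdate.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windows Update']) {
    $value = $run.'Windows Update'
    if ($value -match 'WindowsUpdate\.exe') {
        $findings += "Run value 'Windows Update' -> $value"
    }
}

# 2. Dropped copy of the Trojan and its helper files
$dropped = @(
    (Join-Path $env:APPDATA 'WindowsUpdate.exe'),
    (Join-Path $env:APPDATA 'pid.txt'),
    (Join-Path $env:APPDATA 'pidlock.txt'),
    (Join-Path $env:TEMP 'holderskypeview'),
    (Join-Path $env:TEMP 'holderprodkey.txt'),
    (Join-Path $env:TEMP 'holderwb.txt'),
    (Join-Path $env:TEMP 'holdermail.txt')
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 3. Explorer\Advanced\Hidden = 1 as reported in the write-up (weak indicator on its own)
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 1) { $findings += 'Explorer\Advanced\Hidden = 1 (weak indicator)' }

# 4. hosts file: list every active mapping other than localhost for analyst review
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch 'localhost' } |
        ForEach-Object { $findings += "hosts entry: $_" }
}

# 5. Report
if ($findings.Count -eq 0) { 'No Infostealer.Predapan artifacts found for this user.' }
else { $findings }
```

Run it in the context of the user being examined, since the Run key, %APPDATA% and %TEMP% are all per-user; correlate any hit with outbound SMTP connections to smtp.openmailbox.org in proxy or firewall logs.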