Win32/Napolar


First posted on 12 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Napolar.

Explanation :

Threat behavior

Installation

Win32/Napolar is spread in Facebook messages that look like image files. The name and icon of the file are designed to lure you into opening it. It can look like the following:



The trojan ensures it runs every time your PC starts by copying itself to <start menu>\Programs\Startup. The file name varies and can be either "lsass.exe" or a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.exe. It hides this file using its rootkit functionality.

Win32/Napolar stops running if it's debugged. It also uses multiple anti-debugging tricks, including:

  • Using a malformed section name that can crash Ollydbg
  • Self-debugging
  • Blocking debugger remote attaching


It injects itself into other processes and hooks the following APIs to implement its user-mode rootkit and to monitor network traffic:

  • Ntdll!NtQueryDirectoryFile
  • Ntdll!NtResumeThread
  • Ntdll!NtSetValueKey
  • Ntdll!DbgUiRemoteBreakin
  • Ws2_32.dll!send


Win32/Napolar uses its rootkit functionality to block changes to the following registry key paths:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components


It creates a directory under %APPDATA% for storing its plugins. The folder can be called SlrPlugins or use a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.

Payload

Win32/Napolar can download and run files, use your PC to perform DDoS attacks, steal your user names and passwords, and serve as a SOCKS proxy.

Downloads and runs files

The trojan injects its code into explorer.exe and tries to connect to a C&C server to report the infection and retrieve commands. We have seen Win32/Napolar connect to:

  • festen.biz
  • www.xzy25.com
  • gotradingcorp.com


The following information is reported:

  • The current user name signed in on your PC
  • Your machine name


Depending on the commands it receives, Win32/Napolar may then:

  • Download and run files, including other malware
  • Perform DDoS attacks
  • Serve as a SOCKS proxy


We have seen Win32/Napolar download the following threats:

  • Worm:Win32/Dorpiex.B
  • Trojan:Win32/Vicenor.gen!B


Steals your sensitive information

Win32/Napolar also monitors network traffic and records your user names and passwords for:

  • FTP
  • POP3
  • Websites

Analysis by Shawn Wang

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    <start menu>\Programs\Startup\lsass.exe
    <start menu>\Programs\Startup\<your PC GUID>.exe, for example, c4277adb-eba1-4da4-fe3c-acd4c4277adb.exe
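A small triage helper, added here as an example and not part of the original write-up, that flags the persistence artifacts described above: lsass.exe or a GUID-named .exe in the Startup folder, and a SlrPlugins or GUID-named folder under %APPDATA%. The function names, the sample listings and the Startup path layout are assumptions of this example.

```python
import os
import re
from typing import Iterable, List, Tuple

# GUID-shaped name stem, e.g. c4277adb-eba1-4da4-fe3c-acd4c4277adb (from the write-up).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
STARTUP_FIXED_NAME = "lsass.exe"   # the real lsass.exe lives in System32, never in Startup
PLUGIN_FIXED_NAME = "slrplugins"


def _is_guid_stem(name: str) -> bool:
    stem, _ = os.path.splitext(name)
    return GUID_RE.match(stem) is not None


def find_napolar_indicators(startup_entries: Iterable[str],
                            appdata_entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (location, name) pairs that match the Napolar persistence artifacts."""
    hits: List[Tuple[str, str]] = []
    for name in startup_entries:
        lower = name.lower()
        if lower == STARTUP_FIXED_NAME or (lower.endswith(".exe") and _is_guid_stem(name)):
            hits.append(("startup", name))
    for name in appdata_entries:
        if name.lower() == PLUGIN_FIXED_NAME or _is_guid_stem(name):
            hits.append(("appdata", name))
    return hits


def scan_host() -> List[Tuple[str, str]]:
    """Live check of the current user's Startup and %APPDATA% folders (Windows only).
    Because the trojan hides its Startup file with its rootkit hooks, listings taken on a
    running infected system may be incomplete; prefer an offline image or clean boot."""
    appdata = os.environ.get("APPDATA", "")
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")

    def listing(path: str) -> List[str]:
        return os.listdir(path) if os.path.isdir(path) else []

    return find_napolar_indicators(listing(startup), listing(appdata))


# Constructed sample listings for demonstration (not taken from a real machine).
SAMPLE_STARTUP = ["desktop.ini", "lsass.exe",
                  "c4277adb-eba1-4da4-fe3c-acd4c4277adb.exe", "OneDrive.lnk"]
SAMPLE_APPDATA = ["Microsoft", "SlrPlugins", "c4277adb-eba1-4da4-fe3c-acd4c4277adb", "Code"]

if __name__ == "__main__":
    for where, name in find_napolar_indicators(SAMPLE_STARTUP, SAMPLE_APPDATA):
        print(f"{where}: {name}")
```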

Last update 12 November 2013
