Win32/Napolar

Installation

Win32/Napolar is spread in Facebook messages that look like image files. The name and icon of the file are designed to lure you into opening it. It can look like the following:

It runs every time your PC starts by copying itself to <start menu>\Programs\Startup. The file name is uses varies and can be either lsass.exe or a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.exe. It hides this file using its rootkit functionality.

Note that a legitimate Windows file also named lsass.exe exists by default in a different folder.

Win32/Napolar stops running if it’s debugged. It also uses multiple anti-debugging tricks, including:

• Using a malformed section name that can crash Ollydbg
• Self-debugging
• Blocking debugger remote attaching

It injects itself into other processes and hooks the following user-mode rootkit and network traffic-monitoring APIs:

• Ntdll!NtQueryDirectorFile
• Ntdll!NtResumeThread
• Ntdll!NtSetValueKey
• Ntdll!DbgUiRemoteBreakin
• Ws2_32.dll!send

Win32/Napolar uses its rootkit functionality to block changes to the following registry key paths:

• Microsoft\Windows\CurrentVersion\Run
• Microsoft\Windows NT\CurrentVersion\Windows\run
• Microsoft\Windows NT\CurrentVersion\Windows\load
• Microsoft\Windows\CurrentVersion\Policies\Explorer\run
• Microsoft\Windows NT\CurrentVersion\Winlogon
• Microsoft\Active Setup\Installed Components

It creates a folder under %APPDATA% for storing its plugins. The folder can be called SlrPlugins or use a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.

Payload

Win32/Napolar can download and runs files, use your PC to do DDoS attacks, steal your user names and password, and serve as a SOCKS proxy.

Downloads and runs files

The troan injects its code into explorer.exe and tries to connect to a C&C server to report infection and retrieve commands. We have seen Win32/Napolar connect to:

• festen.biz
• xzy25.com
• gotradingcorp.com

The following information is reported:

• The current user name signed in on your PC
• Your machine name

Depending on the commands it receives, Win32/Napolar may then:

• Download and run files, including other malware
• Run DDoS attacks
• Serve as a SOCKS proxy

We have seen Win32/Napolar download the following threats:

• Worm:Win32/Dorpiex.B
• Trojan:Win32/Vicenor.gen!B

Steals your sensitive information

Win32/Napolar also monitors network traffics and records your user names and passwords for

• FTP
• POP3
• Websites

Analysis by Shawn Wang