Win32/Napolar is spread in Facebook messages that look like image files. The name and icon of the file are designed to lure you into opening it. It can look like the following:
It runs every time your PC starts by copying itself to <start menu>\Programs\Startup. The file name is uses varies and can be either lsass.exe or a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.exe. It hides this file using its rootkit functionality.
Note that a legitimate Windows file also named lsass.exe exists by default in a different folder.
Win32/Napolar stops running if it’s debugged. It also uses multiple anti-debugging tricks, including:
- Using a malformed section name that can crash Ollydbg
- Blocking debugger remote attaching
It injects itself into other processes and hooks the following user-mode rootkit and network traffic-monitoring APIs:
Win32/Napolar uses its rootkit functionality to block changes to the following registry key paths:
Microsoft\Active Setup\Installed Components
It creates a folder under %APPDATA% for storing its plugins. The folder can be called SlrPlugins or use a random name based on your PC's GUID, for example c4277adb-eba1-4da4-fe3c-acd4c4277adb.
Win32/Napolar can download and runs files, use your PC to do DDoS attacks, steal your user names and password, and serve as a SOCKS proxy.
Downloads and runs files
The troan injects its code into explorer.exe and tries to connect to a C&C server to report infection and retrieve commands. We have seen Win32/Napolar connect to:
The following information is reported:
- The current user name signed in on your PC
- Your machine name
Depending on the commands it receives, Win32/Napolar may then:
- Download and run files, including other malware
- Run DDoS attacks
- Serve as a SOCKS proxy
We have seen Win32/Napolar download the following threats:
Steals your sensitive information
Win32/Napolar also monitors network traffics and records your user names and passwords for
Analysis by Shawn Wang