Napolar.A copies itself to <start menu>\Programs\Startup\lsass.exe to make sure it runs every time you start your PC. It hides this file using a rootkit technique, so you might not be able to see it. Note that a legitimate file also named lsass.exe exists by default in <system folder>.
The trojan exits immediately if it detects that it is running under a debugger.
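As an added triage example (not part of the original write-up), the following PowerShell checks every Startup folder on a volume for the persistence artefact described above, an lsass.exe outside <system folder>. It assumes the standard Windows locations for the common and per-user Startup folders and for System32; because the file is hidden with a rootkit technique, a miss on a live host is not conclusive, so the script takes a drive root so it can be pointed at an offline-mounted image.

```powershell
# Added example, not from the Microsoft write-up: look for Napolar.A's persistence copy,
# <start menu>\Programs\Startup\lsass.exe. The only legitimate lsass.exe lives in System32.
# A hit is strong evidence of infection; a miss on a running, infected host proves nothing,
# because the rootkit component hides the file. Rerun from WinRE or against a mounted image.

param(
    # Root of the volume to inspect. Use a mounted offline image when triaging a live
    # infection; a rootkit cannot hide files on a volume whose OS is not running.
    [string]$SystemDrive = $env:SystemDrive
)

$legit     = Join-Path $SystemDrive 'Windows\System32\lsass.exe'
$legitHash = (Get-FileHash -Algorithm SHA256 -Path $legit).Hash

# Common Startup folder plus one per user profile found on the volume.
$startupDirs = @(
    Join-Path $SystemDrive 'ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
)
$startupDirs += Get-ChildItem -Path (Join-Path $SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$findings = foreach ($dir in $startupDirs) {
    $candidate = Join-Path $dir 'lsass.exe'
    # -Force lists hidden/system files; it does not defeat a kernel-level rootkit.
    $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $candidate
    [pscustomobject]@{
        Path            = $candidate
        SizeBytes       = $item.Length
        SHA256          = $hash
        MatchesSystem32 = ($hash -eq $legitHash)   # a copy of the real binary is still misplaced
        SignatureStatus = $sig.Status              # expect NotSigned/HashMismatch for malware
        Signer          = $sig.SignerCertificate.Subject
    }
}

if ($findings) {
    # Any lsass.exe under a Startup folder is wrong regardless of hash or signature.
    $findings | Format-List
} else {
    Write-Output 'No lsass.exe in any Startup folder (not conclusive on a live, infected host).'
}
```

Run it as an administrator so every user's profile is readable; the SHA256 and signer fields are there to feed a ticket or an IOC hunt, not to decide the verdict.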
Downloads other malware
Napolar.A runs in explorer.exe and tries to connect to a command and control server to report infection and get instructions. We have seen it connect to the server www.xzy25.com.
It sends information about your PC, including:
- Current user name
- Machine name
Napolar.A might receive commands to:
- Download malware, including Worm:Win32/Dorpiex.B and Trojan:Win32/Vicenor.gen!B
- Download and run files related to a Tor service, for example upload.tehran98.com/<removed>/uploads/a07fb3d552db59ef1.png
- Inject data into specific network traffic
Napolar.A injects itself into other processes and can hook the following APIs:
The trojan might run a Tor service to hide its network trace using the following files:
Analysis by Shawn Wang