You have been re-routed to the Trojan:Win32/Napolar.A write up because Trojan%3aWin32%2fNapolar.A has been renamed to Trojan:Win32/Napolar.A


Microsoft security software detects and removes this threat.

This trojan can download other malware, including Worm:Win32/Dorpiex.B and the bitcoin-minerTrojan:Win32/Vicenor.gen!B.

It can be installed on your PC when you click on a link that is sent to you on social media.

Find out ways that malware can get on your PC.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Napolar.A copies itself to <start menu>\Programs\Startup\lsass.exe to make sure it runs every time you start your PC.It hides this file using a rootkit technique so you might not be able to see it. Note that a legitimate file also named lsass.exe exists by default in <system folder>.

The trojan exits immediately if it detects that it is running under a debugger.


Downloads other malware

Napolar.A runs in explorer.exe and tries to connect to a command and control server to report infection and get instructions. We have seen it connect to the server

It sends information about your PC, including:

  • Current user name
  • Machine name

Napolar.A might receive commands to:

  • Download malware, including Worm:Win32/Dorpiex.B and Trojan:Win32/Vicenor.gen!B
  • Download and run files related to a Tor service, for example<removed>/uploads/a07fb3d552db59ef1.png
  • Inject data into specific network traffic
Additional information

Napolar.A injects itself into other processes and can hook the following APIs:

  • Ntdll!NtQueryDirectorFile
  • Ntdll!NtResumeThread
  • Ntdll!NtSetValueKey
  • Ntdll!DbgUiRemoteBreakin
  • Ws2_32.dll!send

The trojan might run a Tor service to hide its network trace using the following files:

Analysis by Shawn Wang


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition: 1.155.1447.0
Latest detected by definition: 1.199.519.0 and higher
First detected on: Aug 03, 2013
This entry was first published on: Aug 03, 2013
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases