This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects Infostealer.Napolar activity on a compromised machine.
When the Trojan is executed, it creates the following directory:
C:\Documents and Settings\All Users\Application Data\SlrPlugins\
The Trojan may create the following files:
C:\Documents and Settings\All Users\Application Data\tor.bin
C:\Documents and Settings\All Users\Application Data\torrc
The Trojan copies itself to the following path so that it runs every time Windows starts:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lsass.exe
Note: The Trojan hides this file through API hooking, so it may not appear in directory listings taken on the live system.
The Trojan may create the following named pipe:
The Trojan opens a back door, and connects to port 80 on the following domain:
The Trojan may steal the following information and send it to the remote server:
The Trojan may perform the following actions:
Inject malicious code into new processes to track them and hide itself
Steal confidential information from within a browser
Open a browser and load a web page defined by the attacker
Run a Tor service
Download and execute additional malware
Note: The Trojan is heavily packed, which hampers analysis.
- Various Windows platforms
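The following is an added example, not part of the original signature description and not Symantec's detection code. It checks a list of file paths (from a mounted disk image or a process list) against the indicators given above, and goes one step beyond the page by flagging any lsass.exe that does not run from System32 and any executable placed in a Start Menu Startup folder, since both are generic signs of the masquerading technique the Trojan uses. The directory names treated as the legitimate home of lsass.exe and the sample listing are assumptions made for the example.

```python
import ntpath

# Indicators copied from the Infostealer.Napolar description above.
NAPOLAR_IOC_PATHS = {
    "C:\\Documents and Settings\\All Users\\Application Data\\SlrPlugins\\",
    "C:\\Documents and Settings\\All Users\\Application Data\\tor.bin",
    "C:\\Documents and Settings\\All Users\\Application Data\\torrc",
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\lsass.exe",
}

# Assumption: on a standard install the only legitimate lsass.exe lives in System32.
LEGITIMATE_LSASS_DIRS = {"c:\\windows\\system32", "c:\\winnt\\system32"}


def _norm(path: str) -> str:
    """Case-fold and strip a trailing backslash so equal paths compare equal."""
    return ntpath.normpath(path).lower()


NAPOLAR_IOC_NORMALIZED = {_norm(p) for p in NAPOLAR_IOC_PATHS}


def classify_path(path: str) -> list:
    """Return the list of findings for one file or process image path."""
    findings = []
    p = _norm(path)
    if p in NAPOLAR_IOC_NORMALIZED:
        findings.append("napolar-ioc")
    head, name = ntpath.split(p)
    # lsass.exe anywhere but System32 is a process-name masquerade.
    if name == "lsass.exe" and head not in LEGITIMATE_LSASS_DIRS:
        findings.append("lsass-masquerade")
    # Any executable in a Startup folder is an autorun worth reviewing.
    if head.endswith("\\start menu\\programs\\startup") and name.endswith(".exe"):
        findings.append("exe-in-startup-folder")
    return findings


def scan(paths) -> dict:
    """Map every path that produced at least one finding to its findings."""
    report = {}
    for path in paths:
        findings = classify_path(path)
        if findings:
            report[path] = findings
    return report


# Constructed sample listing, as it might come from a mounted image of an XP-era host.
SAMPLE_LISTING = [
    "C:\\WINDOWS\\system32\\lsass.exe",
    "C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\lsass.exe",
    "C:\\Documents and Settings\\All Users\\Application Data\\SlrPlugins\\",
    "C:\\Documents and Settings\\All Users\\Application Data\\torrc",
    "C:\\Users\\bob\\AppData\\Roaming\\lsass.exe",
    "C:\\Program Files\\Foo\\foo.exe",
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LISTING).items():
        print(f"{path}: {', '.join(findings)}")
```

Because the Trojan hides its Startup copy through API hooking, feed the scanner a listing that did not pass through the infected system's hooked APIs: a disk image mounted on a clean host, a boot-environment shell, or a raw MFT parse. The same function applies to the image path of each running process, which catches the masqueraded lsass.exe even if its file is hidden on disk.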