Padodor is a trojan designed to steal credit card numbers, login credentials, and other sensitive data. It infects machines in several ways: drive-by downloads, malicious email attachments, external media, fake updates, programs posing as fake virus removal tools, and malicious documents spread on peer-to-peer file sharing networks. The trojan copies itself to the Windows System folder with a random 8-character filename and a .exe extension. The naming convention is either 1 uppercase letter followed by 7 lowercase letters, such as Toizjrsu.exe, or 1 uppercase letter followed by 5 lowercase letters and the number 32, such as Toizjr32.exe. The trojan also drops a DLL file to the Windows System folder with a random 8-character filename in the same format. The DLL file is the starter for the executable file and contains the name of the dropped trojan file. The DLL is loaded every time Windows starts and it activates the trojan's file. It creates a mutex and checks for it at startup to prevent loading multiple copies of itself to the memory. When the trojan is active, it searches for particular text strings in Internet Explorer. If any are found, it tracks the credentials entered by the user and saves it to a DLL file in the Windows System folder. Padodor also has the ability to display a fake webform requesting credit card information. The collected data is saved to a separate DLL file in the Windows System folder. The trojan creates an HTML file where it copies the stolen data, opens it with Internet Explorer, and submits it to a randomly selected website. It then creates an HTML file with a special script and browses internet cache files. If infected, users should run an anti-malware program and clean the Windows registry to remove the trojan from the system.

Technical Details

  • F-Secure provides technical details on the Padodor trojan, available here.