
PWS:Win32/Fareit


First posted on 28 February 2012.
Source: Microsoft

Aliases:

PWS:Win32/Fareit is also known as W32/Suspicious_Gen2.LQDGT (Norman), Trojan.Agent2!ChXpWmXSFdU (VirusBuster), Trojan horse PSW.Agent.AMDQ (AVG), TR/Spy.36352.84 (Avira), Trojan.Heur.DP.cCW@ayhvbjo (BitDefender), Trojan.Packed.21594 (Dr.Web), Trojan.Win32.Agent2.dlvm (Kaspersky), Trj/Lukicsel.A (Panda).

Explanation:

PWS:Win32/Fareit is a family of trojans that steal sensitive information from the affected user's computer and send it to a remote attacker.





Installation

PWS:Win32/Fareit is usually installed to a particular location by other malware, and runs from this location.

For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%\lp\<four hexadecimal digits>\<number>.tmp (for example, %ProgramFiles%\lp\008a\7.tmp), while Rogue:Win32/FakeScanti installs it to %AppData%\dwme.exe and %temp%\dwme.exe, or %AppData%\svhostu.exe and %temp%\svhostu.exe.

When run, it creates a registry entry such as the following:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: <guid> (for example, {FF72229E-611D-4FD5-A025-00C933DAA429})

It may also store information under the registry value HKCU\Software\WinRAR\Client Hash, or in the following file:

%temp%\Client Hash

Some variants delete themselves once they have finished running.



Payload

Steals sensitive information

The malware attempts to retrieve stored website passwords from browsers including Chrome, Firefox, Internet Explorer, and Opera.

It also attempts to steal stored account information, such as server names, port numbers, login IDs and passwords from the following FTP clients or cloud storage programs, if these are installed:

  • 32bit FTP
  • 3D FTP
  • ALFTP
  • BitKinex
  • Blaze FTP
  • BulletProof FTP
  • ClassicFTP
  • Coffee Cup FTP
  • Core FTP
  • CuteFTP
  • Direct FTP
  • Easy FTP
  • ExpanDrive
  • FFFTP
  • FTP++
  • FTP Client
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTPCommander
  • FTP Voyager
  • Far FTP
  • FileZilla
  • FlashFxp
  • FlingFTP
  • Free FTP
  • Frigate FTP
  • LeapFTP
  • Leech FTP
  • NetDrive
  • Opus
  • Robo FTP
  • SecureFX
  • SmartFTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • WS_FTP
  • Web Site Publisher
  • WebDrive
  • WinSCP
  • Windows Commander
  • Wise-FTP by AceBit


It then posts all of this information to a remote server. Examples of servers contacted by the malware include:

  • 178.17.165.42
  • 178.18.243.211
  • 178.238.228.86
  • 46.108.225.50
  • 46.28.107.13
  • 95.143.35.118
  • bingtobing.com
  • domnewsweetnew12312d.ru
  • fnijatodn.cz.cc
  • fokanal.cz.cc
  • f<removed>kingav.com
  • f<removed>kingavast.com
  • gointopka.com
  • klamur.co.cc
  • onlinetumb.com
  • ourdatatransfers.com
  • piwalyzocyluz.com
  • repo-sys-online.com
  • retrydomain.com
  • safaldi.com
  • sceihfub.cz.cc
  • sumatevebat.com
  • teleinero.com
  • TRANSERSDATAFORME.COM
  • winusing.com
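The host artifacts from the Installation section and the server list above are the indicators a defender would actually hunt for. The following Python script is an added example, not part of Microsoft's write-up: it turns those indicators into checks and runs them over a handful of constructed log lines in an assumed `timestamp kind key=value` format (roughly what a Sysmon or proxy export would be normalised to). Domain matching is case-insensitive and accepts subdomains of a listed domain (so `www.BingToBing.com` matches while a look-alike such as `bingtobing.com.evil-lookalike.net` does not), which goes slightly beyond the literal list; the two partially redacted `f<removed>...` domains are left out because the page does not give their full names.

```python
import re

# Network indicators from the write-up. Domains are stored lowercased;
# the two redacted "f<removed>..." entries are intentionally omitted.
C2_DOMAINS = {
    "bingtobing.com", "domnewsweetnew12312d.ru", "fnijatodn.cz.cc",
    "fokanal.cz.cc", "gointopka.com", "klamur.co.cc", "onlinetumb.com",
    "ourdatatransfers.com", "piwalyzocyluz.com", "repo-sys-online.com",
    "retrydomain.com", "safaldi.com", "sceihfub.cz.cc", "sumatevebat.com",
    "teleinero.com", "transersdataforme.com", "winusing.com",
}
C2_IPS = {
    "178.17.165.42", "178.18.243.211", "178.238.228.86",
    "46.108.225.50", "46.28.107.13", "95.143.35.118",
}

# Host artifacts from the Installation section. The log source is assumed to
# have expanded %ProgramFiles%, %AppData% and %temp%, so only the trailing
# path components are matched and the drive/user prefix does not matter.
PATH_PATTERNS = [
    re.compile(r"\\lp\\[0-9a-f]{4}\\\d+\.tmp$", re.I),  # Cycbot drop location
    re.compile(r"\\(dwme|svhostu)\.exe$", re.I),        # FakeScanti drop names
    re.compile(r"\\temp\\client hash$", re.I),          # %temp%\Client Hash
]
REGISTRY_PATTERN = re.compile(r"^HKCU\\Software\\WinRAR\\(HWID|Client Hash)$", re.I)


def domain_indicator(name):
    """Return the listed C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


def ip_indicator(dst):
    """Strip an optional :port from an IPv4 destination and check the C2 IP list."""
    ip = dst.rsplit(":", 1)[0] if dst.count(":") == 1 else dst
    return ip if ip in C2_IPS else None


def path_indicator(path):
    """Return the pattern text of the first drop-location regex that matches, else None."""
    for pat in PATH_PATTERNS:
        if pat.search(path):
            return pat.pattern
    return None


def registry_indicator(key):
    """Return the key if it is one of the documented WinRAR registry values, else None."""
    return key if REGISTRY_PATTERN.search(key) else None


# Event kind -> check applied to the event's value.
CHECKS = {
    "dns": domain_indicator,
    "net": ip_indicator,
    "file": path_indicator,
    "reg": registry_indicator,
}


def scan_log(text):
    """Scan 'timestamp kind key=value' lines; return (line_no, kind, indicator) hits."""
    hits = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        try:
            _ts, kind, rest = line.split(" ", 2)
            _key, value = rest.split("=", 1)  # values may contain spaces
        except ValueError:
            continue  # malformed line: skip rather than crash the scan
        check = CHECKS.get(kind)
        if check is None:
            continue
        indicator = check(value)
        if indicator is not None:
            hits.append((lineno, kind, indicator))
    return hits


# Constructed sample events (assumption: these are not real captured logs).
SAMPLE_LOG = r"""
2012-02-28T09:12:01Z dns query=www.BingToBing.com
2012-02-28T09:12:02Z dns query=bingtobing.com.evil-lookalike.net
2012-02-28T09:12:05Z net dst=178.17.165.42:80
2012-02-28T09:12:06Z net dst=178.17.165.4:443
2012-02-28T09:11:40Z file path=C:\Program Files\lp\008a\7.tmp
2012-02-28T09:11:41Z file path=C:\Users\alice\AppData\Roaming\dwme.exe
2012-02-28T09:11:42Z file path=C:\Users\alice\AppData\Local\Temp\Client Hash
2012-02-28T09:11:43Z reg key=HKCU\Software\WinRAR\HWID
2012-02-28T09:11:44Z reg key=HKCU\Software\WinRAR\Version
2012-02-28T09:11:45Z file path=C:\Program Files\lp\00ga\7.tmp
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s indicator %s" % hit)
```

Run as-is, the script flags six of the ten constructed events: the subdomain of bingtobing.com, the listed IP, the three documented drop paths and the HWID registry value, while ignoring the look-alike domain, the near-miss IP, the unrelated WinRAR value and a path whose four-character directory is not hexadecimal. The registry and path checks are deliberately narrow (exact value names, exact file names) because the write-up gives no broader pattern; widening them is a tuning decision for the environment, not something the page supports.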


Downloads and executes arbitrary files

Some samples of PWS:Win32/Fareit have been observed downloading an additional file, saving it to the %temp% directory, and then executing it. At the time of publishing, these files were variants of PWS:Win32/Zbot.



Analysis by David Wood & Michael Johnson

Last update 28 February 2012
