PWS:Win32/Fareit.gen!C
First posted on 28 February 2012.
Source: Microsoft
Aliases:
There are no other names known for PWS:Win32/Fareit.gen!C.
Explanation:
PWS:Win32/Fareit.gen!C is a generic detection for a trojan that steals sensitive information from the affected user's computer and sends it to a remote attacker.
Installation
PWS:Win32/Fareit.gen!C is usually installed to a particular location by other malware, and runs from this location.
For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%\lp\<four hexadecimal digits>\<number>.tmp (for example, %ProgramFiles%\lp\008a\7.tmp), while Rogue:Win32/FakeScanti installs it to %AppData%\dwme.exe and %temp%\dwme.exe, or %AppData%\svhostu.exe and %temp%\svhostu.exe.
When run, it creates a registry entry such as the following:
In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: <guid> (for example, {FF72229E-611D-4FD5-A025-00C933DAA429})
It may also store information under the registry value HKCU\Software\WinRAR\Client Hash, or in the following file:
%temp%\Client Hash
Some variants delete themselves once they have finished running.
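The installation artifacts above (the HWID and Client Hash registry values, the %temp%\Client Hash file, and the drop paths used by Cycbot and FakeScanti) can be turned into a host triage check. The following is an added example, not code from Microsoft or from the write-up; it runs over a constructed inventory of registry values and file paths (as a collection tool would export them, with environment variables already expanded) and reports the matches. Because HKCU\Software\WinRAR is also the key a genuine WinRAR install uses, the check keys on the value names the page lists, not on the key alone.

```python
import re

# Registry values named on the page (key, value name). The data of HWID is a GUID.
SUSPECT_REG_VALUES = {
    (r"HKCU\Software\WinRAR", "HWID"),
    (r"HKCU\Software\WinRAR", "Client Hash"),
}
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Drop locations from the page, matched on already-expanded paths:
# %ProgramFiles%\lp\<four hex digits>\<number>.tmp, %AppData%/%temp%\dwme.exe or
# svhostu.exe, and the %temp%\Client Hash file.
FILE_PATTERNS = [
    re.compile(r"^.*\\lp\\[0-9a-f]{4}\\\d+\.tmp$", re.I),
    re.compile(r"^.*\\(dwme|svhostu)\.exe$", re.I),
    re.compile(r"^.*\\Temp\\Client Hash$", re.I),
]

def check_registry(entries):
    """entries: iterable of (key, value_name, data) tuples. Returns finding strings."""
    findings = []
    for key, name, data in entries:
        if (key, name) in SUSPECT_REG_VALUES:
            shape = "guid-shaped" if GUID_RE.match(data) else "non-GUID data"
            findings.append(f"registry {key}\\{name} = {data} ({shape})")
    return findings

def check_files(paths):
    """paths: iterable of expanded file paths. Returns finding strings."""
    return [f"file {p}" for p in paths if any(pat.match(p) for pat in FILE_PATTERNS)]

def triage(entries, paths):
    """Combine both checks; an empty list means none of the page's artifacts were seen."""
    return check_registry(entries) + check_files(paths)

# Constructed sample inventory: two hits from the page, one benign Run value,
# three drop paths from the page and one benign temp file.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\WinRAR", "HWID", "{FF72229E-611D-4FD5-A025-00C933DAA429}"),
    (r"HKCU\Software\WinRAR", "Client Hash", "0123abcd"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\a\OneDrive.exe"),
]
SAMPLE_FILES = [
    r"C:\Program Files\lp\008a\7.tmp",
    r"C:\Users\a\AppData\Roaming\dwme.exe",
    r"C:\Users\a\AppData\Local\Temp\Client Hash",
    r"C:\Users\a\AppData\Local\Temp\notes.txt",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```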
Payload
Steals sensitive information
The malware attempts to retrieve stored website passwords from browsers including Chrome, Firefox, Internet Explorer, and Opera.
It also attempts to steal stored account information, such as server names, port numbers, login IDs and passwords from the following FTP clients or cloud storage programs, if these are installed:
- 32bit FTP
- 3D FTP
- ALFTP
- BitKinex
- Blaze FTP
- BulletProof FTP
- ClassicFTP
- Coffee Cup FTP
- Core FTP
- CuteFTP
- Direct FTP
- Easy FTP
- ExpanDrive
- FFFTP
- FTP++
- FTP Client
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP Now
- FTP Rush
- FTPCommander
- FTP Voyager
- Far FTP
- FileZilla
- FlashFxp
- FlingFTP
- Free FTP
- Frigate FTP
- LeapFTP
- Leech FTP
- NetDrive
- Opus
- Robo FTP
- SecureFX
- SmartFTP
- Total Commander
- TurboFTP
- UltraFXP
- WS_FTP
- Web Site Publisher
- WebDrive
- WinSCP
- Windows Commander
- Wise-FTP by AceBit
It then posts all of this information to a remote server. Examples of servers contacted by the malware include:
Downloads and executes arbitrary files
Some samples of PWS:Win32/Fareit.gen!C have been observed downloading an additional file, saving it to the %temp% directory, and then executing it. At the time of publishing, these files were variants of PWS:Win32/Zbot.
Analysis by David Wood
Last update 28 February 2012