TSPY_FAREIT.ADU

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware executes then deletes itself afterward.

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{random value}"

HKEY_CURRENT_USER\Software\WinRAR
{random GUID} = "{random value}"

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random value}"

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}malta.com/BD8.exe
• http://{BLOCKED}lliez.es/Lw57KzTh.exe
• http://www.{BLOCKED}ubudiyah.ac.id/5b1cgpi.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe - TSPY_ZBOT.SM20

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Information Theft

This spyware attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 3D-FTP
• AceBIT Wise-FTP
• BitKinex
• Bullet Proof FTP
• BulletProof FTP Client
• CoffeeCup FTP
• Cryer Web Site Publisher
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• Far
• Far Manager
• Far2
• FileZilla
• FlashFXP
• FlashPeak BlazeFtp
• FreshFTP
• Frigate3
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTP Now
• FTPClient
• FTPCON
• FTPGetter
• FTPRush
• FTPWare COREFTP
• Ghisler Total Commander
• Ghisler Windows Commander
• Global Downloader
• GlobalSCAPE CuteFTP
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP Pro
• GoFTP
• GPSoftware Directory Opus
• INSoftware NovaFTP
• Ipswitch
• LeapWare LeapFTP
• LeechFTP
• LinasFTP Site Manager
• Martin Prikryl
• MAS-Soft FTPInfo
• My FTP
• NCH Software Classic FTP
• NetDrive
• NetSarang
• Nico Mak Computing WinZip FTP
• RhinoSoft FTP Voyager
• Robo-FTP 3.7
• Simon Tatham PuTTY
• SiteDesigner
• SmartFTP
• SoftX.org FTPClient
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke
• Visicom Media AceFTP
• WinFTP

It attempts to steal stored email credentials from the following:

• BatMail
• IncrediMail
• Outlook
• Poco System Pocomail
• RimArts Becky Internet Mail
• Thunderbird
• Windows Live Mail
• Windows Mail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• ChromePlus
• Chromium
• Epic
• FastStone
• Flock
• Google Chrome
• Internet Explorer
• K-Meleon
• Mozilla Firefox
• Nichrome
• Opera
• RockMelt
• SeaMonkey
• Yandex

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}v.social-neos.eu:8080/ponyb/gate.php
• http://cloud.{BLOCKED}l-neos.eu:8080/ponyb/gate.php
• http://{BLOCKED}n-neos.eu:8080/ponyb/gate.php
• http://quest.{BLOCKED}l-neos.eu:8080/ponyb/gate.php

NOTES:

This spyware uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• 123abc
• 123qwe
• 1q2w3e
• 1q2w3e4r
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angel1
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• assword
• austin
• baby
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• billgates
• biteme
• blabla
• blahblah
• blessed
• blessing
• blink182
• bubbles
• buster
• canada
• cassie
• charlie
• cheese
• chelsea
• chicken
• chris
• christ
• church
• cocacola
• compaq
• computer
• cookie
• cool
• corvette
• creative
• cryptimplus
• dakota
• dallas
• daniel
• danielle
• david
• destiny
• dexter
• diamond
• digital
• dragon
• eminem
• emmanuel
• enter
• faith
• flower
• foobar
• football
• football1
• forever
• forum
• freedom
• friend
• friends
• fuckoff
• fuckyou
• fuckyou1
• gates
• gateway
• genesis
• george
• gfhjkm
• ghbdtn
• ginger
• god
• google
• grace
• green
• guitar
• hahaha
• hallo
• hannah
• happy
• hardcore
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hotdog
• hunter
• ilovegod
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jason
• jasper
• jennifer
• jessica
• jesus
• jesus1
• john
• john316
• jordan
• jordan23
• joseph
• joshua
• junior
• justin
• killer
• kitten
• knight
• letmein
• london
• looking
• love
• lovely
• loving
• lucky
• maggie
• master
• matrix
• matthew
• maverick
• maxwell
• merlin
• michael
• michelle
• mickey
• microsoft
• mike
• monkey
• mother
• muffin
• mustang
• mustdie
• mylove
• myspace1
• nathan
• nicole
• nintendo
• none
• nothing
• onelove
• online
• orange
• pass
• passw0rd
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• praise
• prayer
• prince
• princess
• purple
• qazwsx
• qwert
• qwerty
• qwerty1
• rachel
• rainbow
• red123
• richard
• robert
• rotimi
• samantha
• sammy
• samuel
• saved
• scooby
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• stella
• summer
• sunshine
• superman
• taylor
• test
• testing
• testtest
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• windows
• winner
• wisdom
• zxcvbnm