TSPY_FAREIT.UHBADEY

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible. It deletes itself after execution.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops and executes the following files:

• %User Temp%\{random numbers}.bat - this will delete the initially executed copy

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\WinRAR
HWID = {hex values}

Download Routine

This Trojan Spy accesses the following websites to download files:

• http://{BLOCKED}erson.cf/office/bass/shit.exe

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan Spy attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBIT
• Adobe
• BitKinex
• BlazeFtp
• Bullet Proof FTP
• CoffeeCup Software
• Core FTP
• Cryer WebSitePublisher
• CuteFTP
• CuteFTP Lite
• CuteFTP Pro
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTP Now
• FTPGetter
• FTPRush
• FTPShell
• Far Manager
• FastTrack FTP
• FileZilla
• FireFTP
• FlashFXP 3
• FlashFXP 4
• FreshFTP
• Frigate3
• GPSoftware Directory Opus
• Ghisler Total Commander
• Global Downloader
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GoFTP
• INSoftware NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• MAS-Soft FTPInfo
• MS IE FTP
• Martin Prikryl WinSCP
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang
• NexusFile
• Nico Mak Computing WinZip
• Notepad++ NppFTP
• Odin Secure FTP Expert
• Opera Software
• RhinoSoft FTP Voyager
• Robo-FTP 3.7
• SFTP
• SimonTatham PuTTY
• SmartFTP
• SoftX FTP Client
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WinFtp Client

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Username
• Password
• User ID
• Host Address
• Directory List
• Port Number
• Terminal Type
• Server Name
• Server Type

It attempts to steal stored email credentials from the following:

• Microsoft Windows Live Mail
• Poco Systems Pocomail
• IncrediMail
• Microsoft Windows Mail
• Becky! Internet Mail - RimArts Inc.
• The Bat! BatMail
• Microsoft Outlook
• Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• ChromePlus
• Chromium
• Comodo
• Epic
• FastStone Browser
• Flock
• Google Chrome
• Internet Explorer
• K-Meleon
• MapleStudio ChromePlus
• Mozilla Firefox
• Mozilla SeaMonkey
• Nichrome
• Opera
• RockMelt
• Yandex

It uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• 000000
• 1111
• 11111
• 111111
• 123123
• 123321
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 123abc
• 123qwe
• 1q2w3e
• 654321
• 666666
• 7777
• 7777777
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• austin
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• biteme
• blahblah
• blessed
• blessing
• blink182
• buster
• canada
• charlie
• cheese
• chicken
• chris
• christ
• compaq
• computer
• cookie
• cool
• corvette
• creative
• dakota
• daniel
• diamond
• digital
• dragon
• eminem
• enter
• faith
• flower
• foobar
• football
• forever
• forum
• freedom
• friends
• fuckyou
• fuckyou1
• gateway
• genesis
• george
• ginger
• google
• grace
• guitar
• hahaha
• hannah
• happy
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hunter
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jennifer
• jessica
• jesus
• jesus1
• john316
• jordan
• joseph
• joshua
• junior
• justin
• killer
• knight
• letmein
• london
• looking
• love
• lovely
• lucky
• maggie
• master
• matrix
• matthew
• merlin
• michael
• michelle
• mickey
• monkey
• mother
• muffin
• mustang
• myspace1
• nicole
• nintendo
• nothing
• online
• orange
• pass
• passw0rd
• password
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• princess
• purple
• qazwsx
• qwerty
• qwerty1
• rachel
• rainbow
• richard
• robert
• rotimi
• samantha
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• summer
• sunshine
• superman
• taylor
• test
• testing
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• winner
• wisdom

Other Details

This Trojan Spy connects to the following website to send and receive information:

• http://{BLOCKED}erson.cf/office/bass/gate.php

However, as of this writing, the said sites are inaccessible.

It deletes itself after execution.