Modified by: Rika Joi Gregorio
ALIASES:

PWS:Win32/Fareit.O (Microsoft), Trojan-PSW.Win32.Tepfer.cqwk (Kaspersky), Win32/PSW.Fareit.A trojan (Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

Tamaño del archivo 147,456 bytes
Tipo de archivo EXE
Residente en memoria No
Fecha de recepción de las muestras iniciales 06 Dec 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %User Profile%\%Application Data%\Microsoft\Address Book\winxp.wab

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Application Data\Microsoft\Address Book
  • %User Profile%\Application Data\{random folder name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
{Random}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
(Default) = %User Profile%\Application Data\Microsoft\Address Book\winxp.wab

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\Application Data\{random folder name}\{random}.exe"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\explorer.exe = "%WINDOWS%\explorer.exe:*:Enabled:Windows Explorer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
13575:UDP = "13575:UDP:*:Enabled:UDP 13575"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
11101:TCP = "11101:TCP:*:Enabled:TCP 11101"

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

  • http://{BLOCKED}ng.{BLOCKED}n.de/DFJ.exe
  • http://{BLOCKED}b.com/WtQ.exe
  • http://{BLOCKED}kartemitkreditrahmen.de/7MT.exe

It saves the files it downloads using the following names:

  • %User Profile%\Application Data\{random folder name}\{random}.exe
  • %User Profile%\Application Data\Roaming\{random folder name}\{random}.exe
  • %User Temp%\{random digits}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This Trojan deletes itself after execution.