Analysis by: Anthony Joe Melgarejo
ALIASES:

Infostealer (McAfee), TR/Kazy.105874 (Antivir)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Canal de infección Downloaded from the Internet, Dropped by other malware

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not drop any other file.

It does not have any downloading capability.

  TECHNICAL DETAILS

Tamaño del archivo 159744 bytes
Tipo de archivo EXE
Residente en memoria Yes
Fecha de recepción de las muestras iniciales 07 Nov 2012
Carga útil Steals information

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Dropping Routine

This spyware does not drop any other file.

Download Routine

This spyware does not have any downloading capability.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}0.{BLOCKED}6.23.100:8080/asp/intro.php
  • http://{BLOCKED}1.{BLOCKED}.235.35:8080/asp/intro.php
  • http://{BLOCKED}9.{BLOCKED}0.221.6:8080/asp/intro.php
  • http://{BLOCKED}0.{BLOCKED}9.13.84:8080/asp/intro.php
  • http://{BLOCKED}1.{BLOCKED}1.168.98:8080/asp/intro.php
  • http://{BLOCKED}0.{BLOCKED}5.150.72:8080/asp/intro.php
  • http://{BLOCKED}9.{BLOCKED}5.134.110:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}8.208.55:8080/asp/intro.php
  • http://{BLOCKED}2.{BLOCKED}0.221.186:8080/asp/intro.php
  • http://{BLOCKED}2.{BLOCKED}7.17.180:8080/asp/intro.php
  • http://{BLOCKED}4.{BLOCKED}2.100.108:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}2.238.18:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}6.208.180:8080/asp/intro.php
  • http://{BLOCKED}0.{BLOCKED}4.58.250:8080/asp/intro.php
  • http://{BLOCKED}2.{BLOCKED}3.189.180:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}3.98.131:8080/asp/intro.php
  • http://{BLOCKE}D2.{BLOCKED}8.49.112:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}0.65.77:8080/asp/intro.php
  • http://{BLOCKED}0.{BLOCKED}8.18.158:8080/asp/intro.php
  • http://{BLOCKED}3.{BLOCKED}2.252.26:8080/asp/intro.php
  • http://{BLOCKED}1.{BLOCKED}3.171.212:8080/asp/intro.php

NOTES:

It attempts to steal stored account information of the following installed FTP clients or File Managers:

  • 32Bit Ftp
  • 3D-FTP
  • BlazeFtp
  • BulletProof FTP
  • Cute FTP
  • CyberDuck
  • Deluxe FTP
  • Easy FTP
  • Estsoft FTP
  • FireFTP
  • FTP CONTROL
  • FTP Commander
  • FTP Explorer
  • FTP Navigator
  • FTP++
  • FTPCON
  • FTPGetter
  • FTPNow
  • FTPRush
  • FTPShell
  • FTPWare COREFTP
  • Far FTP
  • FreshFTP
  • GlobalSCAPE CuteFTP 6 Home
  • GlobalSCAPE CuteFTP 6 Professional
  • GlobalSCAPE CuteFTP 7 Home
  • GlobalSCAPE CuteFTP 7 Professional
  • GlobalSCAPE CuteFTP 8 Home
  • GlobalSCAPE CuteFTP 8 Professional
  • GoFTP
  • NovaFTP
  • Ipswitch WS_FTP
  • LeapWare LeapFTP
  • LeechFTP
  • LinasFTP
  • MAS-Soft FTP
  • NCH Software ClassicFTP
  • Nico Mak Computing WinZip FTP
  • Robo-FTP 3.7
  • SmartFTP
  • SoftX.org FTPClient
  • Sota FFFTP
  • Staff-FTP
  • TurboFTP
  • WinFTP

This spyware uses the following list of user names and passwords to access password-protected locations where the aforementioned information are stored:

  • password
  • phpbb
  • qwerty
  • jesus
  • abc123
  • letmein
  • test
  • love
  • password1
  • hello
  • monkey
  • dragon
  • trustno1
  • iloveyou
  • shadow
  • christ
  • sunshine
  • master
  • computer
  • princess
  • tigger
  • football
  • angel
  • jesus1
  • whatever
  • freedom
  • killer
  • asdf
  • soccer
  • superman
  • michael
  • cheese
  • internet
  • joshua
  • fuckyou
  • blessed
  • baseball
  • starwars
  • purple
  • jordan
  • faith
  • summer
  • ashley
  • buster
  • heaven
  • pepper
  • hunter
  • lovely
  • andrew
  • thomas
  • angels
  • charlie
  • daniel
  • jennifer
  • single
  • hannah
  • qazwsx
  • happy
  • matrix
  • pass
  • aaaaaa
  • amanda
  • nothing
  • ginger
  • mother
  • snoopy
  • jessica
  • welcome
  • pokemon
  • iloveyou1
  • mustang
  • helpme
  • justin
  • jasmine
  • orange
  • testing
  • apple
  • michelle
  • peace
  • secret
  • grace
  • william
  • iloveyou2
  • nicole
  • muffin
  • gateway
  • fuckyou1
  • asshole
  • hahaha
  • poop
  • blessing
  • blahblah
  • myspace1
  • matthew
  • canada
  • silver
  • robert
  • forever
  • asdfgh
  • rachel
  • rainbow
  • guitar
  • peanut
  • batman
  • cookie
  • bailey
  • soccer1
  • mickey
  • biteme
  • hello1
  • eminem
  • dakota
  • samantha
  • compaq
  • diamond
  • taylor
  • forum
  • john316
  • richard
  • blink182
  • peaches
  • cool
  • flower
  • scooter
  • banana
  • james
  • asdfasdf
  • victory
  • london
  • 123qwe
  • startrek
  • george
  • winner
  • maggie
  • trinity
  • online
  • 123abc
  • chicken
  • junior
  • chris
  • passw0rd
  • austin
  • sparky
  • admin
  • merlin
  • google
  • friends
  • hope
  • shalom
  • nintendo
  • looking
  • harley
  • smokey
  • joseph
  • lucky
  • digital
  • thunder
  • spirit
  • bandit
  • enter
  • anthony
  • corvette
  • hockey
  • power
  • benjamin
  • iloveyou!
  • 1q2w3e
  • viper
  • genesis
  • knight
  • qwerty1
  • creative
  • foobar
  • adidas
  • rotimi
  • slayer
  • wisdom
  • praise
  • zxcvbnm
  • samuel
  • mike
  • dallas
  • green
  • testtest
  • maverick
  • onelove
  • david
  • mylove
  • church
  • friend
  • god
  • destiny
  • none
  • microsoft
  • bubbles
  • cocacola
  • jordan23
  • ilovegod
  • football1
  • loving
  • nathan
  • emmanuel
  • scooby
  • fuckoff
  • sammy
  • maxwell
  • jason
  • john
  • 1q2w3e4r
  • baby
  • red123
  • blabla
  • prince
  • qwert
  • chelsea
  • angel1
  • hardcore
  • dexter
  • saved
  • hallo
  • jasper
  • danielle
  • kitten
  • cassie
  • stella
  • prayer
  • hotdog
  • windows
  • mustdie
  • gates
  • billgates
  • ghbdtn
  • gfhjkm

It gathers the following account information from any of the aforementioned FTP clients or File Managers:

  • Password
  • Port Number
  • Server Name
  • User Name

It also attempts to steal stored email credentials:

  • Outlook
  • Windows Live Mail
  • Windows Mail
  • Pocomail
  • IncrediMail
  • BatMail
  • Mozilla Thunderbird

This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Flock Browser
  • FastStone Browser

Other Details

It does not have rootkit capabilities.

It does not exploit any vulnerabilit

  SOLUTION

Motor de exploración mínimo 9.300
Primer archivo de patrones de VSAPI 9.514.04
Primera fecha de publicación de patrones de VSAPI 08 Nov 2012
Versión de patrones OPR de VSAPI 9.515.00
Fecha de publicación de patrones OPR de VSAPI 09 Nov 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as TSPY_FAREIT.AJ

Step 3

Terminate a process file/s detected as TSPY_FAREIT.AJ

[ Learn More ]

*Note: If the detected file/s is/are not displayed in theWindows Task Manager, continue doing the next steps.

Step 4

Scan your computer with your Trend Micro product to delete files detected as TSPY_FAREIT.AJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.