TSPY_FAREIT.QB

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be downloaded by other malware/grayware/spyware from remote sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It connects to certain websites to send and receive information.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may be downloaded by other malware/grayware/spyware from remote sites.

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random values}"

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}lbowling.com/Ff1.exe
• http://{BLOCKED}LESS NS.COM/1DosLi.exe
• http://{BLOCKED}healingfl.org/cudpB5.exe
• http://{BLOCKED}art.com/zD6.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This spyware connects to the following website to send and receive information:

• http://{BLOCKED}-mail.com:8080/ponyb/gate.php
• http://mail.{BLOCKED}im.com:8080/ponyb/gate.php
• http://{BLOCKED}ringsvacationhomerentals.com/ponyb/gate.php
• http://{BLOCKED}ringsvacationrentalshomes.com/ponyb/gate.php