TSPY_FAREIT.YYSNO

This spyware may be dropped by other malware.

As of this writing, the said sites are inaccessible.

However, as of this writing, the said sites are inaccessible. It deletes itself after execution.

Arrival Details

This spyware may be dropped by the following malware:

• W2KM_FAREIT.BK

Installation

This spyware drops and executes the following files:

• %User Temp%\{random numbers}.bat ← used to delete itself - deleted afterwards

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{GUID}"

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{hex value}"

HKEY_CURRENT_USER\Software\WinRAR
{random value} = "{true/false}"

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}i.com/system/logs/m1.exe
• http://{BLOCKED}d.{BLOCKED}rt.com/system/logs/m1.exe
• http://{BLOCKED}rt.{BLOCKED}formatique.com/system/logs/m1.exe

It saves the files it downloads using the following names:

• %User Temp%\{random numbers}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

As of this writing, the said sites are inaccessible.

Information Theft

This spyware attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBit
• Adobe
• BulletProof FTP
• CoffeeCup Software
• Cryer WebSitePublisher
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• Far
• Far2
• Far Manager
• FastTrackFTP
• FileZilla
• fireFTP
• FlashFXP
• FlashFXP 3
• FlashFXP 4
• FlashPeak BlazeFtp
• FreshFTP
• Frigate3
• FTP Commander
• FTP Navigator
• FTP CONTROL
• FTP Explorer
• FTP Now
• FTP++
• FTPGetter
• FTP Rush
• FTPShell
• FTPWare COREFTP
• Ghisler Total Commander
• Ghisler Windows Commander
• GlobalDownloader
• GlobalSCAPE CuteFTP
• GlobalSCAPE CuteFTP Pro
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP 9
• GoFTP
• GPSoftware Directory Opus
• INSoftware NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeachFTP
• LinasFTP
• Martin Prikryl
• MAS-Soft FTPInfo
• Maxprog FTP Disk
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang
• NexusFile
• Nico Mak Computing WinZip FTP
• Notepad++ NppFTP
• Odin
• SimonTatham PuTTY
• RhinoSoft FTPVoyager
• Robo-FTP 3.7
• SmartFTP
• SoftX FTPClient
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WinFTP

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Username
• Password
• User ID
• Host Address
• Directory List
• Port Number
• Terminal Type
• Server Name
• Server Type

It attempts to steal stored email credentials from the following:

• Windows Live Mail
• Windows Mail
• RimArts Internet Mail
• Poco Systems Pocomail
• IncrediMail
• The Bat! Mail
• Microsoft Outlook
• Mozilla ThunderBird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Opera
• Internet Explorer
• FastStoneBrowser
• Epic
• ChromePlus
• Bromium
• Nichrome
• Chromium
• Comodo
• Flock
• Google Chrome
• K-Meleon
• MappleStudio ChromePlus
• RockMelt
• Mozilla Firefox
• Mozilla Seamonkey
• Yandex

It uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• samantha
• michelle
• david
• eminem
• scooter
• asdfasdf
• sammy
• baby
• diamond
• maxwell
• 55555
• justin
• james
• chicken
• danielle
• iloveyou2
• fuckoff
• prince
• junior
• rainbow
• 112233
• fuckyou1
• 1
• nintendo
• peanut
• none
• church
• bubbles
• robert
• 222222
• destiny
• loving
• gfhjkm
• mylove
• jasper
• hallo
• 123321
• cocacola
• helpme
• nicole
• guitar
• billgates
• looking
• scooby
• joseph
• genesis
• forum
• emmanuel
• cassie
• victory
• passw0rd
• foobar
• ilovegod
• nathan
• blabla
• digital
• peaches
• football1
• 11111111
• power
• thunder
• gateway
• iloveyou!
• football
• tigger
• corvette
• angel
• killer
• creative
• 123456789
• google
• zxcvbnm
• startrek
• ashley
• cheese
• a
• sunshine
• christ
• 000000
• soccer
• qwerty1
• friend
• summer
• 1234567
• merlin
• phpbb
• 12345678
• jordan
• saved
• dexter
• viper
• winner
• sparky
• windows
• 123abc
• lucky
• anthony
• jesus
• ghbdtn
• admin
• hotdog
• baseball
• password1
• dragon
• trustno1
• jason
• internet
• mustdie
• john
• letmein
• 123
• mike
• knight
• jordan23
• abc123
• red123
• praise
• freedom
• jesus1
• 12345
• london
• computer
• microsoft
• muffin
• qwert
• mother
• master
• 111111
• qazwsx
• samuel
• canada
• slayer
• rachel
• onelove
• qwerty
• prayer
• iloveyou1
• whatever
• god
• password
• blessing
• snoopy
• 1q2w3e4r
• cookie
• 11111
• chelsea
• pokemon
• hahaha
• aaaaaa
• hardcore
• shadow
• welcome
• mustang
• 654321
• bailey
• blahblah
• matrix
• jessica
• stella
• benjamin
• testing
• secret
• trinity
• richard
• peace
• shalom
• monkey
• iloveyou
• thomas
• blink182
• jasmine
• purple
• test
• angels
• grace
• hello
• poop
• blessed
• 1234567890
• heaven
• hunter
• pepper
• john316
• cool
• buster
• andrew
• faith
• ginger
• 7777777
• hockey
• hello1
• angel1
• superman
• enter
• daniel
• 123123
• forever
• nothing
• dakota
• kitten
• asdf
• 1111
• banana
• gates
• flower
• taylor
• lovely
• hannah
• princess
• compaq
• jennifer
• myspace1
• smokey
• matthew
• harley
• rotimi
• fuckyou
• soccer1
• 123456
• single
• joshua
• green
• 123qwe
• starwars
• love
• silver
• austin
• michael
• amanda
• 1234
• charlie
• bandit
• chris
• happy
• hope
• maggie
• maverick
• online
• spirit
• george
• friends
• dallas
• adidas
• 1q2w3e
• 7777
• orange
• testtest
• asshole
• apple
• biteme
• 666666
• william
• mickey
• asdfgh
• wisdom
• batman
• pass

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}tonsof.ru/gate.php
• http://{BLOCKED}arren.ru/gate.php
• http://{BLOCKED}ransand.ru/gate.php

Other Details

However, as of this writing, the said sites are inaccessible.

It deletes itself after execution.

NOTES:

It attempts to get stored account information from application which uses the following GUID:

• {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
• {11C1D741-A95B-11d2-8A80-0080ADB32FF4}

It has the the capability to steal information from various Bitcoin wallets. It searches and attempts to extract information from the following files:

• wallet.dat (ProtoShares)
• wallet.dat (Craftcoin)

This spyware attempts to steal account information used in Remote Desktop connection.