FAREIT is a malware family of information stealers used to download other malware such as ZeuS/ZBOT onto infected systems. Its variants typically steal user names and passwords stored in web browsers. In addition, they steal email credentials and FTP credentials such as the following:
- Directory list
- Password
- Port Number
- Server Name
- Server Type
- User Name
Users can get this malware by visiting malicious sites that host FAREIT variants.
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\WinRAR
HWID = "{GUID}"
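The key HKEY_CURRENT_USER\Software\WinRAR is also used by the WinRAR application itself, so a check for this entry should match the HWID value rather than the key. The following added example (not part of the original write-up) scans text in the layout printed by `reg query` for a GUID-shaped HWID value under that key in any user hive. The function names, the sample data, and the handling of REG_BINARY data are assumptions; the page does not state the value's registry type.

```python
import re

# "{GUID}" as shown in the entry: braces around 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Exactly <hive>\Software\WinRAR; subkeys such as ...\WinRAR\General do not match.
KEY_RE = re.compile(r"^HKEY_(?:CURRENT_USER|USERS\\[^\\]+)\\Software\\WinRAR$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def decode(reg_type, data):
    """Return value data as text; REG_BINARY hex is decoded as ASCII (assumption)."""
    if reg_type.upper() == "REG_BINARY":
        try:
            return bytes.fromhex(data.strip()).decode("ascii").rstrip("\x00")
        except ValueError:  # bad hex or non-ASCII bytes
            return ""
    return data.strip()

def find_hwid_hits(reg_query_output):
    """Return (key, guid) pairs where Software\\WinRAR holds a GUID-shaped HWID."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip() if KEY_RE.match(line.strip()) else None
            continue
        m = VALUE_RE.match(line)
        if key and m and m.group(1).upper() == "HWID":
            text = decode(m.group(2), m.group(3))
            if GUID_RE.match(text):
                hits.append((key, text))
    return hits

# Constructed sample input (SIDs and GUIDs are made up for illustration).
GUID_A = "{0A1B2C3D-1111-2222-3333-444455556666}"
GUID_B = "{FFEEDDCC-AAAA-BBBB-CCCC-0123456789AB}"
SAMPLE = "\n".join([
    r"HKEY_USERS\S-1-5-21-1-2-3-1001\Software\WinRAR",
    "    HWID    REG_SZ    " + GUID_A,
    r"HKEY_USERS\S-1-5-21-1-2-3-1002\Software\WinRAR\General",
    "    Toolbar    REG_DWORD    0x1",
    r"HKEY_USERS\S-1-5-21-1-2-3-1003\Software\WinRAR",
    "    HWID    REG_BINARY    " + GUID_B.encode("ascii").hex().upper(),
    r"HKEY_USERS\S-1-5-21-1-2-3-1004\Software\WinRAR",
    "    HWID    REG_SZ    not-a-guid",
])

if __name__ == "__main__":
    print(find_hwid_hits(SAMPLE))
```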
Other Details
This spyware connects to possibly malicious URLs.