TSPY_FAREIT.AUSYVS

This Trojan Spy arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It deletes itself after execution.

Arrival Details

This Trojan Spy arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This Trojan Spy drops and executes the following files:

• %User Temp%\{random numbers}.bat ← used to delete itself, deleted afterwards

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{hex values}"

Information Theft

This Trojan Spy attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBIT
• Adobe
• BitKinex
• Bullet Proof FTP
• CoffeeCup Software
• Core FTP
• Cryer WebSitePublisher
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• FTP Commander
• FTP Control
• FTP Explorer
• FTP Navigator
• FTP Now
• FTPGetter
• FTPRush
• FTPShell
• Far Manager
• FastTrackFTP
• FileZilla
• FireFTP
• FlashFXP 3
• FlashFXP 4
• FlashPeak BlazeFtp
• FreshFTP
• Frigate3
• GPSoftware Directory Opus
• Ghisler Total Commander
• Global Downloader
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP Pro
• GoFTP
• INSoftware NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• MAS-Soft FTPInfo
• MS IE FTP
• Martin Prikryl
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang
• NexusFile
• Nico Mak Computing WinZip
• Notepad++ NppFTP
• Opera
• RhinoSoft FTPVoyager
• Robo-FTP 3.7
• SimonTatham PuTTY
• SmartFTP
• SoftX FTP Client
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WinFTP

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Username
• Password
• User ID
• Host Address
• Directory List
• Port Number
• Terminal Type
• Server Name
• Server Type

It attempts to steal stored email credentials from the following:

• IncrediMail
• Microsoft Outlook
• Microsoft Windows Live Mail
• Microsoft Windows Mail
• Poco Systems Pocomail
• RimArts Becky! Internet Mail
• RIT The Bat!
• Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• Chromium
• Comodo
• Epic
• FastStone Browser
• Flock
• Google Chrome
• K-Meleon
• MapleStudio ChromePlus
• Mozilla Firefox
• Mozilla SeaMonkey
• Nichrome
• Opera
• RockMelt
• Yandex
• Internet Explorer

It uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• 123456
• password
• phpbb
• qwerty
• 12345
• jesus
• 12345678
• 1234
• abc123
• letmein
• test
• love
• 123
• password1
• hello
• monkey
• dragon
• trustno1
• 111111
• iloveyou
• 1234567
• shadow
• 123456789
• christ
• sunshine
• master
• computer
• princess
• tigger
• football
• angel
• jesus1
• 123123
• whatever
• freedom
• killer
• asdf
• soccer
• superman
• michael
• cheese
• internet
• joshua
• fuckyou
• blessed
• baseball
• starwars
• 000000
• purple
• jordan
• faith
• summer
• ashley
• buster
• heaven
• pepper
• 7777777
• hunter
• lovely
• andrew
• thomas
• angels
• charlie
• daniel
• 1111
• jennifer
• single
• hannah
• qazwsx
• happy
• matrix
• pass
• aaaaaa
• 654321
• amanda
• nothing
• ginger
• mother
• snoopy
• jessica
• welcome
• pokemon
• iloveyou1
• 11111
• mustang
• helpme
• justin
• jasmine
• orange
• testing
• apple
• michelle
• peace
• secret
• 1
• grace
• william
• iloveyou2
• nicole
• 666666
• muffin
• gateway
• fuckyou1
• asshole
• hahaha
• poop
• blessing
• blahblah
• myspace1
• matthew
• canada
• silver
• robert
• forever
• asdfgh
• rachel
• rainbow
• guitar
• peanut
• batman
• cookie
• bailey
• soccer1
• mickey
• biteme
• hello1
• eminem
• dakota
• samantha
• compaq
• diamond
• taylor
• forum
• john316
• richard
• blink182
• peaches
• cool
• flower
• scooter
• banana
• james
• asdfasdf
• victory
• london
• 123qwe
• 123321
• startrek
• george
• winner
• maggie
• trinity
• online
• 123abc
• chicken
• junior
• chris
• passw0rd
• austin
• sparky
• admin
• merlin
• google
• friends
• hope
• shalom
• nintendo
• looking
• harley
• smokey
• 7777
• joseph
• lucky
• digital
• a
• thunder
• spirit
• bandit
• enter
• anthony
• corvette
• hockey
• power
• benjamin
• iloveyou!
• 1q2w3e
• viper
• genesis
• knight
• qwerty1
• creative
• foobar
• adidas
• rotimi
• slayer
• wisdom
• praise
• zxcvbnm
• samuel
• mike
• dallas
• green
• testtest
• maverick
• onelove
• david
• mylove
• church
• friend
• god
• destiny
• none
• microsoft
• 222222
• bubbles
• 11111111
• cocacola
• jordan23
• ilovegod
• football1
• loving
• nathan
• emmanuel
• scooby
• fuckoff
• sammy
• maxwell
• jason
• john
• 1q2w3e4r
• baby
• red123
• blabla
• prince
• qwert
• chelsea
• 55555
• angel1
• hardcore
• dexter
• saved
• 112233
• hallo
• jasper
• danielle
• kitten
• cassie
• stella
• prayer
• hotdog
• windows
• mustdie
• gates
• billgates
• ghbdtn
• gfhjkm
• 1234567890

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}lmasia.com/udplz/bxn0udkplc/gate.php

Other Details

This Trojan Spy deletes itself after execution.