TSPY_FAREIT.ABVV

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Download Routine

This spyware accesses the following websites to download files:

• http://{BLOCKED}heband.gr/5Wjm3iV2.exe
• http://{BLOCKED}ogalurunler.com/9BMu2.exe
• http://{BLOCKED}arimurunleri.com/rRq.exe
• http://{BLOCKED}balexchange.com/19J.exe
• http://{BLOCKED}s.org/1vAWoxz3.exe
• http://www.{BLOCKED}38.{BLOCKED}arn.de/4pxp.exe
• http://{BLOCKED}ofttechnologies.com/iDm9vs.exe
• http://{BLOCKED}ution.com.br/jq5.exe
• http://{BLOCKED}inart.be/Ue7cHNm.exe
• http://{BLOCKED}oit.pl/ZBrBpBh2.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe - detected as TSPY_ZBOT.LDG

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}r.{BLOCKED}rcatonly.com/forum/viewtopic.php
• http://{BLOCKED}r.{BLOCKED}etspetsitting.com/forum/viewtopic.php

NOTES:

However, as of this writing, the sites where it sends the gathered information are inaccessible.

It attempts to steal stored account information of the following installed FTP clients or File Managers:

• 32Bit Ftp
• 3D-FTP
• BlazeFtp
• BulletProof FTP
• Cute FTP
• CyberDuck
• Deluxe FTP
• Easy FTP
• Estsoft FTP
• FireFTP
• FTP CONTROL
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTP++
• FTPCON
• FTPGetter
• FTPNow
• FTPRush
• FTPShell
• FTPWare COREFTP
• Far FTP
• FreshFTP
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GoFTP
• NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• MAS-Soft FTP
• NCH Software ClassicFTP
• Nico Mak Computing WinZip FTP
• Robo-FTP 3.7
• SmartFTP
• SoftX.org FTPClient
• Sota FFFTP
• Staff-FTP
• TurboFTP
• WinFTP

This spyware uses the following list of user names and passwords to access password-protected locations where the aforementioned information are stored:

• 123abc
• 123qwe
• 1q2w3e
• 1q2w3e4r
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angel1
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• austin
• baby
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• billgates
• biteme
• blabla
• blahblah
• blessed
• blessing
• blink182
• bubbles
• buster
• canada
• cassie
• charlie
• cheese
• chelsea
• chicken
• chris
• christ
• church
• cocacola
• compaq
• computer
• cookie
• cool
• corvette
• creative
• dakota
• dallas
• daniel
• danielle
• david
• destiny
• dexter
• diamond
• digital
• dragon
• eminem
• emmanuel
• enter
• faith
• flower
• foobar
• football
• football1
• forever
• forum
• freedom
• friend
• friends
• fuckoff
• fuckyou
• fuckyou1
• gates
• gateway
• genesis
• george
• gfhjkm
• ghbdtn
• ginger
• god
• google
• grace
• green
• guitar
• hahaha
• hallo
• hannah
• happy
• hardcore
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hotdog
• hunter
• ilovegod
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jason
• jasper
• jennifer
• jessica
• jesus
• jesus1
• john
• john316
• jordan
• jordan23
• joseph
• joshua
• junior
• justin
• killer
• kitten
• knight
• letmein
• london
• looking
• love
• lovely
• loving
• lucky
• maggie
• master
• matrix
• matthew
• maverick
• maxwell
• merlin
• michael
• michelle
• mickey
• microsoft
• mike
• monkey
• mother
• muffin
• mustang
• mustdie
• mylove
• myspace1
• nathan
• nicole
• nintendo
• none
• nothing
• onelove
• online
• orange
• pass
• passw0rd
• password
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• praise
• prayer
• prince
• princess
• purple
• qazwsx
• qwert
• qwerty
• qwerty1
• rachel
• rainbow
• red123
• richard
• robert
• rotimi
• samantha
• sammy
• samuel
• saved
• scooby
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• stella
• summer
• sunshine
• superman
• taylor
• test
• testing
• testtest
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• windows
• winner
• wisdom
• zxcvbnm

It gathers the following account information from any of the aforementioned FTP clients or File Managers:

• Password
• Port Number
• Server Name
• User Name

It also attempts to steal stored email credentials:

• Outlook
• Windows Live Mail
• Windows Mail
• Pocomail
• IncrediMail
• BatMail
• Mozilla Thunderbird

This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
• Flock Browser
• FastStone Browser

It does not have rootkit capabilities.

It does not exploit any vulnerability.