Analysis by: Rika Joi Gregorio
ALIASES:

VirTool:Win32/CeeInject.gen!KK(Microsoft), RDN/Spybot.bfr!h(McAfee), Downloader.Ponik(Symantec), Trojan-PWS.Tepfer(Ikarus), Win32/PSW.Fareit.A trojan(Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 151,552 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 27 Nov 2013

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This spyware adds the following registry keys:

HKEY_CLASSES_ROOT\Cad.Document

HKEY_CLASSES_ROOT\Cad.Document\DefaultIcon

HKEY_CLASSES_ROOT\Cad.Document\shell

HKEY_CLASSES_ROOT\Cad.Document\shell\
open

HKEY_CLASSES_ROOT\Cad.Document\shell\
open\command

HKEY_CLASSES_ROOT\Cad.Document\shell\
print

HKEY_CLASSES_ROOT\Cad.Document\shell\
print\command

HKEY_CLASSES_ROOT\Cad.Document\shell\
printto

HKEY_CLASSES_ROOT\Cad.Document\shell\
printto\command

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Cad

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Cad\Recent File List

HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\
Cad\Settings

It adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random values}"

HKEY_CLASSES_ROOT\Cad.Document
(Default) = "Cad Document"

HKEY_CLASSES_ROOT\Cad.Document\shell\
open\command
(Default) = "{malware path and file name} "%1""

HKEY_CLASSES_ROOT\Cad.Document\shell\
print\command
(Default) = "{malware path and file name} /p "%1""

HKEY_CLASSES_ROOT\Cad.Document\shell\
printto\command
(Default) = "{malware path and file name} /pt "%1" "%2" "%3" "%4""

HKEY_CLASSES_ROOT\Cad.Document\DefaultIcon
(Default) = "{malware path and file name},0"

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.166.215/pnn/ga.php
  • http://{BLOCKED}.{BLOCKED}.189.32/pnn/ga.php
  • http://{BLOCKED}.{BLOCKED}.46.241/pnn/ga.php
  • http://{BLOCKED}.{BLOCKED}.166.215/our/1.exe
  • http://{BLOCKED}.{BLOCKED}.166.215/our/2.exe
  • http://{BLOCKED}.{BLOCKED}.166.215/our/3.exe
  • http://{BLOCKED}.{BLOCKED}.189.32/our/1.exe
  • http://{BLOCKED}.{BLOCKED}.46.241/our/1.exe

NOTES:

TSPY_FAREIT.EWW executes every time a CAD document is executed or printed.