TSPY_FAREIT.LQ

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It does not have any backdoor routine.

It deletes itself after execution.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = {random value}

Backdoor Routine

This spyware does not have any backdoor routine.

Download Routine

This spyware connects to the following website(s) to download and execute a malicious file:

• http://ftp.{BLOCKED}ove.com/J2Vbs.exe
• http://marly.{BLOCKED}negroup.com/JKt.exe
• http://www.{BLOCKED}es. om/dGmF.exe

It saves the files it downloads using the following names:

• %User Temp%\{random digit}.exe - TSPY_ZBOT.RIK

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Information Theft

This spyware attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• FarManager
• Ghisler
• WS_FTP
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP
• GlobalSCAPE CuteFTP Pro
• GlobalSCAPE CuteFTP Lite
• FlashFXP
• FileZilla
• FTP Navigator
• FTP Commander
• BulletProof FTP
• SmartFTP
• TurboFTP
• FFFTP
• FTPWare
• FTP Explorer
• UltraFXP
• SecureFX
• UltraFXP
• FTPRush
• WebSitePublisher
• BitKinex
• ExpanDrive
• ClassicFTP
• Fling FTP
• Directory Opus
• CoffeeCup Software
• LeapWare
• WinSCP
• 32BitFtp
• NetDrive
• WebDrive
• AceBIT
• FTPVoyager
• RhinoSoft
• LeechFTP
• Odin Secure FTP Expert
• WinFTP
• FTPGetter
• ALFTP
• DeluxeFTP
• Staff-FTP
• AceFTP
• FreshFTP
• BlazeFtp
• EasyFTP
• NetSarang
• FTPNow
• LinasFTP
• PuTTY
• NppFTP
• FTPShell
• MAS-Soft FTPInfo
• NexusFile
• My FTP
• NovaFTP
• Robo-FTP 3.7
• Cyberduck

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Password
• User ID
• Server Type
• Server Name
• Port Number
• Directory List

It attempts to steal stored email credentials from the following:

• Windows Live Mail
• Windows Mail
• Pocomail
• IncrediMail
• BatMail
• Outlook
• ThunderBird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Opera
• Mozilla Firefox
• SeaMonkey
• Flock
• Google Chrome
• Chromium
• ChromePlus
• Bromium
• Nichrome
• Comodo
• RockMelt
• K-Meleon
• Epic Browser
• FastStone Browser

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}t.net:8080/ponyb/gate.php
• http://{BLOCKED}.{BLOCKED}.180.139:8080/ponyb/gate.php
• http://{BLOCKED}c.fm:8080/ponyb/gate.php
• http://{BLOCKED}pioneers.at:8080/ponyb/gate.php

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

• http://www.facebook.com
• http://www.bing.com
• http://www.google.com

It deletes itself after execution.

NOTES:
This spyware uses the following list of user names and passwords to access password-protected locations where the aforementioned information are stored:

• 123abc
• 123qwe
• 1q2w3e
• 1q2w3e4r
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angel1
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• austin
• baby
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• billgates
• biteme
• blabla
• blahblah
• blessed
• blessing
• blink182
• bubbles
• buster
• canada
• cassie
• charlie
• cheese
• chelsea
• chicken
• chris
• christ
• church
• cocacola
• compaq
• computer
• cookie
• cool
• corvette
• creative
• cryptimplus
• dakota
• dallas
• daniel
• danielle
• david
• destiny
• dexter
• diamond
• digital
• dragon
• eminem
• emmanuel
• enter
• faith
• flower
• foobar
• football
• football1
• forever
• forum
• freedom
• friend
• friends
• fuckoff
• fuckyou
• fuckyou1
• gates
• gateway
• genesis
• george
• gfhjkm
• ghbdtn
• ginger
• god
• google
• grace
• green
• guitar
• hahaha
• hallo
• hannah
• happy
• hardcore
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hotdog
• hunter
• ilovegod
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jason
• jasper
• jennifer
• jessica
• jesus
• jesus1
• john
• john316
• jordan
• jordan23
• joseph
• joshua
• junior
• justin
• killer
• kitten
• knight
• letmein
• london
• looking
• love
• lovely
• loving
• lucky
• maggie
• master
• matrix
• matthew
• maverick
• maxwell
• merlin
• michael
• michelle
• mickey
• microsoft
• mike
• monkey
• mother
• muffin
• mustang
• mustdie
• mylove
• myspace1
• nathan
• nicole
• nintendo
• none
• nothing
• onelove
• online
• orange
• pass
• passw0rd
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• praise
• prayer
• prince
• princess
• purple
• qazwsx
• qwert
• qwerty
• qwerty1
• rachel
• rainbow
• red123
• richard
• robert
• rotimi
• samantha
• sammy
• samuel
• saved
• scooby
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• stella
• summer
• sunshine
• superman
• taylor
• test
• testing
• testtest
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• windows
• winner
• wisdom
• zxcvbnm