TSPY_FILGRATS.A
Windows
Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Dropping Routine
This spyware drops the following files:
- "{Malware Path}\realip.exe" - Used to get IP. Deleted after use
- "{Malware Path}\curl.exe" - Used for ftp upload. Deleted after use
- "{Malware Path}\filgra.bat" - Responsible for gathering and sending data to ftp server. Deleted after use
Information Theft
This spyware gathers the following data:
- Contents of files named "good*.txt" from drives "C" to "J"
- IP Address
Stolen Information
This spyware saves the stolen information in the following file:
- "{Malware Path}\{DATE} {(TIME)}.SNDR" - Deleted after upload
Drop Points
This spyware uploads files to the following File Transfer Protocol (FTP) sites:
- ftp://debrup:toperharley@debrup.{BLOCKED}s.biz:22
Other Details
This spyware connects to the following URL(s) to get the affected system's IP address:
- http://www.{BLOCKED}earch.com
It deletes itself after execution.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as TSPY_FILGRATS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.