TSPY_FAREIT.BO

This malware arrives as an attachment in an email supposedly from the Better Business Bureau. Once launched, this malware attempts to steal sensitive information.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Download Routine

This spyware accesses the following websites to download files:

• http://{BLOCKED}alma.org/hr5JHr1.exe
• http://{BLOCKED}.{BLOCKED}.218.30/RngUvek.exe
• http://{BLOCKED}k.com/cAB.exe
• http://{BLOCKED}silva.com/ttmX4XF.exe
• http://{BLOCKED}de.net/V61zmw.exe
• http://{BLOCKED}ia.cl/gUXoWb.exe
• http://{BLOCKED}silva.com/ttmX4XF.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe - detected as TSPY_ZBOT.BO

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}losde.com:8080/forum/viewtopic.php
• http://{BLOCKED}.{BLOCKED}.38.105:8080/forum/viewtopic.php

NOTES:

It attempts to steal stored account information of the following installed FTP clients or File Managers:

• 32bit FTP
• 3D-FTP
• AceFTP
• ALFTP
• Becky!
• BitKinex
• BlazeFTP
• Bromium (Yandex Chrome)
• BulletProof FTP
• Certificate
• ChromePlus
• Chromium / SRWare Iron
• ClassicFTP
• CoffeeCup FTP / Sitemapper
• CoffeeCup Visual Site Designer
• Comodo Dragon
• CoolNovo
• CoreFTP
• CuteFTP
• Cyberduck
• DeluxeFTP
• Directory Opus
• Dreamweaver
• Easy FTP
• Epic
• ExpanDrive
• FAR Manager
• FastStone Browser
• FastTrackFTP
• FFFTP
• FileZilla
• Firefox
• FireFTP
• FlashFXP
• Fling
• Flock
• FreeFTP / DirectFTP
• FreshFTP
• Frigate3 FTP
• FTP Commander
• FTP Control
• FTP Explorer
• FTP Now
• FTP Surfer
• FTP Voyager
• FTPGetter
• FTPInfo
• FTPRush
• FTPShell
• Global Downloader
• GoFTP
• Google Chrome
• IncrediMail
• Internet Explorer
• K-Meleon
• LeapFTP
• LeechFTP
• LinasFTP
• Mozilla
• MyFTP
• NetDrive
• NETFile
• NexusFile
• Nichrome
• Notepad++
• NovaFTP
• Odin Secure FTP Expert
• Opera
• Outlook
• Pocomail
• Putty
• RDP
• Robo-FTP
• RockMelt
• SeaMonkey
• SecureFX
• sherrod FTP
• SmartFTP
• SoftX
• Staff-FTP
• The Bat!
• Thunderbird
• Total Commander
• TurboFTP
• UltraFXP
• WebDrive
• WebSitePublisher
• Windows Live Mail
• Windows Mail
• WinFTP
• WinSCP
• WinZip
• WiseFTP
• WS_FTP
• Xftp
• Yandex.Internet

It gathers the following account information from any of the aforementioned FTP clients or File Managers:

• Password
• Port Number
• Server Name
• Server Type
• User Name
• Directory list

It also attempts to steal stored email credentials:

• Outlook
• Windows Live Mail
• Windows Mail
• Pocomail
• IncrediMail
• BatMail
• Thunderbird

It attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
• Flock Browser
• RockMelt
• K-Meleon
• FastStone Browser

It uses the following list of usernames and passwords to access password-protected locations where the aforementioned information are stored:

• 123abc
• 123qwe
• 1q2w3e
• 1q2w3e4r
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angel1
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• austin
• baby
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• billgates
• biteme
• blabla
• blahblah
• blessed
• blessing
• blink182
• bubbles
• buster
• canada
• cassie
• charlie
• cheese
• chelsea
• chicken
• chris
• christ
• church
• cocacola
• compaq
• computer
• cookie
• cool
• corvette
• creative
• cryptimplus
• dakota
• dallas
• daniel
• danielle
• david
• destiny
• dexter
• diamond
• digital
• dragon
• eminem
• emmanuel
• enter
• faith
• flower
• foobar
• football
• football1
• forever
• forum
• freedom
• friend
• friends
• fuckoff
• fuckyou
• fuckyou1
• gates
• gateway
• genesis
• george
• gfhjkm
• ghbdtn
• ginger
• god
• google
• grace
• green
• guitar
• hahaha
• hallo
• hannah
• happy
• hardcore
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hotdog
• hunter
• ilovegod
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jason
• jasper
• jennifer
• jessica
• jesus
• jesus1
• john
• john316
• jordan
• jordan23
• joseph
• joshua
• junior
• justin
• killer
• kitten
• knight
• letmein
• london
• looking
• love
• lovely
• loving
• lucky
• maggie
• master
• matrix
• matthew
• maverick
• maxwell
• merlin
• michael
• michelle
• mickey
• microsoft
• mike
• monkey
• mother
• muffin
• mustang
• mustdie
• mylove
• myspace1
• nathan
• nicole
• nintendo
• none
• nothing
• onelove
• online
• orange
• pass
• passw0rd
• password
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• praise
• prayer
• prince
• princess
• purple
• qazwsx
• qwert
• qwerty
• qwerty1
• rachel
• rainbow
• red123
• richard
• robert
• rotimi
• samantha
• sammy
• samuel
• saved
• scooby
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• stella
• summer
• sunshine
• superman
• taylor
• test
• testing
• testtest
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• windows
• winner
• wisdom
• zxcvbnm