TSPY_FAREIT.LSK
Trojan.Win32.Generic!BT (Sunbelt), ADWARE/InstallCore.Gen (Antivir)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies the Internet Explorer Zone Settings.
It deletes itself after execution.
TECHNICAL DETAILS
113,152 bytes
EXE
Yes
12 Jul 2013
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random File Name} = "%Application Data%\{Random Folder Name}\{Random File Name}.exe"
Other System Modifications
This spyware adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
{Random Characters}
{Random Characters} = "{Random Strings}"
HKEY_CURRENT_USER\Software\Microsoft\
{Random Characters}
{Random Characters} = "{Random Hex Values}"
HKEY_CURRENT_USER\Software\WinRAR
{Random Hash} = "{Random Hex Values}"
HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{Random Hex Values}"
HKEY_CURRENT_USER\Software\WinRAR
HWID = "{Random Hex Values}"
It modifies the following registry entries:
HKEY_CURRENT_USER\Identities
Identity Ordinal = "2"
(Note: The default value data of the said registry entry is 1.)
Web Browser Home Page and Search Page Modification
This spyware modifies the Internet Explorer Zone Settings.
Other Details
This spyware connects to the following possibly malicious URL:
- http://{BLOCKED}4.{BLOCKED}ostinginfo.com
- http://{BLOCKED}forgetwebsites.net/forum/viewtopic.php
- http://{BLOCKED}roductphotos.com/forum/viewtopic.php
- http://{BLOCKED}eatout.com/forum/viewtopic.php
- http://{BLOCKED}onalpathtopregnancy.com/forum/viewtopic.php
- http://{BLOCKED}avinesphotography.com/P9fdA3t.exe
- http://{BLOCKED}rana.com/1W9Xq1FY.exe
- http://{BLOCKED}lsblessing.com/cjVUHphF.exe
- http://{BLOCKED}st.dk/TdgB8.exe
It drops the following file(s)/component(s):
- %Application Data%\{Random Folder}\{Random File Name}.exe
- %TEMP%\{Random File Name}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It deletes itself after execution.