arrow_back
search
close

TSPY_FAREIT.LSK

July 17, 2013
 ALIASES:

Trojan.Win32.Generic!BT (Sunbelt), ADWARE/InstallCore.Gen (Antivir)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

113,152 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

12 Jul 2013

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random File Name} = "%Application Data%\{Random Folder Name}\{Random File Name}.exe"

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
{Random Characters}
{Random Characters} = "{Random Strings}"

HKEY_CURRENT_USER\Software\Microsoft\
{Random Characters}
{Random Characters} = "{Random Hex Values}"

HKEY_CURRENT_USER\Software\WinRAR
{Random Hash} = "{Random Hex Values}"

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{Random Hex Values}"

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{Random Hex Values}"

It modifies the following registry entries:

HKEY_CURRENT_USER\Identities
Identity Ordinal = "2"

(Note: The default value data of the said registry entry is 1.)

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}4.{BLOCKED}ostinginfo.com
  • http://{BLOCKED}forgetwebsites.net/forum/viewtopic.php
  • http://{BLOCKED}roductphotos.com/forum/viewtopic.php
  • http://{BLOCKED}eatout.com/forum/viewtopic.php
  • http://{BLOCKED}onalpathtopregnancy.com/forum/viewtopic.php
  • http://{BLOCKED}avinesphotography.com/P9fdA3t.exe
  • http://{BLOCKED}rana.com/1W9Xq1FY.exe
  • http://{BLOCKED}lsblessing.com/cjVUHphF.exe
  • http://{BLOCKED}st.dk/TdgB8.exe

It drops the following file(s)/component(s):

  • %Application Data%\{Random Folder}\{Random File Name}.exe
  • %TEMP%\{Random File Name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It deletes itself after execution.