TSPY_FAREIT.NHO

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware executes then deletes itself afterward.

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{random value}"

HKEY_CURRENT_USER\Software\WinRAR
{random GUID = "{random value}"

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random value}"

Download Routine

This spyware accesses the following websites to download files:

• http://cdn-cache-node.com/1.exe
• http://cdn-cache-node.com/6.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This spyware connects to the following possibly malicious URL:

• http://{BLOCKED}.{BLOCKED}.137.237/gate.php
• http://{BLOCKED}.{BLOCKED}.138.212/gate.php
• http://{BLOCKED}.{BLOCKED}.139.225/gate.php
• http://{BLOCKED}.{BLOCKED}.140.218/gate.php
• http://{BLOCKED}.{BLOCKED}.141.214/gate.php
• http://{BLOCKED}.{BLOCKED}.142.202/gate.php
• http://{BLOCKED}.{BLOCKED}.143.189/gate.php
• http://{BLOCKED}.{BLOCKED}.144.219/gate.php
• http://{BLOCKED}.{BLOCKED}.145.215/gate.php
• http://{BLOCKED}.{BLOCKED}.146.203/gate.php
• http://{BLOCKED}.{BLOCKED}.147.203/gate.php
• http://{BLOCKED}.{BLOCKED}.148.198/gate.php
• http://{BLOCKED}.{BLOCKED}.149.202/gate.php
• http://{BLOCKED}e-cdn-node.com/gate.php