TSPY_FAREIT.THFADAH

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• %Windows%\Microsoft.NET\Framework\v{version number}\cvtres.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• %MUTEX%

It injects codes into the following process(es):

• created cvtres.exe

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\WinRAR
HWID = {hex values}

Dropping Routine

This Trojan Spy drops the following files:

• %User Temp%\{random numbers}.bat ← Deletes cvtres.exe and itself.

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Download Routine

This Trojan Spy accesses the following websites to download files:

• http://{BLOCKED}site.ru/shit.exe

As of this writing, the said sites are inaccessible.

Information Theft

This Trojan Spy attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBIT
• Adobe
• BitKinex
• BlazeFtp
• Bullet Proof FTP
• CoffeeCup Software
• Core FTP
• Cryer WebSitePublisher
• CuteFTP
• CuteFTP Lite
• CuteFTP Pro
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTP Now
• FTPGetter
• FTPRush
• FTPShell
• Far Manager
• FastTrack FTP
• FileZilla
• FireFTP
• FlashFXP 3
• FlashFXP 4
• FreshFTP
• Frigate3
• GPSoftware Directory Opus
• Ghisler Total Commander
• Global Downloader
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GoFTP
• INSoftware NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• MAS-Soft FTPInfo
• MS IE FTP
• Martin Prikryl WinSCP
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetDrive
• NetSarang
• NexusFile
• Nico Mak Computing WinZip
• Notepad++ NppFTP
• Odin Secure FTP Expert
• Opera Software
• RhinoSoft FTP Voyager
• Robo-FTP 3.7
• SFTP
• SimonTatham PuTTY
• SmartFTP
• SoftX FTP Client
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WinFtp Client

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Username
• Password
• User ID
• Host Address
• Directory List
• Port Number
• Terminal Type
• Server Name
• Server Type

It attempts to steal stored email credentials from the following:

• Microsoft Windows Live Mail
• Poco Systems Pocomail
• IncrediMail
• Microsoft Windows Mail
• Becky! Internet Mail - RimArts Inc.
• The Bat! BatMail
• Microsoft Outlook
• Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• ChromePlus
• Chromium
• Comodo
• Epic
• FastStone Browser
• Flock
• Google Chrome
• Internet Explorer
• K-Meleon
• MapleStudio ChromePlus
• Mozilla Firefox
• Mozilla SeaMonkey
• Nichrome
• Opera
• RockMelt
• Yandex

It uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• 000000
• 1111
• 11111
• 111111
• 123123
• 123321
• 1234
• 12345
• 123456
• 1234567
• 12345678
• 123456789
• 123abc
• 123qwe
• 1q2w3e
• 654321
• 666666
• 7777
• 7777777
• aaaaaa
• abc123
• adidas
• admin
• amanda
• andrew
• angel
• angels
• anthony
• apple
• asdf
• asdfasdf
• asdfgh
• ashley
• asshole
• austin
• bailey
• banana
• bandit
• baseball
• batman
• benjamin
• biteme
• blahblah
• blessed
• blessing
• blink182
• buster
• canada
• charlie
• cheese
• chicken
• chris
• christ
• compaq
• computer
• cookie
• cool
• corvette
• creative
• dakota
• daniel
• diamond
• digital
• dragon
• eminem
• enter
• faith
• flower
• foobar
• football
• forever
• forum
• freedom
• friends
• fuckyou
• fuckyou1
• gateway
• genesis
• george
• ginger
• google
• grace
• guitar
• hahaha
• hannah
• happy
• harley
• heaven
• hello
• hello1
• helpme
• hockey
• hope
• hunter
• iloveyou
• iloveyou!
• iloveyou1
• iloveyou2
• internet
• james
• jasmine
• jennifer
• jessica
• jesus
• jesus1
• john316
• jordan
• joseph
• joshua
• junior
• justin
• killer
• knight
• letmein
• london
• looking
• love
• lovely
• lucky
• maggie
• master
• matrix
• matthew
• merlin
• michael
• michelle
• mickey
• monkey
• mother
• muffin
• mustang
• myspace1
• nicole
• nintendo
• nothing
• online
• orange
• pass
• passw0rd
• password
• password1
• peace
• peaches
• peanut
• pepper
• phpbb
• pokemon
• poop
• power
• princess
• purple
• qazwsx
• qwerty
• qwerty1
• rachel
• rainbow
• richard
• robert
• rotimi
• samantha
• scooter
• secret
• shadow
• shalom
• silver
• single
• slayer
• smokey
• snoopy
• soccer
• soccer1
• sparky
• spirit
• startrek
• starwars
• summer
• sunshine
• superman
• taylor
• test
• testing
• thomas
• thunder
• tigger
• trinity
• trustno1
• victory
• viper
• welcome
• whatever
• william
• winner
• wisdom

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}tsigorta.com/panel/gate.php

Other Details

This Trojan Spy does the following:

• It attempts to get stored account information from the application which uses the following GUID:
  • {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
  • {11C1D741-A95B-11d2-8A80-0080ADB32FF4}
• It attempts to steal account information from files with the following extensions:
  • .rdp
  • .prf
• It adds the following folder, file and registry if its absolute file path contains the following string "Dsv":
  • %Application Data%\Microsoft\Windows\DsvHelper
  • %Application Data%\Microsoft\Windows\DsvHelper\@RANDOM@.lnk

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Load = %Application Data%\Microsoft\Windows\DsvHelper\@RANDOM@.lnk

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)