TSPY_FAREIT.ZB

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This spyware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\WinRAR

It adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{random values}"

Download Routine

This spyware accesses the following websites to download files:

• http://{BLOCKED}dbeck.de/qE6.exe
• http://{BLOCKED}ie.com/PGLtvY.exe
• http://{BLOCKED}oast-rentals.net/WMEvFA.exe

It saves the files it downloads using the following names:

• %User Temp%\{random number}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This spyware connects to the following possibly malicious URL:

• http://{BLOCKED}voip.com:8080/ponyb/gate.php
• http://{BLOCKED}voip.net:8080/ponyb/gate.php
• http://{BLOCKED}siesfaciale.com:8080/ponyb/gate.php
• http://{BLOCKED}siesfaciales.com:8080/ponyb/gate.php