TSPY_FAREIT.YYSHX

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops and executes the following files:

• %User Temp%\{random numbers}.bat - this will delete the executed file

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_CURRENT_USER\Software\WinRAR
Client Hash = "{hex values}"

HKEY_CURRENT_USER\Software\WinRAR
HWID = "{hex values}"

Information Theft

This spyware gathers the following data:

• Cryptographic certificates

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 32BitFtp
• 3D-FTP
• AceBIT
• Adobe
• BitKinex
• Bullet Proof FTP
• ClassicFTP
• CoffeeCup Software
• Core FTP
• Cryer WebSitePublisher
• Cyberduck
• DeluxeFTP
• EasyFTP
• Estsoft ALFTP
• ExpanDrive
• Far Manager
• FastTrackFTP
• FileZilla
• FlashFXP 3
• FlashFXP 4
• FlashPeak BlazeFtp
• FreshFTP
• Frigate3
• FTP Commander
• FTP Control
• FTP Explorer
• FTP Navigator
• FTP Now
• FTPGetter
• FTPRush
• FTPShell
• FTPVoyager
• Global Downloader
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP 9
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP Pro
• GoFTP
• GPSoftware Directory Opus
• INSoftware NovaFTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP Site Manager
• Martin Prikryl
• MAS-Soft FTPInfo
• Maxprog FTP Disk
• MS IE FTP
• My FTP
• NCH Software ClassicFTP
• NCH Software Fling
• NetSarang
• NexusFile
• Nico Mak Computing WinZip
• NppFTP
• Robo-FTP 3.7
• SimonTatham PuTTY
• SmartFTP
• SoftX FTP Client
• Sota FFFTP
• South River Technologies WebDrive
• Staff-FTP
• Total Commander
• TurboFTP
• UltraFXP
• VanDyke SecureFX
• Visicom Media
• WS_FTP

It gathers the following account information from any of the mentioned File Transfer Protocol (FTP) clients or file manager software:

• Username
• Password
• User ID
• Host Address
• Directory List
• Port Number
• Terminal Type
• Server Name
• Server Type

It attempts to steal stored email credentials from the following:

• IncrediMail
• Microsoft Outlook
• Microsoft Windows Live Mail
• Microsoft Windows Mail
• Poco Systems Pocomail
• RimArts Becky! Internet Mail
• RIT The Bat!
• Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Bromium
• Chromium
• Comodo
• Epic
• FastStone Browser
• Flock
• Google Chrome
• K-Meleon
• MapleStudio ChromePlus
• Mozilla Firefox
• Mozilla SeaMonkey
• Nichrome
• Opera
• RockMelt
• Yandex

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}s.com/folder/gate.php

NOTES:

It uses the following list of user names and passwords to access password-protected locations where the mentioned information is stored:

• samantha
• michelle
• david
• eminem
• scooter
• asdfasdf
• sammy
• baby
• diamond
• maxwell
• 55555
• justin
• james
• chicken
• danielle
• iloveyou2
• fuckoff
• prince
• junior
• rainbow
• 112233
• fuckyou1
• 1
• nintendo
• peanut
• none
• church
• bubbles
• robert
• 222222
• destiny
• loving
• gfhjkm
• mylove
• jasper
• hallo
• 123321
• cocacola
• helpme
• nicole
• guitar
• billgates
• looking
• scooby
• joseph
• genesis
• forum
• emmanuel
• cassie
• victory
• passw0rd
• foobar
• ilovegod
• nathan
• blabla
• digital
• peaches
• football1
• 11111111
• power
• thunder
• gateway
• iloveyou!
• football
• tigger
• corvette
• angel
• killer
• creative
• 123456789
• google
• zxcvbnm
• startrek
• ashley
• cheese
• a
• sunshine
• christ
• 000000
• soccer
• qwerty1
• friend
• summer
• 1234567
• merlin
• phpbb
• 12345678
• jordan
• saved
• dexter
• viper
• winner
• sparky
• windows
• 123abc
• lucky
• anthony
• jesus
• ghbdtn
• admin
• hotdog
• baseball
• password1
• dragon
• trustno1
• jason
• internet
• mustdie
• john
• letmein
• 123
• mike
• knight
• jordan23
• abc123
• red123
• praise
• freedom
• jesus1
• 12345
• london
• computer
• microsoft
• muffin
• qwert
• mother
• master
• 111111
• qazwsx
• samuel
• canada
• slayer
• rachel
• onelove
• qwerty
• prayer
• iloveyou1
• whatever
• god
• password
• blessing
• snoopy
• 1q2w3e4r
• cookie
• 11111
• chelsea
• pokemon
• hahaha
• aaaaaa
• hardcore
• shadow
• welcome
• mustang
• 654321
• bailey
• blahblah
• matrix
• jessica
• stella
• benjamin
• testing
• secret
• trinity
• richard
• peace
• shalom
• monkey
• iloveyou
• thomas
• blink182
• jasmine
• purple
• test
• angels
• grace
• hello
• poop
• blessed
• 1234567890
• heaven
• hunter
• pepper
• john316
• cool
• buster
• andrew
• faith
• ginger
• 7777777
• hockey
• hello1
• angel1
• superman
• enter
• daniel
• 123123
• forever
• nothing
• dakota
• kitten
• asdf
• 1111
• banana
• gates
• flower
• taylor
• lovely
• hannah
• princess
• compaq
• jennifer
• myspace1
• smokey
• matthew
• harley
• rotimi
• fuckyou
• soccer1
• 123456
• single
• joshua
• green
• 123qwe
• starwars
• love
• silver
• austin
• michael
• amanda
• 1234
• charlie
• bandit
• chris
• happy
• hope
• maggie
• maverick
• online
• spirit
• george
• friends
• dallas
• adidas
• 1q2w3e
• 7777
• orange
• testtest
• asshole
• apple
• biteme
• 666666
• william
• mickey
• asdfgh
• wisdom
• batman
• pass

It may also possess the capability to steal information from various Bitcoin wallets. It searches and attempts to extract information from the following files:

• wallet.dat (Bitcoin)
• electrum.dat (Electrum)
• wallet (MultiBit)
• wallet.dat (Litecoin)
• wallet.dat (Namecoin)
• wallet.dat (Terracoin)
• wallet (Armory)
• wallet.dat (PPCoin)
• wallet.dat (Primecoin)
• wallet.dat (Feathercoin)
• wallet.dat (NovaCoin)
• wallet.dat (Freicoin)
• wallet.dat (Devcoin)
• wallet.dat (Franko)
• wallet.dat (ProtoShares)
• wallet.dat (Megacoin)
• wallet.dat (Quarkcoin)
• wallet.dat (Worldcoin)
• wallet.dat (Infinitecoin)
• wallet.dat (Ixcoin)
• wallet.dat (Anoncoin)
• wallet.dat (BBQcoin)
• wallet.dat (Digitalcoin)
• wallet.dat (Mincoin)
• wallet.dat (GoldCoin (GLD))
• wallet.dat (Yacoin)
• wallet.dat (Zetacoin)
• wallet.dat (Fastcoin)
• wallet.dat (I0coin)
• wallet.dat (Tagcoin)
• wallet.dat (Bytecoin)
• wallet.dat (Florincoin)
• wallet.dat (Phoenixcoin)
• wallet.dat (Luckycoin)
• wallet.dat (Craftcoin)
• wallet.dat (Junkcoin)