TSPY_FAREIT.AJ

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not drop any other file.

It does not have any downloading capability.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Dropping Routine

This spyware does not drop any other file.

Download Routine

This spyware does not have any downloading capability.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}0.{BLOCKED}6.23.100:8080/asp/intro.php
• http://{BLOCKED}1.{BLOCKED}.235.35:8080/asp/intro.php
• http://{BLOCKED}9.{BLOCKED}0.221.6:8080/asp/intro.php
• http://{BLOCKED}0.{BLOCKED}9.13.84:8080/asp/intro.php
• http://{BLOCKED}1.{BLOCKED}1.168.98:8080/asp/intro.php
• http://{BLOCKED}0.{BLOCKED}5.150.72:8080/asp/intro.php
• http://{BLOCKED}9.{BLOCKED}5.134.110:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}8.208.55:8080/asp/intro.php
• http://{BLOCKED}2.{BLOCKED}0.221.186:8080/asp/intro.php
• http://{BLOCKED}2.{BLOCKED}7.17.180:8080/asp/intro.php
• http://{BLOCKED}4.{BLOCKED}2.100.108:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}2.238.18:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}6.208.180:8080/asp/intro.php
• http://{BLOCKED}0.{BLOCKED}4.58.250:8080/asp/intro.php
• http://{BLOCKED}2.{BLOCKED}3.189.180:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}3.98.131:8080/asp/intro.php
• http://{BLOCKE}D2.{BLOCKED}8.49.112:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}0.65.77:8080/asp/intro.php
• http://{BLOCKED}0.{BLOCKED}8.18.158:8080/asp/intro.php
• http://{BLOCKED}3.{BLOCKED}2.252.26:8080/asp/intro.php
• http://{BLOCKED}1.{BLOCKED}3.171.212:8080/asp/intro.php

NOTES:

It attempts to steal stored account information of the following installed FTP clients or File Managers:

• 32Bit Ftp
• 3D-FTP
• BlazeFtp
• BulletProof FTP
• Cute FTP
• CyberDuck
• Deluxe FTP
• Easy FTP
• Estsoft FTP
• FireFTP
• FTP CONTROL
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTP++
• FTPCON
• FTPGetter
• FTPNow
• FTPRush
• FTPShell
• FTPWare COREFTP
• Far FTP
• FreshFTP
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP 8 Professional
• GoFTP
• NovaFTP
• Ipswitch WS_FTP
• LeapWare LeapFTP
• LeechFTP
• LinasFTP
• MAS-Soft FTP
• NCH Software ClassicFTP
• Nico Mak Computing WinZip FTP
• Robo-FTP 3.7
• SmartFTP
• SoftX.org FTPClient
• Sota FFFTP
• Staff-FTP
• TurboFTP
• WinFTP

This spyware uses the following list of user names and passwords to access password-protected locations where the aforementioned information are stored:

• password
• phpbb
• qwerty
• jesus
• abc123
• letmein
• test
• love
• password1
• hello
• monkey
• dragon
• trustno1
• iloveyou
• shadow
• christ
• sunshine
• master
• computer
• princess
• tigger
• football
• angel
• jesus1
• whatever
• freedom
• killer
• asdf
• soccer
• superman
• michael
• cheese
• internet
• joshua
• fuckyou
• blessed
• baseball
• starwars
• purple
• jordan
• faith
• summer
• ashley
• buster
• heaven
• pepper
• hunter
• lovely
• andrew
• thomas
• angels
• charlie
• daniel
• jennifer
• single
• hannah
• qazwsx
• happy
• matrix
• pass
• aaaaaa
• amanda
• nothing
• ginger
• mother
• snoopy
• jessica
• welcome
• pokemon
• iloveyou1
• mustang
• helpme
• justin
• jasmine
• orange
• testing
• apple
• michelle
• peace
• secret
• grace
• william
• iloveyou2
• nicole
• muffin
• gateway
• fuckyou1
• asshole
• hahaha
• poop
• blessing
• blahblah
• myspace1
• matthew
• canada
• silver
• robert
• forever
• asdfgh
• rachel
• rainbow
• guitar
• peanut
• batman
• cookie
• bailey
• soccer1
• mickey
• biteme
• hello1
• eminem
• dakota
• samantha
• compaq
• diamond
• taylor
• forum
• john316
• richard
• blink182
• peaches
• cool
• flower
• scooter
• banana
• james
• asdfasdf
• victory
• london
• 123qwe
• startrek
• george
• winner
• maggie
• trinity
• online
• 123abc
• chicken
• junior
• chris
• passw0rd
• austin
• sparky
• admin
• merlin
• google
• friends
• hope
• shalom
• nintendo
• looking
• harley
• smokey
• joseph
• lucky
• digital
• thunder
• spirit
• bandit
• enter
• anthony
• corvette
• hockey
• power
• benjamin
• iloveyou!
• 1q2w3e
• viper
• genesis
• knight
• qwerty1
• creative
• foobar
• adidas
• rotimi
• slayer
• wisdom
• praise
• zxcvbnm
• samuel
• mike
• dallas
• green
• testtest
• maverick
• onelove
• david
• mylove
• church
• friend
• god
• destiny
• none
• microsoft
• bubbles
• cocacola
• jordan23
• ilovegod
• football1
• loving
• nathan
• emmanuel
• scooby
• fuckoff
• sammy
• maxwell
• jason
• john
• 1q2w3e4r
• baby
• red123
• blabla
• prince
• qwert
• chelsea
• angel1
• hardcore
• dexter
• saved
• hallo
• jasper
• danielle
• kitten
• cassie
• stella
• prayer
• hotdog
• windows
• mustdie
• gates
• billgates
• ghbdtn
• gfhjkm

It gathers the following account information from any of the aforementioned FTP clients or File Managers:

• Password
• Port Number
• Server Name
• User Name

It also attempts to steal stored email credentials:

• Outlook
• Windows Live Mail
• Windows Mail
• Pocomail
• IncrediMail
• BatMail
• Mozilla Thunderbird

This spyware attempts to retrieve stored information such as user names, passwords, and hostnames from the following browsers:

• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
• Flock Browser
• FastStone Browser

Other Details

It does not have rootkit capabilities.

It does not exploit any vulnerabilit