
PWS:Win32/Fareit.gen!E


First posted on 29 September 2012.
Source: Microsoft

Aliases:

PWS:Win32/Fareit.gen!E is also known as Trojan-PSW.Win32.Tepfer.appg (Kaspersky), Trojan.PWS.Tepfer!VwerUtqbBZ4 (VirusBuster), TR/PSW.Tepfer.appg (Avira), Trojan-PWS.Win32.Tepfer (Ikarus).

Explanation:

PWS:Win32/Fareit.gen!E is a trojan that steals sensitive information from your computer, and sends it to a remote attacker.
Installation

When run, PWS:Win32/Fareit.gen!E creates a registry entry similar to the following:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "{GUID}", for example, "{ED95216A-AE76-4A76-B450-3644E984C941}"
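The registry marker described above is something a responder can check directly on a suspect host. The following is an added example written for this page, not part of the Microsoft write-up: the key path and value name are taken from the description, while the function name, the GUID-shape test and the report format are assumptions of the example.

```powershell
# Added example (not from the Microsoft write-up). Looks for the HWID value the page
# documents under HKCU\Software\WinRAR and reports whether its data is GUID-shaped.
function Test-FareitHwidMarker {
    [CmdletBinding()]
    param(
        # Key path and value name as documented for PWS:Win32/Fareit.gen!E
        [string]$KeyPath   = 'HKCU:\Software\WinRAR',
        [string]$ValueName = 'HWID'
    )

    $absent = [pscustomobject]@{ Present = $false; Value = $null; LooksLikeGuid = $false }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return $absent
    }

    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return $absent
    }

    $data = [string]$item.$ValueName
    # The page's sample data is a braced GUID, e.g. "{ED95216A-AE76-4A76-B450-3644E984C941}".
    # The pattern below is this example's assumption about what "GUID-shaped" means.
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    [pscustomobject]@{
        Present       = $true
        Value         = $data
        LooksLikeGuid = ($data -match $guidPattern)
    }
}

$result = Test-FareitHwidMarker
if ($result.Present) {
    Write-Warning ('HWID value found under HKCU\Software\WinRAR: {0} (GUID-shaped: {1})' -f $result.Value, $result.LooksLikeGuid)
} else {
    Write-Output 'No HWID value found under HKCU\Software\WinRAR.'
}
```

The check is scoped to the value, not the key: a legitimate WinRAR installation also writes its settings under HKCU\Software\WinRAR, so the presence of the key alone says nothing. Because the indicator lives in HKCU, run the check in the context of each user profile of interest, or load the other users' NTUSER.DAT hives before querying them.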
Payload

PWS:Win32/Fareit.gen!E may steal account user names and passwords stored in your browser if you are using Chrome, Firefox, Internet Explorer, or Opera.

It also attempts to steal stored account information, such as server names, port numbers, login IDs, and passwords from the following FTP clients or cloud storage programs, if these are installed:

  • 32bit FTP
  • 3D-FTP
  • ALFTP
  • BitKinex
  • Blaze FTP
  • BulletProof FTP
  • ClassicFTP
  • Coffee Cup FTP
  • Core FTP
  • CuteFTP
  • Easy FTP
  • ExpanDrive
  • Far FTP
  • FFFTP
  • FileZilla
  • FlashFxp
  • FlingFTP
  • Free FTP
  • Frigate FTP
  • FTP Client
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTP Voyager
  • FTP++
  • FTPCommander
  • LeapFTP
  • Leech FTP
  • NetDrive
  • Opus
  • Robo FTP
  • SecureFX
  • SmartFTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • Web Site Publisher
  • WebDrive
  • Windows Commander
  • WinSCP
  • Wise-FTP by AceBit
  • WS_FTP

It then posts all of this information to a remote server. Examples of servers contacted by the malware include:

  • 108.178.59.26
  • 149.255.99.32
  • 209.59.216.85
  • 213.155.112.84
  • 213.155.112.85
  • 66.175.213.163
  • 69.194.192.203
  • 74.53.97.66
  • akamaifilms.com
  • classicmodels.at
  • greenduit.ru
  • jadeace.ru
  • lnkstyle.com
  • mintdv.info
  • newshlp.com
  • resysall.com
  • scriptsyst.com
  • sertstat.com
  • shotthemfupa.com
  • stareanatiunii.com
  • systhelp.com
  • tenuregrammarchecking.co.in
  • yellowmantis.ru
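The host list above is most useful as a sweep over proxy or DNS logs for connections to the infrastructure the sample contacted. The following is an added example written for this page, not part of the Microsoft write-up: the indicator values are copied from the list above, while the log line format, the sample lines and the function name are constructed for the example.

```powershell
# Added example (not from the Microsoft write-up). Matches the hosts listed on the page
# against proxy-style log lines of the constructed form "<timestamp> <client-ip> <method> <url>".
$FareitIndicators = @(
    '108.178.59.26', '149.255.99.32', '209.59.216.85', '213.155.112.84', '213.155.112.85',
    '66.175.213.163', '69.194.192.203', '74.53.97.66',
    'akamaifilms.com', 'classicmodels.at', 'greenduit.ru', 'jadeace.ru', 'lnkstyle.com',
    'mintdv.info', 'newshlp.com', 'resysall.com', 'scriptsyst.com', 'sertstat.com',
    'shotthemfupa.com', 'stareanatiunii.com', 'systhelp.com', 'tenuregrammarchecking.co.in',
    'yellowmantis.ru'
)

function Find-FareitBeacon {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Indicators = $FareitIndicators
    )

    # Case-insensitive set for exact host/IP matches.
    $exact = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($i in $Indicators) { [void]$exact.Add($i) }

    foreach ($line in $LogLines) {
        $fields = $line -split '\s+', 4
        if ($fields.Count -lt 4) { continue }   # malformed line, skip

        # Parse the URL so the host is compared on its own, not as a substring of the line.
        $uri = $null
        if (-not [System.Uri]::TryCreate($fields[3], [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $hostName = $uri.Host

        # Exact match, or a subdomain of a listed domain (e.g. www.systhelp.com).
        $isHit = $exact.Contains($hostName)
        if (-not $isHit) {
            foreach ($d in $Indicators) {
                if ($hostName.EndsWith('.' + $d, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $isHit = $true
                    break
                }
            }
        }

        if ($isHit) {
            [pscustomobject]@{
                Timestamp = $fields[0]
                Client    = $fields[1]
                Method    = $fields[2]
                Host      = $hostName
                Url       = $fields[3]
            }
        }
    }
}

# Constructed sample lines: the second and third should be reported, the others not.
$sampleLog = @(
    '2012-09-29T10:01:02Z 10.0.0.15 GET http://www.microsoft.com/security/',
    '2012-09-29T10:01:09Z 10.0.0.15 POST http://systhelp.com/',
    '2012-09-29T10:01:10Z 10.0.0.22 POST http://213.155.112.84/',
    '2012-09-29T10:02:44Z 10.0.0.31 GET http://example.org/'
)

Find-FareitBeacon -LogLines $sampleLog | Format-Table -AutoSize
```

Matching on the parsed host rather than on the raw line avoids false hits where a listed string appears inside a longer, unrelated domain or in a URL path. For real logs, replace `$sampleLog` with `Get-Content` over the exported proxy log and adjust the `-split` step to that log's column layout; hosting IPs and domains of this age are routinely reassigned, so a hit is a lead to confirm against the host, not a verdict on its own.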
Analysis by Jonathan San Jose

Last update 29 September 2012
