Win32/PSW.Fareit [Threat Name]

Win32/PSW.Fareit.A [Threat Variant Name]

Category trojan
Size 130048 B
Detection created Nov 17, 2012
Signature database version 8164
Aliases PWS:Win32/Fareit (Microsoft)
  PWS-Zbot.gen.arb.trojan (McAfee)
  TR/PSW.Fareit.465 (Avira)
Short description

Win32/PSW.Fareit.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\SOFTWARE\WinRAR]
    • "HWID" = %data%

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\WinRAR]
    • %variable1% = "true"

The trojan creates the following file:

  • %temp%\%variable2%.bat

The file is then executed.


A string with variable content is used instead of %variable1-2%.

Information stealing

Win32/PSW.Fareit.A is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • operating system version
  • information about the operating system and system settings

The following programs are affected:

  • 32bit FTP
  • 3D-FTP
  • AceFTP
  • Adobe suite
  • ALFTP
  • Bat! Email Client
  • Becky! Internet Mail
  • BitKinex
  • BlazeFTP
  • Bromium
  • Bullet Proof FTP
  • Chrome
  • ChromePlus
  • Chromium
  • Classic FTP
  • CoffeeCup Software
  • Comodo
  • CoolNovo
  • Core FTP
  • CuteFTP
  • Cyberduck
  • DeluxeFTP
  • Direct FTP
  • Directory Opus
  • Easy FTP
  • Epic Browser
  • ExpanDrive
  • Far Manager
  • FastStone Browser
  • FastTrack
  • FFFTP
  • FileZilla
  • FlashFXP
  • Fling FTP Software
  • Free FTP (by CoffeeCup)
  • Fresh FTP
  • Frigate3
  • FTP Commander
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTP Surfer
  • FTP Voyager
  • FTP++
  • FTPGetter
  • FtpInfo
  • FTPShell
  • Global Downloader
  • GoFTP
  • IncrediMail
  • Internet Explorer
  • Ipswitch WS_FTP
  • K-Meleon
  • LeapFTP
  • LeechFTP
  • LinasFTP
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Flock
  • Mozilla SeaMonkey
  • Mozilla Thunderbird
  • My FTP
  • NetDrive
  • NexusFile
  • Nichrome
  • Notepad++
  • Nova FTP
  • Odin Secure FTP Expert
  • Opera
  • PocoMail
  • PuTTY
  • Robo-FTP
  • RockMelt
  • SecureFX
  • SmartFTP
  • SoftX FTP Client
  • Staff-FTP
  • Terminal Server
  • Total Commander
  • TurboFTP
  • UltraFXP
  • Web Site Publisher
  • WebDrive
  • Windows Commander
  • Windows Live Mail
  • Windows Mail
  • WinFTP
  • WinSCP
  • WinZip
  • WISE-FTP
  • Xftp
  • Yandex

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a list of 5 URLs.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %temp%\%variable3%.exe

The files are then executed. The HTTP protocol is used.


A string with variable content is used instead of %variable3%.


The trojan removes itself from the computer.
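
The indicators described on this page (the "HWID" value under HKEY_CURRENT_USER\SOFTWARE\WinRAR, the "true" flag values, and the .bat and .exe files in %temp%) can be correlated per process in endpoint telemetry. The following is an added example, not part of the original description; the Sysmon-style field names, the Temp path layout and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators come from the description above. The Sysmon-style field names
# (event 13 = registry value set, 11 = file created) and the Temp path layout
# are assumptions about the log source.
WINRAR_VALUE = re.compile(r"\\SOFTWARE\\WinRAR\\([^\\]+)$", re.I)
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(bat|exe)$", re.I)

def collect_traits(events):
    """Group events by (host, process) and record which described traits appear."""
    traits = defaultdict(set)
    for ev in events:
        proc = (ev["Host"], ev["ProcessGuid"])
        if ev["EventID"] == 13:
            m = WINRAR_VALUE.search(ev["TargetObject"])
            if not m:
                continue
            if m.group(1).upper() == "HWID":
                traits[proc].add("hwid_value")
            elif ev["Details"].strip('"').lower() == "true":
                traits[proc].add("true_flag")  # %variable1% = "true"
        elif ev["EventID"] == 11:
            m = TEMP_DROP.search(ev["TargetFilename"])
            if m:
                traits[proc].add("temp_" + m.group(1).lower())
    return traits

def suspicious(events, min_traits=2):
    """Processes that set HWID and show at least min_traits traits in total."""
    return {p: sorted(t) for p, t in collect_traits(events).items()
            if "hwid_value" in t and len(t) >= min_traits}

# Constructed sample events, not real telemetry.
KEY = r"HKU\S-1-5-21-1111\SOFTWARE\WinRAR"
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE = [
    {"Host": "HOST1", "ProcessGuid": "{A}", "EventID": 13, "TargetObject": KEY + r"\HWID", "Details": "Binary Data"},
    {"Host": "HOST1", "ProcessGuid": "{A}", "EventID": 13, "TargetObject": KEY + r"\a1b2c3", "Details": "true"},
    {"Host": "HOST1", "ProcessGuid": "{A}", "EventID": 11, "TargetFilename": TMP + r"\4829103.bat"},
    {"Host": "HOST2", "ProcessGuid": "{B}", "EventID": 11, "TargetFilename": TMP + r"\setup.exe"},
    {"Host": "HOST2", "ProcessGuid": "{C}", "EventID": 13, "TargetObject": KEY + r"\HWID", "Details": "Binary Data"},
]

if __name__ == "__main__":
    for proc, found in suspicious(SAMPLE).items():
        print(proc, found)
```

A match is a lead for triage, and the trait threshold is a starting point to tune against local telemetry.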
