Win32/Farfli [Threat Name]

Win32/Farfli.AA [Threat Variant Name]

Category: trojan
Size: 108283 B
Detection created: Jan 05, 2010
Detection database version: 4745
Aliases: Trojan.Win32.Pincav.hby (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  BackDoor-EKX.trojan (McAfee)
Short description

Win32/Farfli.AA installs a backdoor that can be controlled remotely.
The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

It avoids files which contain any of the following strings in their path:

  • 6to4

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "Start" = %variable1%
    • "Type" = %variable2%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Enum]
    • "0" = "Root\LEGACY_%servicename%\0000"
    • "Count" = %variable3%
    • "NextInstance" = %variable4%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%servicename%]
    • "NextInstance" = %variable5%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%servicename%\0000]
    • "Service" = "%servicename%"
    • "Legacy" = %variable6%
    • "ConfigFlags" = %variable7%
    • "Class" = "%variable8%"
    • "ClassGuid" = "%variable9%"
    • "DeviceDesc" = "%variable10%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%servicename%\0000\Control]
    • "*NewlyCreated*" = %variable11%
    • "ActiveService" = "%servicename%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    • "ServiceDll" = "%originalservicepath%"
    • "paramet" = "%originalservicepath%"

A string with variable content is used instead of %variable1-11%.

Because the replaced DLL is loaded by the svchost netsvcs service group at startup, the trojan is executed on every system start.

The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe

The trojan creates copies of the following files (source, destination):

  • %originalservicepath%, %originalservicepath%.lang
  • %originalservicepath%, %system%\dllcache\%originalservicefilename%

The trojan creates the following files:

  • %temp%\%random%_res.tmp
  • %system%\syslog.dat
  • %system%\1.txt.lang
  • %originalservicepath%_lang.ini

The trojan may create copies of the following files (source, destination):

  • %system%\1.txt, %system%\1.txt.lang
  • %systemdrive%\1.txt, %system%\dllcache\1.txt
  • %temp%\%random%_res.tmp, %originalservicepath%

A string with variable content is used instead of %random%.
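As an added defender's example (not part of this ESET entry), the following Python hunt parses a registry export of the Services key and flags DLL-hosted services showing the footprint listed above: the non-standard "paramet" value under Parameters and the `.lang` / `_lang.ini` companions beside the ServiceDll path. The sample export, service names and file listing are constructed for the example.

```python
import re

# Constructed sample .reg export (not from the page): one ordinary DLL-hosted
# service and one carrying the registry footprint the description lists.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\6to4svc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\wuauserv.dll"
"paramet"="C:\\WINDOWS\\system32\\wuauserv.dll"
'''

# Constructed stand-in for a directory listing of the paths the rules consult.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\6to4svc.dll",
    r"C:\WINDOWS\system32\wuauserv.dll",
    r"C:\WINDOWS\system32\wuauserv.dll.lang",      # saved copy of the real DLL
    r"C:\WINDOWS\system32\wuauserv.dll_lang.ini",  # companion config file
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        key_m, val_m = KEY_RE.match(line.strip()), VAL_RE.match(line.strip())
        if key_m:
            current = key_m.group(1)
            keys[current] = {}
        elif val_m and current is not None:
            # .reg doubles backslashes inside string data; undo that.
            keys[current][val_m.group(1)] = val_m.group(2).replace("\\\\", "\\")
    return keys

def farfli_indicators(reg_text, files_on_disk):
    """One finding per DLL-hosted service whose Parameters key or ServiceDll
    neighbourhood matches the Win32/Farfli.AA footprint listed above."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith("\\parameters") or "ServiceDll" not in values:
            continue
        dll = values["ServiceDll"]
        hits = ["paramet"] if "paramet" in values else []      # value only the trojan writes
        hits += [s for s in (".lang", "_lang.ini") if dll + s in files_on_disk]
        if hits:
            findings.append({"service": key.split("\\")[-2], "dll": dll, "indicators": hits})
    return findings
```

On a live system the same rules apply to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and a listing of the directories the ServiceDll values point into.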

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of one URL. The TCP protocol is used.

It can execute the following operations:

  • update itself to a newer version
  • set file attributes
  • send the list of running processes to a remote computer
  • send the list of disk devices and their type to a remote computer
  • remove itself from the infected computer
  • open a specific URL address
  • move files
  • run executable files
  • download files from a remote computer and/or the Internet
  • terminate running processes
  • delete folders
  • delete cookies
  • delete Registry entries
  • create folders
  • capture screenshots
  • create Registry entries
  • shut down/restart the computer
  • log keystrokes
  • capture webcam video/voice
  • send various information about the infected computer
  • send files to a remote computer

The following information is collected:

  • network adapter information
  • computer name
  • memory status
  • CPU information
  • Internet Explorer version

The trojan can send the information to a remote machine.

The following services are disabled:

  • Windows File Protection
