Win32/Farfli [Threat Name]

Win32/Farfli.BGG [Threat Variant Name]

Category: trojan
Size: 278528 B
Aliases: Trojan.Win32.Scar.qnyq (Kaspersky)
         BackDoor.PcClient.6595 (Dr.Web)
         TrojanDownloader:Win32/Farfli.L!bit (Microsoft)

Short description

Win32/Farfli.BGG serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %systemroot%\Terms.EXE.exe

The trojan registers itself as a system service using the following name:

  • $SuperProServer

This causes the trojan to be executed on every system start.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SuperProServer]
    • "ConnectGroup" = "默认分组"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SuperProServer]
    • "DeleteFiles" = "%originalmalwarefilepath%"
    • "Description" = "监测和监视新硬件设备并自动更新设备驱动。"
    • "MarkTime" = "%datetime%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "SuperProServer" = "%systemroot%\Terms.EXE.exe"

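
A triage check for the persistence artefacts listed above, as an added example that is not part of the original description: it scans the decoded text of a `reg export` file for the SuperProServer service key, its values and the Run entry. Matching ControlSet00N keys (as seen in offline hives) and any Run value that points at Terms.EXE.exe goes beyond what the description lists; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above; registry names are case-insensitive.
SERVICE_KEY_RE = re.compile(
    r"hkey_local_machine\\system\\(currentcontrolset|controlset\d{3})"
    r"\\services\\superproserver")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICE_VALUES = ("connectgroup", "deletefiles", "marktime")
DROPPED_FILE = r"\terms.exe.exe"
# "name"="data" lines (REG_SZ only; dword and hex-encoded types are skipped).
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text):
    """Parse decoded .reg text into {lowercased key: {lowercased name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.fullmatch(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_artifacts(text):
    """Return a list of findings for the persistence artefacts listed above."""
    findings = []
    for key, values in parse_reg(text).items():
        if SERVICE_KEY_RE.fullmatch(key):
            findings.append(f"service key: {key}")
            findings += [f"service value: {n}={values[n]!r}"
                         for n in SERVICE_VALUES if n in values]
        elif key == RUN_KEY:
            findings += [f"run value: {n}={d!r}" for n, d in values.items()
                         if n == "superproserver"
                         or d.lower().strip('"').endswith(DROPPED_FILE)]
    return findings

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SuperProServer]
"ConnectGroup"="默认分组"
"MarkTime"="2020-01-01 00:00"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"SuperProServer"="C:\\Windows\\Terms.EXE.exe"
'''
```

`find_artifacts(SAMPLE)` returns four findings: the service key, its ConnectGroup and MarkTime values, and the Run value. `reg export` writes UTF-16, so decode the file before passing its text in.
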
Information stealing

Win32/Farfli.BGG is a trojan that steals sensitive information.

The trojan is able to log keystrokes.

The following information is collected:

  • operating system version
  • computer IP address
  • amount of operating memory
  • installed antivirus software
  • logged keystrokes
  • network adapter information
  • computer name
  • CPU information

The trojan attempts to send gathered information to a remote machine. The TCP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The TCP protocol is used.

It can execute the following operations:

  • update itself to a newer version
  • set file attributes
  • send the list of running processes to a remote computer
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • remove itself from the infected computer
  • open a specific URL address
  • copy files
  • move files
  • run executable files
  • download files from a remote computer and/or the Internet
  • terminate running processes
  • play sound/video
  • delete folders
  • delete files
  • delete cookies
  • delete Registry entries
  • create folders
  • capture screenshots
  • create Registry entries
  • shut down/restart the computer
  • manipulate application windows
  • show/hide application windows
  • display a dialog window
  • send open TCP and UDP port numbers to a remote computer
  • execute shell commands
  • log off the current user
  • simulate user's input (clicks, taps)
  • watch the user's screen content
  • delete user account
  • create user account
  • uninstall itself
  • make operating system unbootable
  • start/stop services
  • various Registry operations
  • perform DoS/DDoS attacks
  • turn the display off
  • open the CD/DVD drive
  • swap mouse buttons
  • send list of installed applications
  • log keystrokes
  • capture webcam video/voice
  • send various information about the infected computer
  • send files to a remote computer
  • send gathered information

The trojan can be used to gain full access to the compromised computer.
