Win32/PSW.Fareit [Threat Name]
Win32/PSW.Fareit.A [Threat Variant Name]
Category | trojan |
Size | 130048 B |
Aliases | PWS:Win32/Fareit (Microsoft) |
 | PWS-Zbot.gen.arb.trojan (McAfee) |
 | TR/PSW.Fareit.465 (Avira) |
Short description
Win32/PSW.Fareit.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.
Installation
The trojan does not create any copies of itself.
The following Registry entry is set:
- [HKEY_CURRENT_USER\SOFTWARE\WinRAR]
- "HWID" = %data%
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\WinRAR]
- %variable1% = "true"
The trojan creates the following file:
- %temp%\%variable2%.bat
The file is then executed.
A string with variable content is used instead of %variable1-2%.
Information stealing
Win32/PSW.Fareit.A is a trojan that steals passwords and other sensitive information.
The trojan collects the following information:
- login user names for certain applications/services
- login passwords for certain applications/services
- FTP account information
- operating system version
- information about the operating system and system settings
The following programs are affected:
- 32bit FTP
- 3D-FTP
- AceFTP
- Adobe suite
- ALFTP
- Bat! Email Client
- Becky! Internet Mail
- BitKinex
- BlazeFTP
- Bromium
- Bullet Proof FTP
- Chrome
- ChromePlus
- Chromium
- Classic FTP
- CoffeeCup Software
- Comodo
- CoolNovo
- Core FTP
- CuteFTP
- Cyberduck
- DeluxeFTP
- Direct FTP
- Directory Opus
- Easy FTP
- Epic Browser
- ExpanDrive
- Far Manager
- FastStone Browser
- FastTrack
- FFFTP
- FileZilla
- FlashFXP
- Fling FTP Software
- Free FTP (by CoffeeCup)
- Fresh FTP
- Frigate3
- FTP Commander
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP Now
- FTP Rush
- FTP Surfer
- FTP Voyager
- FTP++
- FTPGetter
- FtpInfo
- FTPShell
- Global Downloader
- GoFTP
- IncrediMail
- Internet Explorer
- Ipswitch WS_FTP
- K-Meleon
- LeapFTP
- LeechFTP
- LinasFTP
- Microsoft Outlook
- Mozilla Firefox
- Mozilla Flock
- Mozilla SeaMonkey
- Mozilla Thunderbird
- My FTP
- NetDrive
- NexusFile
- Nichrome
- Notepad++
- Nova FTP
- Odin Secure FTP Expert
- Opera
- PocoMail
- PuTTY
- Robo-FTP
- RockMelt
- SecureFX
- SmartFTP
- SoftX FTP Client
- Staff-FTP
- Terminal Server
- Total Commander
- TurboFTP
- UltraFXP
- Web Site Publisher
- WebDrive
- Windows Commander
- Windows Live Mail
- Windows Mail
- WinFTP
- WinSCP
- WinZip
- WISE-FTP
- Xftp
- Yandex
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan contains a list of 5 URLs.
It tries to download several files from these addresses.
These are stored in the following locations:
- %temp%\%variable3%.exe
The files are then executed. The HTTP protocol is used.
A string with variable content is used instead of %variable3%.
The trojan removes itself from the computer.
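A hunting sketch for the host artifacts listed under Installation and Other information, added here as an example (it is not the vendor's code and not part of the original description). The event records are constructed, the field names (`kind`, `image`, `target`, `data`) are a hypothetical schema, and %temp% is assumed to resolve to the user's `AppData\Local\Temp` directory.

```python
import re
from collections import defaultdict

# Patterns for the artifacts this page lists. Assumption: HKCU shows up in
# telemetry as HKU\<SID>\..., and %temp% resolves to ...\AppData\Local\Temp.
REG_HWID = re.compile(r"\\SOFTWARE\\WinRAR\\HWID$", re.I)
REG_FLAG = re.compile(r"\\SOFTWARE\\WinRAR\\[^\\]+$", re.I)
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(bat|exe)$", re.I)

def classify(ev):
    """Map one event to the page behaviour it matches, or None."""
    kind, target = ev["kind"], ev["target"]
    if kind == "reg_set" and REG_HWID.search(target):
        return "winrar_hwid"
    if kind == "reg_set" and REG_FLAG.search(target) and ev.get("data") == "true":
        return "winrar_flag"
    if kind == "file_create":
        m = TEMP_DROP.search(target)
        if m:
            return "temp_" + m.group(1).lower()
    return None

def hunt(events):
    """Report (host, process) pairs that wrote the HWID value AND dropped a
    .bat/.exe into Temp; requiring both cuts noise from ordinary Temp writes."""
    seen = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            seen[(ev["host"], ev["image"])].add(tag)
    return {key: sorted(tags) for key, tags in seen.items()
            if "winrar_hwid" in tags and tags & {"temp_bat", "temp_exe"}}

# Constructed sample events (hypothetical schema, not real telemetry).
KEY = r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\WinRAR"
PROC = r"C:\Users\a\Desktop\sample.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "reg_set", "image": PROC, "target": KEY + r"\HWID", "data": "(binary)"},
    {"host": "ws01", "kind": "reg_set", "image": PROC, "target": KEY + r"\k3f9a", "data": "true"},
    {"host": "ws01", "kind": "file_create", "image": PROC,
     "target": r"C:\Users\a\AppData\Local\Temp\884120.bat"},
    {"host": "ws02", "kind": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\b\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for (host, image), tags in hunt(SAMPLE_EVENTS).items():
        print(host, image, tags)
```

Because the trojan removes itself after running, the registry value and the Temp file events are the traces most likely to remain for this kind of correlation.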