
PWS:Win32/Fareit


Microsoft security software detects and removes this threat.

This family of trojans steals your sensitive information, such as your website passwords, and sends it to a malicious hacker.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

PWS:Win32/Fareit is usually installed to a particular location by other malware, and runs from that location.

For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%/lp/<four hexadecimal digits>/<number>.tmp (for example, %ProgramFiles%\lp\008a\7.tmp).

Rogue:Win32/FakeScanti installs it to %APPDATA%\dwme.exe and %TEMP%\dwme.exe, or %APPDATA%\svhostu.exe and %TEMP%\svhostu.exe.

PWS:Win32/Fareit creates the following registry entry:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<guid>" (for example, {FF72229E-611D-4FD5-A025-00C933DAA429})

It might also store information under the registry value HKCU\Software\WinRAR\Client Hash, or in %TEMP%\Client Hash.

Some variants of this threat delete themselves once they have finished running.

Payload

Steals sensitive information

PWS:Win32/Fareit tries to retrieve stored website passwords from browsers including Chrome, Firefox, Internet Explorer, and Opera.

It also tries to steal stored account information, like server names, port numbers, login IDs and passwords from the following FTP clients or cloud storage programs:

  • 32bit FTP
  • 3D FTP
  • ALFTP
  • BitKinex
  • Blaze FTP
  • BulletProof FTP
  • ClassicFTP
  • Coffee Cup FTP
  • Core FTP
  • CuteFTP
  • Direct FTP
  • Easy FTP
  • ExpanDrive
  • FFFTP
  • FTP++
  • FTP Client
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTPCommander
  • FTP Voyager
  • Far FTP
  • FileZilla
  • FlashFxp
  • FlingFTP
  • Free FTP
  • Frigate FTP
  • LeapFTP
  • Leech FTP
  • NetDrive
  • Opus
  • Robo FTP
  • SecureFX
  • SmartFTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • WS_FTP
  • Web Site Publisher
  • WebDrive
  • WinSCP
  • Windows Commander
  • Wise-FTP by AceBit

It then posts all of this information to a remote server. Examples of the servers it contacts include:


Downloads and runs other malware

Some samples of PWS:Win32/Fareit have been observed downloading an additional file, saving it to the %TEMP% folder, and then running it. At the time of publishing, this file was a variant of PWS:Win32/Zbot.

Analysis by David Wood and Michael Johnson


Symptoms

The following could indicate that you have this threat on your PC:
  • You have these files:

    %ProgramFiles%/lp/<four hexadecimal digits>/<number>.tmp
    %APPDATA%\dwme.exe and %TEMP%\dwme.exe
    %APPDATA%\svhostu.exe and %TEMP%\svhostu.exe
    %TEMP%\Client Hash

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\WinRAR
    Value: "HWID"
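Checking a host snapshot for the registry and file indicators listed in the Installation and Symptoms sections, as an added example that is not part of the original entry. It assumes the collected file paths still carry the page's %VAR% placeholders (a collector is assumed to have substituted them for the expanded directories), and it treats the HKCU\Software\WinRAR subkey on its own as benign, since legitimate WinRAR also uses it, unless the "HWID" value holds GUID-shaped data as the entry describes.

```python
import re
from typing import Dict, Iterable, List

# Registry indicator from the entry: HKCU\Software\WinRAR, value "HWID" holding a GUID,
# optionally a "Client Hash" value alongside it.
FAREIT_KEY = r"HKCU\Software\WinRAR"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# File indicators from the entry; <four hexadecimal digits> and <number> become patterns.
# The ProgramFiles path is written with both slash styles on the page, so both are accepted.
FILE_PATTERNS = [
    re.compile(r"^%ProgramFiles%[\\/]lp[\\/][0-9a-fA-F]{4}[\\/]\d+\.tmp$", re.IGNORECASE),
    re.compile(r"^%(APPDATA|TEMP)%\\(dwme|svhostu)\.exe$", re.IGNORECASE),
    re.compile(r"^%TEMP%\\Client Hash$", re.IGNORECASE),
]

def check_registry(values: Dict[str, Dict[str, str]]) -> List[str]:
    """values maps a subkey path to {value name: data}. Returns the matched indicators."""
    hits = []
    winrar = values.get(FAREIT_KEY, {})
    hwid = winrar.get("HWID")
    # A genuine WinRAR install also writes under this subkey, so only a GUID-shaped HWID counts.
    if hwid is not None and GUID_RE.match(hwid):
        hits.append(f"{FAREIT_KEY}\\HWID = {hwid}")
    if "Client Hash" in winrar:
        hits.append(f"{FAREIT_KEY}\\Client Hash present")
    return hits

def check_files(paths: Iterable[str]) -> List[str]:
    """Returns the placeholder-form paths that match one of the entry's file indicators."""
    return [p for p in paths if any(pat.match(p) for pat in FILE_PATTERNS)]

def assess(values: Dict[str, Dict[str, str]], paths: Iterable[str]) -> dict:
    """Combines both checks into one verdict for the snapshot."""
    reg = check_registry(values)
    files = check_files(paths)
    return {"registry": reg, "files": files, "suspicious": bool(reg or files)}

# Constructed sample snapshot (hypothetical, not taken from a real host).
SAMPLE_REGISTRY = {
    r"HKCU\Software\WinRAR": {"HWID": "{FF72229E-611D-4FD5-A025-00C933DAA429}"},
}
SAMPLE_PATHS = [r"%ProgramFiles%\lp\008a\7.tmp", r"%APPDATA%\dwme.exe", r"%TEMP%\notes.txt"]

if __name__ == "__main__":
    print(assess(SAMPLE_REGISTRY, SAMPLE_PATHS))
```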

Prevention


Alert level: Severe
First detected by definition: 1.111.1396.0
Latest detected by definition: 1.195.3680.0 and higher
First detected on: Sep 03, 2011
This entry was first published on: Apr 30, 2011
This entry was updated on: Oct 29, 2014

This threat is also detected as:
  • W32/Suspicious_Gen2.LQDGT (Norman)
  • Trojan.Agent2!ChXpWmXSFdU (VirusBuster)
  • Trojan horse PSW.Agent.AMDQ (AVG)
  • TR/Spy.36352.84 (Avira)
  • Trojan.Heur.DP.cCW@ayhvbjo (BitDefender)
  • Trojan.Packed.21594 (Dr.Web)
  • Trojan.Win32.Agent2.dlvm (Kaspersky)
  • Trj/Lukicsel.A (Panda)