Win32/Fareit


Microsoft security software detects and removes this threat.

The Win32/Fareit malware family has many components, including a password stealing component, PWS:Win32/Fareit, that steals sensitive information from your PC and sends it to a hacker.

There is also a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that can be used against other servers.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your email accounts

This threat tries to hack your email accounts.

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat might be installed by other malware.

PWS:Win32/Fareit is usually installed to a particular location by other malware, then run from this location.

For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%\lp\<four hexadecimal digits>\<number>.tmp (for example, %ProgramFiles%\lp\008a\7.tmp), while Rogue:Win32/FakeScanti installs it to %AppData%\dwme.exe and %temp%\dwme.exe, or %AppData%\svhostu.exe and %temp%\svhostu.exe.

DDoS:Win32/Fareit.gen!A stops previous versions of itself that might already be running, then it copies itself to %AppData%\pny\pnd.exe.

It creates the following registry entry to ensure that this copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft PnD"
With data: "%AppData%\pny\pnd.exe"

It then runs the new copy.

Both components create a registry entry like the following:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<unique identifier>" (for example, {D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7})

Some variants of PWS:Win32/Fareit delete themselves once they have finished running.

Payload

Steals sensitive information

PWS:Win32/Fareit tries to steal stored website passwords from different browsers including Chrome, Firefox, Internet Explorer, and Opera.

It also tries to steal stored account information, like server names, port numbers, login IDs and passwords from these FTP clients or cloud storage programs if these are installed:

  • 32bit FTP
  • 3D-FTP
  • AceFTP
  • ALFTP
  • Becky!
  • BitKinex
  • BlazeFTP
  • Bromium (Yandex Chrome)
  • BulletProof FTP
  • ChromePlus
  • Chromium
  • ClassicFTP
  • CoffeeCup FTP
  • CoffeeCup Sitemapper (CoffeeCup FTP)
  • CoffeeCup Visual Site Designer
  • Comodo Dragon
  • CoolNovo
  • CoreFTP
  • CuteFTP
  • Cyberduck
  • DeluxeFTP
  • DirectFTP (FreeFTP)
  • Directory Opus
  • Dreamweaver
  • Easy FTP
  • Epic
  • ExpanDrive
  • FAR Manager
  • FastStone Browser
  • FastTrackFTP
  • FFFTP
  • FileZilla
  • Firefox
  • FireFTP
  • FlashFXP
  • Fling
  • Flock
  • FreeFTP
  • FreshFTP
  • Frigate3 FTP
  • FTP Commander
  • FTP Control
  • FTP Explorer
  • FTP Now
  • FTP Surfer
  • FTP Voyager
  • FTPGetter
  • FTPInfo
  • FTPRush
  • FTPShell
  • Global Downloader
  • GoFTP
  • Google Chrome
  • IncrediMail
  • Internet Explorer
  • K-Meleon
  • LeapFTP
  • LeechFTP
  • LinasFTP
  • Mozilla Suite Browser
  • MyFTP
  • NetDrive
  • NETFile
  • NexusFile
  • Nichrome
  • Notepad++ (NppFTP)
  • NovaFTP
  • Odin Secure FTP Expert
  • Opera
  • Outlook
  • Pocomail
  • Putty
  • Robo-FTP
  • RockMelt
  • SeaMonkey
  • SecureFX
  • sherrod FTP
  • SmartFTP
  • SoftX
  • SRWare Iron (Chromium)
  • Staff-FTP
  • The Bat!
  • Thunderbird
  • Total Commander
  • TurboFTP
  • UltraFXP
  • WebDrive
  • WebSitePublisher
  • Windows Live Mail
  • Windows Mail
  • WinFTP
  • WinSCP
  • WinZip
  • WiseFTP
  • WS_FTP
  • Xftp
  • Yandex.Internet

It then posts all of this information to a remote server. Examples of servers contacted by this threat include:


Participates in DDoS attacks

DDoS:Win32/Fareit.gen!A contacts a command and control server operated by a hacker. This server instructs your infected PC to take part in DDoS attacks against other servers of the hacker's choosing. The component then floods the targeted server with many HTTP GET or POST requests. It varies the request headers so that each request appears to come from a different referrer (the webpage that the request appears to be linked from) and from a range of web browser versions and languages. This makes the requests harder for the targeted server to filter out.
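The header-randomizing flood described above can be spotted on the receiving web server. The following Python is an added example, not part of this entry: it parses combined-format access logs and flags any client that, inside a sliding time window, sends many GET or POST requests with a different referrer and user agent on almost every request. The log lines, client addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache/nginx "combined" format; Accept-Language is not logged by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
def parse(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec
def find_flood_sources(lines, window_s=60, min_requests=20, min_distinct_ratio=0.5):
    """Flag clients sending >= min_requests GET/POST requests in any window_s-second
    window while rotating Referer and User-Agent (distinct share >= min_distinct_ratio).
    Browsers keep one user agent per session, so per-request rotation marks the flood."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] in ("GET", "POST"):
            by_ip[rec["ip"]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, j = None, 0
        for i in range(len(recs)):  # sliding window over sorted timestamps
            while (recs[i]["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            win = recs[j:i + 1]
            refs, uas = {r["referer"] for r in win}, {r["ua"] for r in win}
            if (len(win) >= min_requests and len(refs) >= min_distinct_ratio * len(win)
                    and len(uas) >= min_distinct_ratio * len(win)
                    and (best is None or len(win) > best["requests"])):
                best = {"requests": len(win), "referers": len(refs), "user_agents": len(uas)}
        if best:
            suspects[ip] = best
    return suspects
def constructed_sample():
    """Constructed log: a header-rotating client (198.51.100.7) and a normal visitor."""
    base = datetime(2012, 2, 13, 10, 0, 0)  # arbitrary start time
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 512 '
                     f'"http://ref{i}.example/p{i}" "Mozilla/5.0 (Windows NT 6.{i % 3}) UA/{i}.0"')
        lines.append(f'203.0.113.5 - - [{ts}] "GET /page{i}.html HTTP/1.1" 200 1024 '
                     f'"http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"')
    return lines
```

Tune window_s and min_requests to the traffic volume of the server being protected; the ratios, not the raw count, are what separate this flood from a legitimately busy client.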

Examples of command and control servers used at the time of this writing include the following:


For more information, please see the description for DDoS:Win32/Fareit.gen!A elsewhere in the encyclopedia.

Downloads and runs files

Some samples of PWS:Win32/Fareit have been observed downloading an additional file, saving it to the %TEMP% folder, and then running it. At the time of writing, these files were variants of PWS:Win32/Zbot.

If a new version of DDoS:Win32/Fareit.gen!A is available, its command and control server may provide a copy of the updated file. This file is then saved to the %TEMP% folder and run.

Analysis by David Wood


Symptoms

The following could indicate that you have this threat on your PC:
  • You have these files:

    %ProgramFiles%\lp\<four hexadecimal digits>\<number>.tmp
    %AppData%\dwme.exe
    %TEMP%\dwme.exe
    %AppData%\svhostu.exe
    %TEMP%\svhostu.exe
    %AppData%\pny\pnd.exe
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: "Microsoft PnD"
    Data: %AppData%\pny\pnd.exe

    In subkey: HKCU\Software\WinRAR
    Value: "HWID"
    Data: <unique identifier> (for example, {D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7})
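The file paths and registry entries listed under Installation and Symptoms can be checked mechanically against data collected from a host. The following Python is an added example, not part of this entry: it normalizes expanded Windows paths back to the %ProgramFiles%, %AppData% and %TEMP% placeholders used above and matches them, together with exported registry values, against the indicators. The environment values, the user name "alice" and the sample collector output are constructed.

```python
import re
# Indicators from the Installation and Symptoms sections. <four hexadecimal
# digits> and <number> become regular expressions; Windows paths are
# case-insensitive, so matching is too.
FILE_PATTERNS = [
    r"%PROGRAMFILES%\\lp\\[0-9a-f]{4}\\\d+\.tmp",  # Backdoor:Win32/Cycbot drop
    r"%APPDATA%\\dwme\.exe", r"%TEMP%\\dwme\.exe",   # Rogue:Win32/FakeScanti drops
    r"%APPDATA%\\svhostu\.exe", r"%TEMP%\\svhostu\.exe",
    r"%APPDATA%\\pny\\pnd\.exe",                      # DDoS:Win32/Fareit.gen!A copy
]
FILE_RE = re.compile("^(?:" + "|".join(FILE_PATTERNS) + ")$", re.IGNORECASE)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HWID_KEY = r"HKCU\Software\WinRAR"
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Constructed environment and collector output for a hypothetical host.
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files",
              "AppData": r"C:\Users\alice\AppData\Roaming",
              "Temp": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_FILES = [r"C:\Program Files\lp\008a\7.tmp", r"C:\Windows\notepad.exe",
                r"C:\Users\alice\AppData\Roaming\pny\pnd.exe"]
SAMPLE_REGISTRY = [(RUN_KEY, "Microsoft PnD", r"%AppData%\pny\pnd.exe"),
                   (RUN_KEY, "Updater", r"C:\Program Files\Vendor\updater.exe"),
                   (HWID_KEY, "HWID", "{D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7}")]

def normalize(path, env):
    """Turn an expanded path back into %VAR% form so collected data, which
    carries real directories, can be compared with the indicator list."""
    p = path.replace("/", "\\")
    for var, value in env.items():
        prefix = value.replace("/", "\\").rstrip("\\")
        if p.lower().startswith(prefix.lower() + "\\"):
            return "%" + var.upper() + "%" + p[len(prefix):]
    return p

def scan_files(paths, env):
    """Return the collected paths that match a Fareit drop location."""
    return [p for p in paths if FILE_RE.match(normalize(p, env))]

def scan_registry(values, env):
    """values: (subkey, value name, data) tuples from a registry export."""
    hits = []
    for subkey, name, data in values:
        key = subkey.lower()
        if key == RUN_KEY.lower() and name == "Microsoft PnD" \
                and normalize(data, env).lower() == r"%appdata%\pny\pnd.exe":
            hits.append((subkey, name, data))
        elif key == HWID_KEY.lower() and name == "HWID" and GUID_RE.match(data):
            hits.append((subkey, name, data))  # weak alone; corroborate with a file hit
    return hits
```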


Prevention


Alert level: Severe
This entry was first published on: Feb 13, 2012
This entry was updated on: Sep 02, 2014

This threat is also detected as:
No known aliases