Installation
PWS:Win32/Fareit.gen!I is a password-stealing trojan that is usually dropped and run by other malware.
When run, it modifies the following registry entry:
In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<GUID>", where GUID is a unique number that identifies your computer, for example "7B06301A-BAB1-4610-99B9-BA3EA1CFFF47".
The trojan uses this registry entry to store information about itself. It also stores information in the registry subkey "HKCU\Software\WinRAR\Client Hash".
The trojan deletes itself from your PC after it runs but the registry modifications remain.
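Because the executable removes itself but the registry entries stay behind, the entries are the durable host artifact to look for. The following PowerShell function is an added example for triage, not code from the original write-up: it reports whether the "HWID" value and the "Client Hash" subkey described above exist for the current user. Note that HKCU\Software\WinRAR is also created by a legitimate WinRAR installation, so the presence of the key alone proves nothing; only the two artifacts named in the write-up are checked. The GUID pattern check and the output field names are this example's own choices.

```powershell
# Added example (not part of the original write-up): look for the registry
# artifacts attributed to PWS:Win32/Fareit.gen!I on the host being triaged.
# The key is per-user (HKCU), so run this under each account of interest.
function Test-FareitRegistryArtifacts {
    [CmdletBinding()]
    param(
        # Key named in the write-up; HKCU is the hive it modifies.
        [string]$BasePath = 'HKCU:\Software\WinRAR'
    )

    $findings = @()

    # A legitimate WinRAR install also creates this key; absence simply means nothing to report.
    if (-not (Test-Path -Path $BasePath)) {
        return $findings
    }

    # Indicator 1: the "HWID" value, which the write-up says holds a GUID.
    $hwid = Get-ItemProperty -Path $BasePath -Name 'HWID' -ErrorAction SilentlyContinue
    if ($null -ne $hwid) {
        $value = [string]$hwid.HWID
        # Flag whether the data has the GUID shape given in the write-up (pattern is this example's assumption).
        $looksLikeGuid = $value -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
        $findings += [pscustomobject]@{
            Indicator = 'HWID value present'
            Path      = $BasePath
            Detail    = $value
            GuidLike  = $looksLikeGuid
        }
    }

    # Indicator 2: the "Client Hash" subkey the trojan uses to store data about itself.
    $clientHash = Join-Path -Path $BasePath -ChildPath 'Client Hash'
    if (Test-Path -Path $clientHash) {
        $props = Get-ItemProperty -Path $clientHash -ErrorAction SilentlyContinue
        $names = @()
        if ($null -ne $props) {
            # Collect the value names stored under the subkey, skipping PowerShell's PS* metadata properties.
            $names = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $_.Name }
        }
        $findings += [pscustomobject]@{
            Indicator = 'Client Hash subkey present'
            Path      = $clientHash
            Detail    = ($names -join ', ')
            GuidLike  = $false
        }
    }

    return $findings
}

# Usage: an empty table means neither artifact exists for the current user.
Test-FareitRegistryArtifacts | Format-Table -AutoSize
```

Because the trojan writes under HKCU, a machine-wide sweep has to repeat the check for every profile, for example by loading each user's NTUSER.DAT hive or by running the function in each user's session.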
Payload
Downloads other malware
PWS:Win32/Fareit.gen!I can download and run other malware such as PWS:Win32/Zbot. The malware is downloaded from various servers, including:
- devel.alpharacing.com
- epiplo-soulis.gr
- ftp.lacolazione.fr
- sabi13.com
Steals your user names, passwords and other sensitive information
PWS:Win32/Fareit.gen!I tries to steal account information such as server names, port numbers, user names and passwords. It tries to access this information from the following FTP clients:
- 32bit FTP
- 3D FTP
- AceFTP
- ALFTP
- BitKinex
- Blaze FTP
- BulletProof FTP
- ClassicFTP
- Coffee Cup FTP
- Core FTP
- CuteFTP
- Cyberduck
- DeluxeFTP
- Direct FTP
- Easy FTP
- ExpanDrive
- Far FTP
- FastStone
- FFFTP
- FileZilla
- FlashFxp
- FlingFTP
- FreshFTP
- Frigate FTP
- FTP Client
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP Now
- FTP Rush
- FTP Voyager
- FTP++
- FTPCommander
- FTPGetter
- FTPInfo
- FTPShell
- Global Downloader
- GoFTP
- LeapFTP
- Leech FTP
- LinasFTP
- My FTP
- NetDrive
- NexusFile
- NovaFTP
- NppFTP
- Opus
- Putty
- Robo FTP
- SecureFX
- SmartFTP
- Staff-FTP
- Total Commander
- TurboFTP
- UltraFXP
- Web Site Publisher
- WebDrive
- Windows Commander
- WinFTP
- WinSCP
- WinZip FTP
- Wise-FTP by AceBit
- WS_FTP
- Xftp
It can retrieve stored website passwords from the Chrome, Firefox, Internet Explorer, and Opera web browsers. It can also steal password information from saved remote desktop connections.
PWS:Win32/Fareit.gen!I tries to steal your email user names and passwords from the following email clients:
- BatMail
- IncrediMail
- Outlook
- Pocomail
- RimArts
- Windows Live Mail
- Windows Mail
It also tries to guess your user name and password by checking whether the password is one of the following:
000000 1 1111 11111 111111 11111111 112233 123 123123 123321 1234 12345 123456 1234567 12345678 123456789 1234567890 123abc 123qwe 1q2w3e 1q2w3e4r 222222 55555 654321 666666 7777 7777777 Ashley Charlie Chelsea Jessica Jesus Joshua Password Phpbb Qwerty a aaaaaa abc123 adidas admin amanda andrew angel angel1 angels anthony apple asdf asdfasdf asdfgh asshole austin baby bailey banana bandit baseball batman benjamin billgates biteme blabla blahblah blessed blessing blink182 bubbles buster canada cassie cheese chicken chris christ church cocacola compaq computer cookie cool corvette creative dakota dallas daniel danielle david destiny dexter diamond digital dragon eminem emmanuel enter faith flower foobar football football1 forever forum freedom friend friends fuckoff fuckyou fuckyou1 gates gateway genesis george gfhjkm ghbdtn ginger god google grace green guitar hahaha hallo hannah happy hardcore harley heaven hello hello1 helpme hockey hope hotdog hunter ilovegod iloveyou iloveyou! iloveyou1 iloveyou2 internet james jasmine jason jasper jennifer jesus1 john john316 jordan jordan23 joseph junior justin killer kitten knight letmein london looking love lovely loving lucky maggie master matrix matthew maverick maxwell merlin michael michelle mickey microsoft mike monkey mother muffin mustang mustdie mylove myspace1 nathan nicole nintendo none nothing onelove online orange pass passw0rd password1 peace peaches peanut pepper pokemon poop power praise prayer prince princess purple qazwsx qwert qwerty1 rachel rainbow red123 richard robert rotimi samantha sammy samuel saved scooby scooter secret shadow shalom silver single slayer smokey snoopy soccer soccer1 sparky spirit startrek starwars stella summer sunshine superman taylor test testing testtest thomas thunder tigger trinity trustno1 victory viper welcome whatever william windows winner wisdom zxcvbnm
Once the information is collected, the trojan sends it to a remote server. Examples of the servers contacted by this trojan include:
- 175.118.124.53
- Midwdermatology.com
- www.bobadamsinc.com
- www.richadamsinc.com
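The download servers listed under "Downloads other malware" and the exfiltration servers listed here are the network indicators a responder can search for in proxy or DNS logs. The following PowerShell function is an added example, not code from the original write-up: it scans log lines for those hosts and the IP address, using a boundary-aware match so that a listed domain also matches its subdomains but not an unrelated domain that merely contains the same string. The log lines and their field layout are constructed for this example. Both lists are introduced with "including" and "examples", so they are not exhaustive and a clean scan does not clear a host.

```powershell
# Added example (not part of the original write-up): search exported proxy or
# DNS log lines for the hosts the write-up associates with PWS:Win32/Fareit.gen!I.

# Hosts exactly as listed in the write-up; -match is case-insensitive, so case does not matter.
$FareitIndicators = @(
    # Servers the trojan downloads other malware from
    'devel.alpharacing.com', 'epiplo-soulis.gr', 'ftp.lacolazione.fr', 'sabi13.com',
    # Servers the stolen information is sent to
    '175.118.124.53', 'Midwdermatology.com', 'www.bobadamsinc.com', 'www.richadamsinc.com'
)

function Find-FareitNetworkIndicators {
    param(
        [Parameter(Mandatory)] [string[]]$LogLines,
        [string[]]$Indicators = $FareitIndicators
    )
    $hits = @(foreach ($line in $LogLines) {
        foreach ($ioc in $Indicators) {
            # Lookbehind: not preceded by a hostname character (a preceding '.' is fine, so
            # subdomains of a listed host match). Lookahead: not followed by a hostname
            # character or by '.label', so 'sabi13.com.example.net' is not reported.
            $pattern = '(?<![A-Za-z0-9-])' + [regex]::Escape($ioc) + '(?![A-Za-z0-9-]|\.[A-Za-z0-9])'
            if ($line -match $pattern) {
                [pscustomobject]@{ Indicator = $ioc; Line = $line }
            }
        }
    })
    return $hits
}

# Constructed sample log lines (not real traffic); the format is this example's assumption.
$sample = @(
    '2024-01-01T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html 200',
    '2024-01-01T10:00:01Z 10.0.0.5 GET http://devel.alpharacing.com/a.bin 200',
    '2024-01-01T10:00:02Z 10.0.0.7 POST http://www.richadamsinc.com/p 200',
    '2024-01-01T10:00:03Z 10.0.0.9 CONNECT 175.118.124.53:80 200',
    '2024-01-01T10:00:04Z 10.0.0.9 GET http://notsabi13.com/ 200'
)

# Usage: the example.com and notsabi13.com lines produce no hit; the other three are reported.
Find-FareitNetworkIndicators -LogLines $sample | Format-Table -AutoSize
```

To run this against a real export, replace `$sample` with `Get-Content -Path <log file>` and feed the result to `-LogLines`; the client address in each reported line identifies the host to triage next with the registry check under "Installation".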
Analysis by Steven Zhou.