TrojanPWS.Fareit.gen is a password stealing Trojan that arrives in users inboxes as an attachment under a variety of names including ’ADP Payroll Invoice for week ending 03/01/2013’. The email has a forged From: address appearing to come from ADP.
The Trojan contains password stealing abilities and after execution it is coded to look to various websites to download additional malicious files.
The sites include: hxxp://02d7xx5.netsolhost.com/vpT0bkB.exe hxxp://ezwebxu.com/j3Hw6DHY.exe hxxp://mariefredxx.se/FJkD.exe
Please Note: Thirtyseven4 Antivirus is up-to-date against this threat and Thirtyseven4 has proactively blocked these targeted domains via our Browser Protection module.
Upon execution, it drops a polymorphic file at the following location: %Appdata%\[randome_folder]\[randomename].exe
Here is an example screenshot:
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4
