TrojanPWS.Fareit.E is a password stealing Trojan that arrives in users inboxes as an email pretending to be Secure Message sent from Wells Fargo. The email contains an attachment under a variety of names including ’SecureMessage.zip’. The email has a forged From: address appearing to come from Wells Fargo.
The Trojan contains password stealing abilities and after execution it is coded to look to various websites to download additional malicious files.
The sites include: hxxp://azadcollege.com/BxxrY5p.exe hxxp://ryulawgroup.com/Gxxw1.exe
Please Note: Thirtyseven4 Antivirus is up-to-date against this threat and Thirtyseven4 has proactively blocked these targeted domains via our Browser Protection module.
Upon execution, it drops a polymorphic file at the following location: %Appdata%\[randome_folder]\[randomename].exe
Here is an example screenshot:
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4
