TrojanPWS.Fareit.F1 is a password-stealing Trojan that arrives in users' inboxes as an email pretending to carry documents sent by Wells Fargo. The email has a forged From: address that appears to come from Wells Fargo, and it carries an attachment under a variety of names, including 'WellsFargo.[username].zip'.
Here is an example screenshot:
The Trojan has password-stealing capabilities, and after execution it is coded to contact a number of websites to download additional malicious files.
The sites include (URLs defanged and partially masked as published):
hxxp://www.quicxxkadworld.com/8ScpdjuC.exe
hxxp://www.kgxxsindia.in/TzodD.exe
hxxp://taxi-kaxxtakolo.com/qMG.exe
hxxp://SendTexxxxtADS.info/dXpwPz8.exe
hxxp://208.112.14.44/XfAxxaGivK.exe
Upon execution, it drops a polymorphic file at the following locations:
Thirtyseven4 has built-in generic detection for the dropped file, which its memory scan module detects as "Trojan:Win32/Sirefef.AZ" once the file is loaded in memory.
Please Note: Thirtyseven4 Antivirus is up to date against this threat, and Thirtyseven4 has proactively blocked the targeted domains listed above via its Browser Protection module.
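The following is an added example, not Thirtyseven4's code and not taken from the advisory, that turns the indicators above into something a mail gateway or analyst could run: it flags a message whose From: claims Wells Fargo while its Return-Path envelope domain differs and which carries a WellsFargo.<name>.zip attachment holding an executable, and it refangs the published download URLs into a host blocklist of the kind the Browser Protection note describes. The constructed sample message, the inner file name WellsFargo.jsmith.exe, the Return-Path domain and the executable-extension check are assumptions; the download URLs keep the advisory's "xx" masking, so a real deployment would substitute the unmasked indicators.

```python
"""Triage a message for the Wells Fargo / Fareit lure and extract the
download-site IOCs as a host blocklist.

Added example for this advisory; not Thirtyseven4 code. The sample message
built below is constructed for illustration and contains no malware.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Download sites exactly as the advisory lists them: "hxxp" defanging and the
# masked host characters are preserved, so these resolve to nothing as-is.
DOWNLOAD_URLS = [
    "hxxp://www.quicxxkadworld.com/8ScpdjuC.exe",
    "hxxp://www.kgxxsindia.in/TzodD.exe",
    "hxxp://taxi-kaxxtakolo.com/qMG.exe",
    "hxxp://SendTexxxxtADS.info/dXpwPz8.exe",
    "hxxp://208.112.14.44/XfAxxaGivK.exe",
]

# Attachment naming pattern from the advisory: WellsFargo.[username].zip
LURE_ZIP_RE = re.compile(r"^WellsFargo\.[^/\\]+\.zip$", re.IGNORECASE)
# Assumption: the zip carries a Windows executable; the advisory does not name
# the inner file, so any of these extensions is treated as suspicious.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".cpl")


def refang(url: str) -> str:
    """Turn hxxp:// back into http:// (IOC lists are published defanged)."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def blocklist_hosts(urls=DOWNLOAD_URLS) -> list:
    """Distinct, lower-cased hosts to feed a proxy or DNS block rule."""
    hosts = []
    for u in urls:
        host = urlparse(refang(u)).hostname  # .hostname lower-cases for us
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def _domain(addr: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message against the lure described above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = str(msg.get("From", ""))
    claims_wells_fargo = "wellsfargo" in from_hdr.replace(" ", "").lower()
    # Forgery check: a From: that claims Wells Fargo while the envelope
    # sender (Return-Path) belongs to another domain is the tell.
    forged = claims_wells_fargo and _domain(msg.get("Return-Path", "")) != _domain(from_hdr)

    lure_zips, executables = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not LURE_ZIP_RE.match(name):
            continue
        lure_zips.append(name)
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                executables += [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
        except zipfile.BadZipFile:
            pass  # malformed archive: still reported through lure_zips
    return {
        "forged_sender": forged,
        "lure_attachments": lure_zips,
        "executables": executables,
        "verdict": "BLOCK" if (forged and lure_zips) or executables else "PASS",
    }


def build_sample() -> bytes:
    """Constructed lure resembling the advisory's description (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes standing in for the dropper; inner name is assumed.
        zf.writestr("WellsFargo.jsmith.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Wells Fargo <alerts@wellsfargo.com>"   # forged, as in the advisory
    msg["To"] = "jsmith@example.com"
    msg["Return-Path"] = "<bounce@mail-relay.invalid>"    # assumed envelope sender
    msg["Subject"] = "Your Wells Fargo documents"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="WellsFargo.jsmith.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocklist_hosts())
    print(triage(build_sample()))
```

The Return-Path comparison is deliberately the weakest check that still works offline; in a gateway you would prefer the SPF/DKIM authentication results for the same decision. The refanged hosts are only meaningful once the masked indicators are replaced with the real ones.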
“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4