Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJANPWS.FAREIT.I

 

 

Name: TrojanPWS.Fareit.I

Descr. Added: March 27, 2013

Type: Trojan

Risk: Low

Payload: N/A

At risk systems: Windows 95/98/ME/XP/NT/2003

 

 


 

 

Description:

 

TrojanPWS.Fareit.I is a password-stealing Trojan that arrives in users' inboxes as an email pretending to be a notification from the UPS Logistics Department regarding a package pickup. The email contains an attachment under a variety of names, including 'Label_[random numbers].zip'. The email has a forged From: address that appears to come from UPS.

The Trojan steals passwords and, once executed, contacts various websites to download additional malicious files.

The sites include:
hxxp://aseforum.ro:8080/ponyb/gate.php
hxxp://23.localizetoday.com/ponyb/gate.php
hxxp://23.localizetoday.net/ponyb/gate.php
hxxp://23.mrelectricdenver.com/ponyb/gate.php
hxxp://www.rueba.com/eXkdB.exe
hxxp://cancunie.com/fbJAXM9s.exe
hxxp://nikosst.com/yttur.exe

Please Note: Thirtyseven4 Antivirus is up-to-date against this threat and Thirtyseven4 has proactively blocked these targeted domains via our Browser Protection module.

Upon execution, it drops a polymorphic file at the following location:
%Appdata%\[random_folder]\[random_name].exe
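
The following detection sketch is an added example, not Thirtyseven4's code: it matches proxy log entries against the URLs listed above and then checks whether the same client ran an executable from the drop location pattern. The log line formats and the sample log lines are constructed assumptions; the drop-path pattern also matches legitimate software, so it is only reported for clients that already have a URL hit.

```python
import re
from urllib.parse import urlsplit

# URLs exactly as listed on the page (defanged with "hxxp").
PAGE_IOCS = """
hxxp://aseforum.ro:8080/ponyb/gate.php
hxxp://23.localizetoday.com/ponyb/gate.php
hxxp://23.localizetoday.net/ponyb/gate.php
hxxp://23.mrelectricdenver.com/ponyb/gate.php
hxxp://www.rueba.com/eXkdB.exe
hxxp://cancunie.com/fbJAXM9s.exe
hxxp://nikosst.com/yttur.exe
""".split()

def ioc_key(url):
    """Normalise a (possibly defanged) URL to (host, path); scheme and port are ignored."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url.strip(), flags=re.I))
    return (parts.hostname or "").lower(), parts.path

IOC_KEYS = {ioc_key(u) for u in PAGE_IOCS}
# %Appdata%\[random_folder]\[random_name].exe on XP/2003 and on later profile layouts.
DROP_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe$", re.I)

def scan(proxy_lines, process_lines):
    """Return {client: {"urls": [...], "drops": [...]}} for clients with an IoC URL hit."""
    hits = {}
    for line in proxy_lines:        # assumed format: "<client> <METHOD> <url>"
        client, _method, url = line.split(maxsplit=2)
        if ioc_key(url) in IOC_KEYS:
            hits.setdefault(client, {"urls": [], "drops": []})["urls"].append(url)
    for line in process_lines:      # assumed format: "<client>|<image path>"
        client, image = line.split("|", 1)
        if client in hits and DROP_RE.search(image.strip()):
            hits[client]["drops"].append(image.strip())
    return hits

# Constructed sample logs (not captured traffic).
PROXY = [
    "10.0.0.5 POST http://23.localizetoday.com/ponyb/gate.php",
    "10.0.0.5 GET http://nikosst.com/yttur.exe",
    "10.0.0.9 GET http://www.example.org/index.html",
]
PROCS = [
    r"10.0.0.5|C:\Documents and Settings\bob\Application Data\Qwxz\ukpa.exe",
    r"10.0.0.9|C:\Users\amy\AppData\Roaming\Vendor\tool.exe",
]
if __name__ == "__main__":
    print(scan(PROXY, PROCS))
```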

Ohio Company Thirtyseven4 Detects Latest UPS Scam

 

Thirtyseven4 - Industry Leading Endpoint Security Solution

“Delight yourself in the Lord and he will give you the desires of your heart.” Psalm 37:4