General Explanation
Type: Trojan
Degree of destruction: high
Prevalence: High
Names of the malware:
- Trojan.Win32.Fareit
- Trojan-PSW.Win32.Fareit
What is a Trojan?
Trojans are malware that present themselves as legitimate, harmless software and behave much like useful applications, but once executed they cause extensive damage to the system. They enter the system through software downloaded from the internet, content embedded in HTML pages, email attachments, and similar routes. Unlike computer viruses and worms, Trojans cannot replicate themselves.
What is Fareit malware?
Fareit is a Trojan used to steal user data such as website passwords and to distribute other types of malware. Fareit has a notable history of distributing malware; it is primarily an information stealer and malware downloader.
This malware attempts to steal website passwords stored by browsers such as Firefox, Chrome, Internet Explorer, and Opera. It also attempts to steal account data such as server names, port numbers, signatures, and passwords from various FTP clients and cloud storage applications.
Technical Explanation
Signs of infection
Most observed Fareit samples have been written in Visual Basic.
Fareit is distributed through fake emails. As soon as it is executed, it creates a second process with the same name and writes its code into that new process; the new process then carries out the theft of the user's data.
Creating the second process is the only function of the first process.
In some samples, a .bat file is created in the %temp% path. After the malware has run, executing this .bat file removes the main malware file from the system, and the .bat file then deletes itself.
In variants where the malware file is not removed from the system, it establishes persistence through the following registry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Some Fareit samples download additional files, store them in the %temp% path, and then execute them.
In some Fareit samples, the malware sends the DisplayName and UninstallString values of all registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
to the address http://aseforum.ro. (This information tells the attacker which software is installed on the victim's system.)
It then uses three passwords, “SUPPORT_388945a0”, “Guest”, and “HelpAssistant”, to activate local user accounts with these names, runs in the context of those accounts, and executes the downloaded files under them.
The addresses mentioned change over time and between different samples of the malware.
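A host triage script for the indicators described above, added here as an example (it is not part of the original page or of Padvish's tooling): it lists HKCU Run-key entries, .bat files in %temp%, enabled built-in accounts with the three names the malware uses, and the Uninstall-key entries an attacker would have received. It assumes Windows 10 / Server 2016 or later, where Get-LocalUser is available, and an elevated PowerShell 5.1+ session.

```powershell
# Fareit indicator triage (added example, not vendor code). Reports only; changes nothing.
$findings = @()

# 1. Persistence: entries in the HKCU Run key named on the page.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # skip PSPath/PSParentPath etc.
        ForEach-Object { $findings += "RunKey: $($_.Name) = $($_.Value)" }
}

# 2. Self-deletion helper: .bat files dropped in %temp% to remove the main executable.
$tmp = [System.IO.Path]::GetTempPath()
Get-ChildItem -Path $tmp -Filter '*.bat' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "TempBat: $($_.FullName) (modified $($_.LastWriteTime))" }

# 3. Built-in accounts the malware activates; on a clean system these are normally disabled.
$watched = 'SUPPORT_388945a0', 'Guest', 'HelpAssistant'
foreach ($name in $watched) {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue   # absent on some editions
    if ($u -and $u.Enabled) { $findings += "AccountEnabled: $name" }
}

# 4. Scope of exposure: the DisplayName/UninstallString data the malware exfiltrates.
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, UninstallString

if ($findings.Count -eq 0) { 'No Fareit indicators found.' } else { $findings }
"Installed-software entries visible in the Uninstall key: $(@($installed).Count)"
$installed | Format-Table -AutoSize
```

Run-key entries and .bat files in %temp% are not malicious on their own; compare them against known software, and treat an enabled account from the list as a strong indicator.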
How to deal with it and disinfect the system
Padvish Antivirus detects and disinfects this malware. To prevent this type of malware from entering your system, avoid clicking on suspicious links and scan all email attachments before opening them. Also keep your operating system and antivirus up to date whenever possible.