Fareit Trojan drops multiple malware families

April 21, 2014

The Dell Sonicwall Threats Research team has discovered a variant of the Fareit info stealer Trojan that also drops malware from many different families. The malware appears to be aimed at UK users and spreads via email messages containing the malware attachment. The malware that is dropped can vary between runs. We have observed families such as the Necurs rootkit, Zbot and even Cryptolocker being dropped on the system.

Infection Cycle:

The email contains a zip and html attachment. The html attachment contains the following false information:

The Trojan uses the following icon to masquerade as a harmless PDF file:

The Trojan makes the following DNS queries:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\AGF8BF7.bat
  • %USERPROFILE%\Local Settings\Temp\GGKD92B.bat
  • %USERPROFILE%\Local Settings\Temp\IHK1550.bat
  • %USERPROFILE%\Local Settings\Temp\QLK2113.bat
  • %USERPROFILE%\Local Settings\Temp\QSC684E.bat
  • %USERPROFILE%\Local Settings\Temp\UWS7AA7.bat
  • %USERPROFILE%\Local Settings\Temp\Smfcrnejnyattfrpdr.exe [Detected as GAV: Blocker.EKIY (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\195671.exe [Detected as GAV: Zbot.GOV (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe [Detected as GAV: Zbot.GOV (Trojan)]
  • %SYSTEM32%\drivers\ac170656677d7ac.sys (rootkit) [Detected as GAV: Necurs.BDE (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A4B7000 Service "2a4b7"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A4B7000 DeviceDesc "pyjyyk.exe"
  • HKEY_USERS\S-1-5-21-448539723-1682526488-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run Pyjyyk ""%USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe""

The .bat files contain the following script to clean up traces of the infection:

      @echo off
      :xoyjpusy
      del /F /Q /A RSHAIL "%USERPROFILE%\Local Settings\Temp\195671.exe" >nul
      if exist "%USERPROFILE%\Local Settings\Temp\195671.exe" goto xoyjpusy
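As an added defender-side example (not part of this advisory or of SonicWALL's tooling), the following Python recognises the two artefacts just described: a Run-key value that launches an executable out of Local Settings\Temp, and the "delete until the file is gone" batch loop the dropper leaves behind. The sample batch text and registry values are constructed here for illustration.

```python
import re
from typing import Optional

# Constructed sample .bat content, modelled on the cleanup script quoted above.
SAMPLE_BAT = r'''@echo off
:xoyjpusy
del /F /Q /A RSHAIL "%USERPROFILE%\Local Settings\Temp\195671.exe" >nul
if exist "%USERPROFILE%\Local Settings\Temp\195671.exe" goto xoyjpusy
'''

# Constructed Run-key values: one ordinary entry and one matching the persistence above.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Pyjyyk": r'"%USERPROFILE%\Local Settings\Temp\Jeitpyjyyk.exe"',
}

DEL_RE = re.compile(r'^\s*del\b[^"\r\n]*"([^"]+)"', re.I | re.M)
IF_EXIST_RE = re.compile(r'^\s*if\s+exist\s+"([^"]+)"\s+goto\s+(\S+)', re.I | re.M)
LABEL_RE = re.compile(r'^\s*:(\S+)', re.M)
# An .exe launched from a Temp directory, whether spelled out or via %TEMP%.
TEMP_EXE_RE = re.compile(r'(?:\\temp|%temp%)\\[^\\"]+\.exe"?(?:\s|$)', re.I)


def parse_cleanup_bat(text: str) -> Optional[dict]:
    """Detect a self-cleanup loop: 'del X' followed by 'if exist X goto <label>'.

    Returns the deleted path, the loop label and whether that label is defined,
    or None when the pattern is absent."""
    labels = set(LABEL_RE.findall(text))
    deleted = DEL_RE.findall(text)
    for target, label in IF_EXIST_RE.findall(text):
        if target in deleted:
            return {"target": target, "label": label, "loops": label in labels}
    return None


def is_temp_autorun(value_data: str) -> bool:
    """True when a Run-key command line starts an executable from a Temp folder."""
    return bool(TEMP_EXE_RE.search(value_data))


def triage(bat_text: str, run_values: dict) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    loop = parse_cleanup_bat(bat_text)
    if loop:
        findings.append(f"self-cleanup loop deleting {loop['target']}")
    for name, data in run_values.items():
        if is_temp_autorun(data):
            findings.append(f"Run key '{name}' launches an executable from Temp: {data}")
    return findings
```

Pointing `parse_cleanup_bat` at the contents of each .bat found in Temp and `is_temp_autorun` at the exported Run key values reproduces the two indicators without needing the samples themselves.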

ac170656677d7ac.sys is a known rootkit that serves to make the malware files hard to delete. It also prevents the victim from terminating the malware process.

The Trojan downloads file.ecr, renames it to pyjyyk.exe and runs it:

Smfcrnejnyattfrpdr.exe uses the following icon and was observed scanning the network for SMB (Samba) file shares:

The Trojan injects code into firefox.exe (if installed) and causes it to scan files for FTP server credentials. Below is a sample of the files and directories being scanned:

      %USERPROFILE%\Application Data\desktop.ini
      %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles
      %USERPROFILE%\Application Data\eqqi.udo.dat
      %USERPROFILE%\Local Settings\Application Data\FlashFXP\3\Sites.dat
      %USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP\sm.dat
      %USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat
      %USERPROFILE%\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat
      %USERPROFILE%\Local Settings\Application Data\FileZilla\filezilla.xml
      %USERPROFILE%\Local Settings\Application Data\CuteFTP\sm.dat

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Fareit.A_136 (Trojan)
  • GAV: Blocker.EKIY (Trojan)
  • GAV: Zbot.GOV (Trojan)
  • GAV: Necurs.BDE (Trojan)