Threat Encyclopedia

W32/FareitVB.M!tr

Analysis

W32/FareitVB.M!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/FareitVB.M!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
• %AppData%\[OriginalMalware].exe : This file is detected as W32/FareitVB.M!tr.
• %AppData%\install\rilc.exe : This file is a copy of the original malware itself.
• %AppData%\subfolder\filename.exe : This file is detected as W32/FareitVB.M!tr.
• %AppData%\dfvxfv\gcg.exe : This file is detected as W32/FareitVB.M!tr.
• %AppData%\mixcver\vsdme.exe : This file is detected as W32/FareitVB.DSJG!tr.
• %StartUp%\filename.vbe : This VBS script serves as an autostart for filename.exe.
• %StartUp%\gcg.vbe : This VBS script serves as an autostart for gcg.exe.
• %StartUp%\vsdme.vbe : This VBS script serves as an autostart for vsdme.exe.
• %Temp%\-.exe : This file is detected as W32/Injector.DSJQ!tr.
• %Temp%\96656.bat : This file is detected as BAT/Small.NAN!tr.
• %Temp%\ali1st-cr.exe : This file is detected as W32/FareitVB.DSJA!tr.
• %User%\ScreenShot\screen.jpg : This file is a screenshot of the host's desktop.

• This malware may connect to any of the following remote site(s):
• shaboca{Removed}.com.md-90.webhostbox.net
• infocolornid{Removed}.publicvm.com
• alsharfigrou{Removed}.com

• Some instances of this malware may apply the following registry modification(s):
• HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
• Qilp = %AppData%\install\rilc.exe
This automatically executes the dropped file every time the infected user logs on.
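A read-only hunt for the persistence artefacts described above (an HKCU Run value whose command points into %AppData%, the .vbe autostart scripts in the Startup folder, and the screenshot file), added here as an example and not part of the Fortinet entry; it assumes the currently logged-on user's profile and hive, and reports findings without deleting anything.

```powershell
# Added example, not Fortinet's code: report the persistence artefacts this entry describes.
# Only the value name "Qilp" and the file names come from the entry; everything else is assumed.
$findings = @()

# 1. HKCU Run values whose (expanded) command lives under %AppData%, e.g. Qilp = %AppData%\install\rilc.exe
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell provider metadata properties
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -like "$appData*") {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Path = $cmd }
        }
    }
}

# 2. VBS autostart scripts in the per-user Startup folder (the entry lists filename.vbe, gcg.vbe, vsdme.vbe)
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbe', '.vbs' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'StartupScript'; Name = $_.Name; Path = $_.FullName }
    }

# 3. The desktop screenshot artefact named in the entry (%User%\ScreenShot\screen.jpg)
$shot = Join-Path ([Environment]::GetFolderPath('UserProfile')) 'ScreenShot\screen.jpg'
if (Test-Path $shot) {
    $findings += [pscustomobject]@{ Type = 'Screenshot'; Name = 'screen.jpg'; Path = $shot }
}

# Print the findings; a non-empty table warrants triage of the referenced files and the Run value.
$findings | Format-Table -AutoSize
```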

• Some instances of this malware have information-theft capability, sending the host's machine name, the current time, and even a current screenshot to alsharfigrou{Removed}.com.

• The original copy of the malware may be deleted after execution.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.