virus logo Virus

W32/FareitVB.M!tr

description-logoAnalysis
W32/FareitVB.M!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/FareitVB.M!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • undefinedAppDataundefined\[OriginalMalware].exe : This file is detected as W32/FareitVB.M!tr.
    • undefinedAppDataundefined\install\rilc.exe : This file is a copy of the original malware itself.
    • undefinedAppDataundefined\subfolder\filename.exe This file is detected as W32/FareitVB.M!tr.
    • undefinedAppDataundefined\dfvxfv\gcg.exe : This file is detected as W32/FareitVB.M!tr.
    • undefinedAppDataundefined\mixcver\vsdme.exe : This file is detected as W32/FareitVB.DSJG!tr.
    • undefinedStartUpundefined\filename.vbe : This VBS script serves as an autostart for filename.exe.
    • undefinedStartUpundefined\gcg.vbe : This VBS script serves as an autostart for gcg.exe.
    • undefinedStartUpundefined\vsdme.vbe : This VBS script serves as an autostart for vsdme.exe.
    • undefinedTempundefined\-.exe : This file is detected as W32/Injector.DSJQ!tr.
    • undefinedTempundefined\96656.bat : This file is detected as BAT/Small.NAN!tr.
    • undefinedTempundefined\ali1st-cr.exe : This file is detected as W32/FareitVB.DSJA!tr.
    • undefinedUserundefined\ScreenShot\screen.jpg : This file is a screenshot of the hosts desktop.

  • This malware may connect to any of the following remote sites(s):
    • shaboca{Removed}.com.md-90.webhostbox.net
    • infocolornid{Removed}.publicvm.com
    • alsharfigrou{Removed}.com

  • Some instances of this this malware may apply the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • Qilp = undefinedAppDataundefined\install\rilc.exe
      This automatically executes the dropped file every time the infected user logs on.

  • Some instances of this malware has information theft capability, sending hosts machine name and time and even current screenshot to alsharfigrou{Removed}.com.

  • The original copy of the malware may be deleted after execution.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2021-11-09 89.06714
2021-10-26 89.06291
2021-08-22 88.00567
2021-08-18 88.00469
2021-08-18 88.00466
2021-08-12 88.00316
2021-07-20 87.00765
2021-07-06 87.00429
2021-06-29 87.00261
2021-06-15 86.00934
ID 7345291
Released Mar 27, 2017
Description
Updated		 Oct 12, 2017
Aliases W32/GenKryptik.AZQT!tr, Trojan-Spy.Win32.Noon.ccv, TSPY_HPFAREIT.SM, Mal/FareitVB-M, Win32/Injector.DSMK trojan, Trojan.Win32.VBKrypt.yegf, Win32/Injector.DSJG trojan, Trojan.Win32.VBKrypt.yegm, MSIL/NanoCore.K trojan, Packed-MI!66B9E339A99E trojan, Win32/
Platform Profile Win32 file format / PE 32 bit