Threat Encyclopedia

W32/FareitVB.M!tr

Analysis



W32/FareitVB.M!tr is a generic detection for a trojan. Because the detection is generic, malware detected as W32/FareitVB.M!tr may vary in behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • %AppData%\[OriginalMalware].exe : This file is detected as W32/FareitVB.M!tr.
    • %AppData%\install\rilc.exe : This file is a copy of the original malware itself.
    • %AppData%\subfolder\filename.exe : This file is detected as W32/FareitVB.M!tr.
    • %AppData%\dfvxfv\gcg.exe : This file is detected as W32/FareitVB.M!tr.
    • %AppData%\mixcver\vsdme.exe : This file is detected as W32/FareitVB.DSJG!tr.
    • %StartUp%\filename.vbe : This VBS script serves as an autostart for filename.exe.
    • %StartUp%\gcg.vbe : This VBS script serves as an autostart for gcg.exe.
    • %StartUp%\vsdme.vbe : This VBS script serves as an autostart for vsdme.exe.
    • %Temp%\-.exe : This file is detected as W32/Injector.DSJQ!tr.
    • %Temp%\96656.bat : This file is detected as BAT/Small.NAN!tr.
    • %Temp%\ali1st-cr.exe : This file is detected as W32/FareitVB.DSJA!tr.
    • %User%\ScreenShot\screen.jpg : This file is a screenshot of the host's desktop.

  • This malware may connect to any of the following remote site(s):
    • shaboca{Removed}.com.md-90.webhostbox.net
    • infocolornid{Removed}.publicvm.com
    • alsharfigrou{Removed}.com

  • Some instances of this malware may apply the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • Qilp = %AppData%\install\rilc.exe
      This automatically executes the dropped file every time the infected user logs on.

  • Some instances of this malware have information theft capability, sending the host's machine name, the current time and even a current screenshot to alsharfigrou{Removed}.com.

  • The original copy of the malware may be deleted after execution.
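As an added example that is not part of this Fortinet entry, the following PowerShell reports the persistence and exfiltration artifacts listed above on the local host without changing anything. It assumes %AppData%, %StartUp% and %User% map to the .NET special folders ApplicationData, Startup and UserProfile; a Run value that points into %AppData% is a triage signal to review, not a verdict on its own.

```powershell
# Added example (not code from the Fortinet page): lists the artifacts the
# analysis above describes. Read-only; it deletes or quarantines nothing.
function Find-FareitPersistence {
    $appData     = [Environment]::GetFolderPath('ApplicationData')   # %AppData% (assumed mapping)
    $startup     = [Environment]::GetFolderPath('Startup')           # %StartUp% (assumed mapping)
    $userProfile = [Environment]::GetFolderPath('UserProfile')       # %User%    (assumed mapping)
    $runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $findings    = @()

    # 1. Run-key values that launch something from %AppData%
    #    (the page shows Qilp = %AppData%\install\rilc.exe).
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$prop.Value
            if ($cmd -like "*$appData*") {
                $findings += [PSCustomObject]@{ Check = 'RunKey'; Name = $prop.Name; Target = $cmd }
            }
        }
    }

    # 2. VBScript autostarts in the Startup folder. The page pairs each
    #    <name>.vbe with a <name>.exe dropped under %AppData%, so look for it.
    $scripts = Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Extension -in '.vbe', '.vbs' }
    foreach ($script in $scripts) {
        $exe = Get-ChildItem -Path $appData -Recurse -File -Filter "$($script.BaseName).exe" `
                   -ErrorAction SilentlyContinue | Select-Object -First 1
        $target = if ($exe) { $exe.FullName } else { '(no matching exe under %AppData%)' }
        $findings += [PSCustomObject]@{ Check = 'StartupScript'; Name = $script.FullName; Target = $target }
    }

    # 3. Screenshot staged for exfiltration.
    $shot = Join-Path $userProfile 'ScreenShot\screen.jpg'
    if (Test-Path -Path $shot) {
        $findings += [PSCustomObject]@{ Check = 'Screenshot'; Name = $shot; Target = '' }
    }

    return $findings
}

Find-FareitPersistence | Format-Table -AutoSize
```

Each finding should be compared against the file names and detection names listed above before any quarantine action is taken, since legitimate software also starts from %AppData%.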



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
