PWS:Win32/Fareit.gen!I
Aliases:
- Trojan-PSW.Win32.Tepfer.gyxb (Kaspersky)
- TR/Spy.ZBot.3435526 (Avira)
- Trojan.PWS.Stealer.1932 (Dr.Web)
- Win32/Kryptik.AWNJ (ESET)
- PWS-Zbot-FANV!20598B1A5E05 (McAfee)
- Troj/Zbot-DUZ (Sophos)
- TSPY_ZBOT.SMAM (Trend Micro)
Summary
Windows Defender detects and removes this threat.
This trojan can steal your sensitive information, such as your login and password details, and send them to a malicious hacker. It can also download other malware, including variants of PWS:Win32/Zbot, which can give a malicious hacker control of your PC.
This threat is installed on your PC by other malware.
The following free Microsoft software detects and removes this threat:
- Microsoft Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
Protect your sensitive information
This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, change the passwords of every account that was stored on this PC after you've removed this threat, including FTP, email, browser-saved and remote desktop credentials.
Get more help
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
PWS:Win32/Fareit.gen!I is a password-stealing trojan that is usually dropped and run by other malware.
When run, it modifies the following registry entry:
In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<GUID>", where GUID is a unique number that identifies your computer, for example "7B06301A-BAB1-4610-99B9-BA3EA1CFFF47".
The trojan uses this registry value to store information about itself. It also stores information in the registry under "HKCU\Software\WinRAR\Client Hash".
The trojan deletes itself from your PC after it runs but the registry modifications remain.
Payload
Downloads other malware
PWS:Win32/Fareit.gen!I can download and run other malware such as PWS:Win32/Zbot. The malware is downloaded from various servers, including:
- devel.alpharacing.com
- epiplo-soulis.gr
- ftp.lacolazione.fr
- sabi13.com
Steals your user names, passwords and other sensitive information
PWS:Win32/Fareit.gen!I tries to steal account information such as server names, port numbers, user names and passwords. It tries to access this information from the following FTP clients:
- 32bit FTP
- 3D FTP
- AceFTP
- ALFTP
- BitKinex
- Blaze FTP
- BulletProof FTP
- ClassicFTP
- Coffee Cup FTP
- Core FTP
- CuteFTP
- Cyberduck
- DeluxeFTP
- Direct FTP
- Easy FTP
- ExpanDrive
- Far FTP
- FastStone
- FFFTP
- FileZilla
- FlashFxp
- FlingFTP
- FreshFTP
- Frigate FTP
- FTP Client
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP Now
- FTP Rush
- FTP Voyager
- FTP++
- FTPCommander
- FTPGetter
- FTPInfo
- FTPShell
- Global Downloader
- GoFTP
- LeapFTP
- Leech FTP
- LinasFTP
- My FTP
- NetDrive
- NexusFile
- NovaFTP
- NppFTP
- Opus
- PuTTY
- Robo FTP
- SecureFX
- SmartFTP
- Staff-FTP
- Total Commander
- TurboFTP
- UltraFXP
- Web Site Publisher
- WebDrive
- Windows Commander
- WinFTP
- WinSCP
- WinZip FTP
- Wise-FTP by AceBit
- WS_FTP
- Xftp
It can retrieve stored website passwords from the Chrome, Firefox, Internet Explorer, and Opera web browsers. It can also steal password information from saved remote desktop connections.
PWS:Win32/Fareit.gen!I tries to steal your email user names and passwords from the following email clients:
- BatMail
- IncrediMail
- Outlook
- Pocomail
- RimArts
- Windows Live Mail
- Windows Mail
It also tries to guess your user name and password by checking whether the password matches an entry in a built-in wordlist, which includes:
000000, danielle, michelle, mickey, microsoft, mike, monkey, mother, muffin, mustang, mustdie, mylove, myspace1, nathan, nicole, nintendo, none, nothing, onelove, online, orange, pass, passw0rd, password1, peace, peaches, peanut, pepper, pokemon, poop, power, praise, prayer, prince, princess, purple, qazwsx, qwert, qwerty1, rachel, rainbow, red123, richard, robert, rotimi, samantha, sammy, samuel, saved, scooby, scooter, secret, shadow, shalom, silver, single, slayer, smokey, snoopy, soccer, soccer1, sparky, spirit, startrek, starwars, stella, summer, sunshine, superman, taylor, test, testing, testtest, thomas, thunder, tigger, trinity, trustno1, victory, viper, welcome, whatever, william, windows, winner, wisdom, zxcvbnm
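The saved-credential theft described above (the FTP client list together with the browser and remote desktop note) and the password wordlist can be turned into a self-assessment: which stored FTP credentials on a host would a Fareit infection have harvested, and which of those passwords are in the trojan's own guessing list. The following PowerShell script is an added example, not code from this page or from the malware. It assumes FileZilla's Site Manager layout (a sitemanager.xml with <Server> entries holding <Host>, <Port>, <User> and a base64-encoded <Pass>), uses a constructed sample file rather than a real profile, and embeds only a subset of the wordlist shown above.

```powershell
# Added example (not from the Microsoft page): list FTP credentials saved by
# FileZilla that a Fareit infection would have harvested, and flag any whose
# password is in the trojan's brute-force wordlist. Assumes FileZilla's
# sitemanager.xml layout (<Server> with <Host>, <Port>, <User>, base64 <Pass>).

# Subset of the wordlist printed on this page (assumption: lower-case match).
$FareitWordlist = @(
    '000000', 'danielle', 'michelle', 'mickey', 'microsoft', 'monkey', 'mustang',
    'pass', 'passw0rd', 'password1', 'qazwsx', 'qwerty1', 'secret', 'shadow',
    'sunshine', 'superman', 'test', 'testing', 'trustno1', 'welcome', 'zxcvbnm'
)

function Get-ChildText {
    # Returns the text of a named child element, or $null if it is absent.
    param([System.Xml.XmlNode]$Node, [string]$Name)
    $child = $Node.SelectSingleNode($Name)
    if ($child) { $child.InnerText }
}

function Get-FileZillaSavedCredentials {
    [CmdletBinding()]
    param(
        # Default location of FileZilla's Site Manager file for the current user.
        [string]$Path = (Join-Path $env:APPDATA 'FileZilla\sitemanager.xml'),
        # XML text to parse instead of reading $Path (used for the offline sample).
        [string]$XmlContent
    )
    if (-not $XmlContent) {
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Verbose "No site manager file at $Path"
            return
        }
        $XmlContent = Get-Content -LiteralPath $Path -Raw
    }
    [xml]$doc = $XmlContent
    foreach ($server in $doc.SelectNodes('//Server')) {
        $storedPassword = $null
        $passNode = $server.SelectSingleNode('Pass')
        if ($passNode) {
            if ($passNode.GetAttribute('encoding') -eq 'base64') {
                $bytes = [Convert]::FromBase64String($passNode.InnerText)
                $storedPassword = [Text.Encoding]::UTF8.GetString($bytes)
            } else {
                # Older FileZilla versions wrote the password unencoded.
                $storedPassword = $passNode.InnerText
            }
        }
        # The password itself is never emitted; only whether it is saved and weak.
        [pscustomobject]@{
            Name          = Get-ChildText $server 'Name'
            Host          = Get-ChildText $server 'Host'
            Port          = Get-ChildText $server 'Port'
            User          = Get-ChildText $server 'User'
            PasswordSaved = ($null -ne $storedPassword)
            InWordlist    = ($null -ne $storedPassword) -and
                            ($FareitWordlist -contains $storedPassword.ToLowerInvariant())
        }
    }
}

# Constructed sample (not a real capture): one entry with a saved weak password
# ("sunshine", base64 c3Vuc2hpbmU=), one key-authenticated entry with none.
$sampleXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.60.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>webmaster</User>
      <Pass encoding="base64">c3Vuc2hpbmU=</Pass>
      <Name>corp site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Name>deploy host (key auth)</Name>
    </Server>
  </Servers>
</FileZilla3>
'@

Get-FileZillaSavedCredentials -XmlContent $sampleXml | Format-Table -AutoSize
# To audit the real profile instead: Get-FileZillaSavedCredentials -Verbose
```

On the sample, the first entry reports PasswordSaved and InWordlist as True and the second reports both as False. The stored password is decoded only to compare it against the wordlist and is not part of the output, so the report can be shared with whoever has to rotate the accounts. Any entry that reports PasswordSaved on an infected host should be treated as compromised regardless of the wordlist result, since the trojan reads the file directly rather than guessing.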
When your information is collected the trojan sends it to a remote server. Examples of the servers contacted by this trojan include:
- 175.118.124.53
- Midwdermatology.com
- www.bobadamsinc.com
- www.richadamsinc.com
Analysis by Steven Zhou.
Prevention
The following could indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<GUID>", where GUID is a unique number that identifies your computer, for example "7B06301A-BAB1-4610-99B9-BA3EA1CFFF47".
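The registry entry above is the durable indicator on a host, since the dropper deletes itself after running (see Installation), and the download and upload servers listed under Payload are the network indicators. The following PowerShell script is an added example, not code from this page. It checks the current user's hive for the HWID and Client Hash entries and, where the cmdlets exist (Windows 8 / Server 2012 and later), the DNS client cache and live TCP connections against the page's domains and IP address. HKCU\Software\WinRAR is also the settings key of a legitimate WinRAR install, so the key's presence alone is not reported; only those values are. The GUID shape check on HWID is an assumption taken from the example value on this page.

```powershell
# Added example (not from the Microsoft page): check a host for the Fareit
# indicators listed on this page. The WinRAR key itself is legitimate; only the
# HWID / Client Hash entries are indicators. Run as the user whose HKCU hive
# should be inspected.

$FareitDomains = @(
    'devel.alpharacing.com', 'epiplo-soulis.gr', 'ftp.lacolazione.fr', 'sabi13.com',
    'midwdermatology.com', 'www.bobadamsinc.com', 'www.richadamsinc.com'
)
$FareitIPs = @('175.118.124.53')
# Assumption: HWID data has the GUID shape of the example value on this page.
$GuidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'

function New-Finding {
    param([string]$Indicator, [string]$Location, [string]$Data)
    [pscustomobject]@{ Indicator = $Indicator; Location = $Location; Data = $Data }
}

function Test-FareitRegistryIndicators {
    $key = 'HKCU:\Software\WinRAR'
    if (-not (Test-Path -LiteralPath $key)) { return }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'HWID', 'Client Hash') {
        $prop = $values.PSObject.Properties[$name]
        if (-not $prop) { continue }
        $data = [string]$prop.Value
        $note = ''
        if ($name -eq 'HWID' -and $data -notmatch $GuidPattern) {
            $note = ' (not GUID-shaped, review manually)'
        }
        New-Finding "Registry value '$name'$note" $key $data
    }
    # The page describes "Client Hash" as a subkey; report that form as well.
    $sub = Join-Path $key 'Client Hash'
    if (Test-Path -LiteralPath $sub) { New-Finding "Registry subkey 'Client Hash'" $sub '' }
}

function Test-FareitNetworkIndicators {
    # DNS cache is volatile: a hit is a lead, absence proves nothing.
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($e in @(Get-DnsClientCache -ErrorAction SilentlyContinue)) {
            if ($FareitDomains -contains ([string]$e.Entry).ToLowerInvariant()) {
                New-Finding 'DNS cache entry' $e.Entry ([string]$e.Data)
            }
        }
    }
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        foreach ($c in @(Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
            if ($FareitIPs -contains $c.RemoteAddress) {
                New-Finding 'TCP connection' "$($c.RemoteAddress):$($c.RemotePort)" "PID $($c.OwningProcess)"
            }
        }
    }
}

$findings = @(Test-FareitRegistryIndicators) + @(Test-FareitNetworkIndicators)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'None of the Fareit indicators from this page were found on this host.'
}
```

Run it per user profile, because the artifact lives in HKCU and a machine with several accounts needs each hive checked (or the corresponding NTUSER.DAT loaded under HKU). The hostnames and address on this page are old infrastructure and may since have been sinkholed or reassigned, so treat a network hit as a reason to pull the process and proxy logs, not as confirmation on its own; the registry values are the stronger signal.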