Win32/Farfli [Threat Name]

Win32/Farfli.AFY [Threat Variant Name]

Category trojan
Size 89033 B
Detection created Aug 28, 2013
Signature database version 8738
Aliases Trojan-GameThief.Win32.Magania.twkx (Kaspersky)
  Backdoor:Win32/Zegost.AD (Microsoft)

Win32/Farfli.AFY serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\%variable%.exe

%variable% represents random text.


The trojan registers itself as a system service using the following name:

  • Ijklmn Pqrstuvw Yab

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ijklmn Pqrstuvw Yab]
    • "Type" = 272
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\%variable%.exe"
    • "DisplayName" = "Ijklmn Pqrstuvw Yabcdefg Ijkl"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Ijklmnop Rstuvwxya Cdefghi Klmnopqr Tuv"
    • "FailureActions" = %hexvalue%
    • "MakeTime" = "%variable%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ijklmn Pqrstuvw Yab\Security]
    • "Security" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IJKLMN_PQRSTUVW_YAB\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "Ijklmn Pqrstuvw Yab"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IJKLMN_PQRSTUVW_YAB\0000]
    • "Service" = "Ijklmn Pqrstuvw Yab"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "Ijklmn Pqrstuvw Yabcdefg Ijkl"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IJKLMN_PQRSTUVW_YAB]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ijklmn Pqrstuvw Yab\Enum]
    • "0" = "Root\LEGACY_IJKLMN_PQRSTUVW_YAB\0000"
    • "Count" = 1
    • "NextInstance" = 1

"Type" = 272 (0x110) is SERVICE_WIN32_OWN_PROCESS combined with SERVICE_INTERACTIVE_PROCESS; "Start" = 2 is SERVICE_AUTO_START, so the service is launched at every boot, and "ObjectName" = "LocalSystem" runs it with full system privileges. "MakeTime" is not a standard service value and is written by the trojan itself. The Enum\Root\LEGACY_* keys and the Services\...\Enum subkey are populated by the Service Control Manager for any newly registered legacy service, so they corroborate the installation but are not unique to this malware.

The trojan may create the following files:

  • %windir%\System32\MODIf.html

Information stealing

The trojan collects the following information:

  • operating system version
  • memory status
  • CPU information
  • user name
  • list of disk devices and their type
  • system uptime (number of milliseconds elapsed since the system was started)
  • network parameters

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of two URLs. Communication uses TCP and HTTP.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • upload file list
  • create files
  • move files
  • delete files
  • log keystrokes
  • simulate user's input (clicks, taps)
  • simulate mouse activity
  • steal information from the Windows clipboard
  • set clipboard data
  • capture screenshots
  • send the list of running processes to a remote computer
  • terminate running processes
  • start/stop services
  • create user account
  • delete user account
  • create Registry entries
  • delete Registry entries
  • change the proxy server settings
  • perform DoS/DDoS attacks
  • execute shell commands
  • shut down/restart the computer
  • uninstall itself

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
  • [HKEY_LOCAL_MACHINE\SYSTEM\Setup]
    • "MotherFucker"
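The service values listed under Installation and the state value under HKEY_LOCAL_MACHINE\SYSTEM\Setup are all recoverable from an offline SYSTEM hive or a `reg export` dump, which makes them usable for host triage. The script below is an added example, not ESET's own tooling or anything taken from the malware: it parses a `reg export` text dump (including REG_EXPAND_SZ values, which are exported as UTF-16LE hex) and flags services that combine the traits described above (interactive Type 0x110, auto-start as LocalSystem, an .exe directly in %windir%, a non-standard "MakeTime" value), plus the "MotherFucker" value under SYSTEM\Setup. The .reg text, the file name qzxvwk.exe, the MakeTime contents and the Windows directory C:\Windows are constructed assumptions; the threshold of three indicators is a design choice so that a legitimate interactive auto-start service (Spooler in the sample) does not fire on its own.

```python
"""Offline triage of a `reg export HKLM\\SYSTEM` dump for the Win32/Farfli.AFY
service persistence pattern.  Added example, not ESET tooling; the .reg text,
file name and MakeTime contents below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

WINDIR = "C:\\Windows"   # assumption for the sample; read it from the host under triage
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SETUP_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup"

SERVICE_INTERACTIVE_PROCESS = 0x100   # Type 272 == 0x110 == own-process | interactive
SERVICE_AUTO_START = 2
MIN_HITS = 3   # single traits also match legitimate services (Spooler below)

# Constructed sample: one legitimate service, one matching the page's pattern.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,70,00,6f,00,\
  6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ijklmn Pqrstuvw Yab]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Windows\\qzxvwk.exe"
"DisplayName"="Ijklmn Pqrstuvw Yabcdefg Ijkl"
"ObjectName"="LocalSystem"
"MakeTime"="2013-08-28 10:15:00"

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"MotherFucker"=hex:01,00,00,00
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"hex(?:\((\d+)\))?:(.*)$")
_HEX_TYPES = {2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ"}


def _unescape(s: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _parse_value(raw: str) -> Tuple[str, object]:
    """Decode one exported value: REG_SZ, REG_DWORD or a hex(n) blob."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = _HEX_RE.match(raw)
    if m:
        kind = int(m.group(1) or 3)   # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:                 # REG_EXPAND_SZ is exported as UTF-16LE bytes
            return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
        return _HEX_TYPES.get(kind, f"REG_TYPE_{kind}"), data
    return "UNKNOWN", raw


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, object]]]:
    """Parse a reg export into {key path: {value name: (type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join hex continuation lines
    keys: Dict[str, Dict[str, Tuple[str, object]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _parse_value(m.group(2))
    return keys


def service_indicators(values: Dict[str, Tuple[str, object]], windir: str = WINDIR) -> List[str]:
    """Return the Farfli installation traits present in one Services\\<name> key."""
    def get(name, default=None):
        return values.get(name, (None, default))[1]
    hits: List[str] = []
    svc_type = get("Type", 0)
    if isinstance(svc_type, int) and svc_type & SERVICE_INTERACTIVE_PROCESS:
        hits.append("interactive service (Type has 0x100 set)")
    if get("Start") == SERVICE_AUTO_START and get("ObjectName", "") == "LocalSystem":
        hits.append("auto-start as LocalSystem")
    image_dir, _, image_name = str(get("ImagePath", "")).strip('"').rpartition("\\")
    if image_dir.lower() == windir.lower() and image_name.lower().endswith(".exe"):
        hits.append("ImagePath is an .exe directly under %windir%")
    if "MakeTime" in values:
        hits.append("non-standard MakeTime value")
    return hits


def triage(text: str, windir: str = WINDIR) -> Dict[str, List[str]]:
    """Map suspicious key names to the indicators that fired."""
    keys = parse_reg(text)
    findings: Dict[str, List[str]] = {}
    for key, values in keys.items():
        name = key[len(SERVICES_PREFIX):]
        if key.startswith(SERVICES_PREFIX) and "\\" not in name:   # direct service keys only
            hits = service_indicators(values, windir)
            if len(hits) >= MIN_HITS:
                findings[name] = hits
    if "MotherFucker" in keys.get(SETUP_KEY, {}):
        findings[SETUP_KEY] = ["Farfli state value 'MotherFucker' present"]
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_REG).items():
        print(f"{name}: {', '.join(hits)}")
```

On a real case, feed `triage()` the output of `reg export HKLM\SYSTEM dump.reg` from the host (converted from UTF-16 to text), or a text export produced from an acquired SYSTEM hive; the Enum\Root\LEGACY_* keys are deliberately not scored because the Service Control Manager creates them for any legacy service.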
