Win32/Farfli [Threat Name]

Win32/Farfli.IR [Threat Variant Name]

Category trojan
Size 99328 B
Detection created Jan 04, 2012
Detection database version 6768
Aliases Backdoor:Win32/Moudoor.A (Microsoft)
  Variant.Barys.1597 (BitDefender)
Short description

Win32/Farfli.IR is a trojan that installs Win32/Farfli.EZ malware.

Installation

When executed, the trojan copies itself to some of the following locations:

  • C:\Program Files\Symantec\LiveUpdate\VPTray.exe
  • %system%\VPTray.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "SymantecLiveUpdate" = "%malwarefilepath%"

The trojan creates the following file:

  • %windir%\up.bak (59904 B, Win32/Farfli.EZ)

The file is then executed.

Other information

The trojan executes the following commands:

  • cmd.exe /c ping localhost -n 2 & del "%originalmalwarefilepath%"
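
A host check for the artefacts listed above, as an added example that is not part of the original description: because the original file is deleted after installation, it looks for the SymantecLiveUpdate Run value, the copies and the dropped file, and compares file sizes with the ones given here. The function name, the WOW6432Node key and the SysWOW64 path are assumptions added for 64-bit hosts, and the 99328 B size for the copies assumes they are identical to the original file.

```powershell
# Added example: look for the Win32/Farfli.IR artefacts described on this page.
function Get-FarfliIRArtefact {
    [CmdletBinding()]
    param()

    # Autostart value named on the page. The WOW6432Node view is an added
    # assumption for 64-bit hosts, where a 32-bit process may be redirected.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        $prop = Get-ItemProperty -LiteralPath $key -Name 'SymantecLiveUpdate' -ErrorAction SilentlyContinue
        if ($prop) {
            [pscustomobject]@{
                Kind      = 'RunValue'
                Location  = "$key\SymantecLiveUpdate"
                Observed  = $prop.SymantecLiveUpdate
                SizeMatch = $null
            }
        }
    }

    # File locations and sizes from the page. %system% is read as the Windows
    # system directory; SysWOW64 is added under the same 64-bit assumption.
    $sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64'))
    $files = @(
        @{ Path = 'C:\Program Files\Symantec\LiveUpdate\VPTray.exe'; Size = 99328 }
        @{ Path = (Join-Path $env:windir 'up.bak'); Size = 59904 }
    )
    foreach ($dir in $sysDirs) {
        $files += @{ Path = (Join-Path $dir 'VPTray.exe'); Size = 99328 }
    }
    foreach ($f in $files) {
        # -Force so hidden or system-attributed files are still returned
        $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Kind      = 'File'
                Location  = $item.FullName
                Observed  = "$($item.Length) B"
                SizeMatch = ($item.Length -eq $f.Size)
            }
        }
    }
}

Get-FarfliIRArtefact | Format-Table -AutoSize
```

A file found at one of these paths with a different size is reported with SizeMatch set to False and still needs manual review; empty output means none of the listed artefacts were found.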
