Win32/Farfli [Threat Name]
Win32/Farfli.BGG [Threat Variant Name]
Category | trojan
Size | 278528 B
Aliases | Trojan.Win32.Scar.qnyq (Kaspersky)
 | BackDoor.PcClient.6595 (Dr.Web)
 | TrojanDownloader:Win32/Farfli.L!bit (Microsoft)
Short description
Win32/Farfli.BGG serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %systemroot%\Terms.EXE.exe
The trojan registers itself as a system service using the following name:
- $SuperProServer
This causes the trojan to be executed on every system start.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SuperProServer]
- "ConnectGroup" = "默认分组"
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SuperProServer]
- "DeleteFiles" = "%originalmalwarefilepath%"
- "Description" = "监测和监视新硬件设备并自动更新设备驱动。"
- "MarkTime" = "%datetime%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "SuperProServer" = "%systemroot%\Terms.EXE.exe"
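As an added defender-side example that is not part of the original ESET description, the following Python script hunts for the installation indicators listed above (drop path, service name, service key values, Run key entry) in constructed, Sysmon-like event records; the `type`, `target`, `service_name`, `image_path`, `key`, `name` and `data` field names are assumed for illustration, not a real product schema. The service `Description` value is a Chinese string describing a hardware-monitoring and driver-update service, so the value names rather than the value data are used for matching.

```python
import re

# Indicators from the description above (%systemroot% matched as <drive>:\Windows).
SERVICE_NAME = "SuperProServer"
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\superproserver"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICE_VALUES = {"ConnectGroup", "DeleteFiles", "Description", "MarkTime"}
DROP_PATH = re.compile(r"^[a-z]:\\windows\\terms\.exe\.exe$", re.IGNORECASE)

def norm_key(key):
    """Lower-case a registry path, drop brackets, expand Sysmon's HKLM prefix."""
    key = key.strip("[]")
    return re.sub(r"^hklm\\", r"hkey_local_machine\\", key.lower())

def match_event(ev):
    """Return a reason string if ev matches a Farfli.BGG persistence
    indicator, else None. ev uses a constructed, Sysmon-like field layout."""
    kind = ev.get("type")
    if kind == "file_create" and DROP_PATH.match(ev.get("target", "")):
        return "file dropped at " + ev["target"]
    if kind == "service_install":
        name = ev.get("service_name", "").lstrip("$")
        if name.lower() == SERVICE_NAME.lower():
            return "service registered: " + name
        if DROP_PATH.match(ev.get("image_path", "")):
            return "service binary is the drop path"
    if kind == "registry_set":
        key, name, data = norm_key(ev.get("key", "")), ev.get("name", ""), ev.get("data", "")
        if key == SERVICE_KEY and name in SERVICE_VALUES:
            return "service key value set: " + name
        if key == RUN_KEY and (name == SERVICE_NAME or DROP_PATH.match(data)):
            return "Run key persistence: " + name
    return None

def hunt(events):
    """Return (index, reason) for every event that matches an indicator."""
    return [(i, match_event(ev)) for i, ev in enumerate(events) if match_event(ev)]

# Constructed sample telemetry: three Farfli-style records and one benign one.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": r"C:\Windows\Terms.EXE.exe"},
    {"type": "service_install", "service_name": "$SuperProServer",
     "image_path": r"C:\Windows\Terms.EXE.exe"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SuperProServer",
     "name": "ConnectGroup", "data": "默认分组"},
    {"type": "registry_set", "key": r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
     "name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

print(hunt(SAMPLE_EVENTS))
```

The same matcher can be pointed at real Sysmon event 11, 13 and System log 7045 records once the field names are mapped to that source's schema.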
Information stealing
Win32/Farfli.BGG is a trojan that steals sensitive information.
The trojan is able to log keystrokes.
The following information is collected:
- operating system version
- computer IP address
- amount of operating memory
- installed antivirus software
- logged keystrokes
- network adapter information
- computer name
- CPU information
The trojan attempts to send gathered information to a remote machine. The TCP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of four URLs. The TCP protocol is used.
It can execute the following operations:
- update itself to a newer version
- set file attributes
- send the list of running processes to a remote computer
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- remove itself from the infected computer
- open a specific URL address
- copy files
- move files
- run executable files
- download files from a remote computer and/or the Internet
- terminate running processes
- play sound/video
- delete folders
- delete files
- delete cookies
- delete Registry entries
- create folders
- capture screenshots
- create Registry entries
- shut down/restart the computer
- manipulate application windows
- show/hide application windows
- display a dialog window
- send open TCP and UDP port numbers to a remote computer
- execute shell commands
- log off the current user
- simulate user's input (clicks, taps)
- watch the user's screen content
- delete user account
- create user account
- uninstall itself
- make operating system unbootable
- start/stop services
- various Registry operations
- perform DoS/DDoS attacks
- turn the display off
- open the CD/DVD drive
- swap mouse buttons
- send list of installed applications
- log keystrokes
- capture webcam video/voice
- send various information about the infected computer
- send files to a remote computer
- send gathered information
The trojan can be used to gain full access to the compromised computer.