Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Farfli.AA

Aliases: Trojan.Win32.Pincav.hby (Kaspersky), Trojan:Win32/Malagent (Microsoft), BackDoor-EKX trojan (McAfee)
Type of infiltration: Trojan
Size: 108283 B
Affected platforms: Microsoft Windows
Signature database version: 4766 (20100113)

Short description

Win32/Farfli.AA installs a backdoor that can be controlled remotely.

Installation

The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Svchost\netsvcs]
It avoids files which contain any of the following strings in their path:
  • 6to4
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    %servicename%]
    "Start" = %variable1%
    "Type" = %variable2%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    %servicename%\Enum]
    "0" = "Root\LEGACY_%servicename%\0000"
    "Count" = %variable3%
    "NextInstance" = %variable4%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_%servicename%]
    "NextInstance" = %variable5%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_%servicename%\0000]
    "Service" = "%servicename%"
    "Legacy" = %variable6%
    "ConfigFlags" = %variable7%
    "Class" = "%variable8%"
    "ClassGuid" = "%variable9%"
    "DeviceDesc" = "%variable10%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
    LEGACY_%servicename%\0000\Control]
    "*NewlyCreated*" = %variable11%
    "ActiveService" = "%servicename%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    %servicename%\Parameters]
    "ServiceDll" = "%originalservicepath%"
    "paramet" = "%originalservicepath%"
A string with variable content is used instead of %variable1-11%.

This causes the trojan to be executed on every system start.

The trojan creates and runs a new thread with its own program code within the following processes:
  • winlogon.exe
The trojan creates copies of the following files (source, destination):
  • %originalservicepath%, %originalservicepath%.lang
  • %originalservicepath%, %system%\dllcache\%originalservicefilename%
The trojan creates the following files:
  • %temp%\%random%_res.tmp
  • %system%\syslog.dat
  • %system%\1.txt.lang
  • %originalservicepath%_lang.ini
The trojan may create copies of the following files (source, destination):
  • %system%\1.txt, %system%\1.txt.lang
  • %systemdrive%\1.txt, %system%\dllcache\1.txt
  • %temp%\%random%_res.tmp, %originalservicepath%
A string with variable content is used instead of %random%.
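The persistence mechanism described in this section is a service-DLL hijack: a member of the netsvcs svchost group keeps its name and Registry entries, but its ServiceDll is replaced by the trojan's file, the original DLL is kept alongside as a ".lang" copy and in dllcache, and a "paramet" value and a "_lang.ini" file appear next to it. The following PowerShell audit is an added example written for this page; it is not ESET's code or part of the encyclopedia entry. It assumes an elevated prompt on Windows, and all function and variable names are this example's own. On Windows 7 and later the dllcache directory is usually absent, so that particular comparison simply yields nothing.

```powershell
# Added example (not ESET's code): audit the netsvcs svchost group for the
# ServiceDll hijack pattern described in the entry above. Requires an
# elevated PowerShell session; names are this example's own.

function Get-NetsvcsHijackIndicators {
    [CmdletBinding()]
    param()

    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # netsvcs is a REG_MULTI_SZ listing the service names hosted by that group.
    $netsvcs  = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs' -ErrorAction Stop).netsvcs
    $system32 = Join-Path $env:SystemRoot 'System32'
    $dllcache = Join-Path $system32 'dllcache'

    foreach ($name in $netsvcs) {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        if (-not (Test-Path -Path $paramsKey)) { continue }
        $params = Get-ItemProperty -Path $paramsKey
        if (-not $params.ServiceDll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

        $findings = @()

        # Indicator 1: the "paramet" value the entry lists beside ServiceDll.
        if ($params.PSObject.Properties.Name -contains 'paramet') {
            $findings += 'Parameters key carries a "paramet" value'
        }

        # Indicator 2: side files the trojan leaves next to the hijacked DLL
        # (%originalservicepath%.lang and %originalservicepath%_lang.ini).
        foreach ($suffix in '.lang', '_lang.ini') {
            if (Test-Path -LiteralPath ($dll + $suffix)) {
                $findings += "sibling file present: $dll$suffix"
            }
        }

        # Indicator 3: a netsvcs member whose ServiceDll lives outside System32.
        if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "ServiceDll outside System32: $dll"
        }

        # Indicator 4: the entry says the original DLL is copied into dllcache
        # before the live file is replaced, so a hash mismatch between the two
        # is worth a look (dllcache only exists on Windows File Protection systems).
        $cached = Join-Path $dllcache (Split-Path -Path $dll -Leaf)
        if ((Test-Path -LiteralPath $dll) -and (Test-Path -LiteralPath $cached)) {
            $liveHash  = (Get-FileHash -LiteralPath $dll    -Algorithm SHA256).Hash
            $cacheHash = (Get-FileHash -LiteralPath $cached -Algorithm SHA256).Hash
            if ($liveHash -ne $cacheHash) {
                $findings += "dllcache copy differs from live DLL: $cached"
            }
        }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                Service    = $name
                ServiceDll = $dll
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Loose files from the "creates the following files" list in the entry.
function Get-FarfliDropIndicators {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $candidates = @(
        (Join-Path $system32 'syslog.dat'),
        (Join-Path $system32 '1.txt.lang'),
        (Join-Path $system32 'dllcache\1.txt'),
        (Join-Path $env:SystemDrive '1.txt')
    )
    $candidates | Where-Object { Test-Path -LiteralPath $_ }
}

Get-NetsvcsHijackIndicators | Format-Table -AutoSize
Get-FarfliDropIndicators
```

A service that hits indicator 1 or 2 matches the entry's pattern closely; indicator 3 on its own is only a prompt to verify the DLL's publisher and signature, since legitimate third-party services can also register under netsvcs. Because the trojan disables Windows File Protection, do not rely on WFP having restored the original DLL; restore it from known-good media or the dllcache copy after confirming that copy's hash.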

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The TCP protocol is used.

It can execute the following operations:
  • update itself to a newer version
  • set file attributes
  • send the list of running processes to a remote computer
  • send the list of disk devices and their type to a remote computer
  • remove itself from the infected computer
  • open a specific URL address
  • move files
  • run executable files
  • download files from a remote computer and/or the Internet
  • terminate running processes
  • delete folders
  • delete files
  • delete Registry entries
  • create folders
  • capture screenshots
  • create Registry entries
  • shut down/restart the computer
  • log keystrokes
  • capture webcam video/voice
  • send various information about the infected computer
  • send files to a remote computer
The following information is collected:
  • network adapter information
  • computer name
  • memory status
  • CPU information
  • Internet Explorer version
The trojan can send the information to a remote machine.

The following services are disabled:
  • Windows File Protection