W32/Fareit.CGB!tr

Analysis



W32/Fareit.CGB!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Fareit.CGB!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • It drops the following files:
    • %AppData%\ASound.exe : This file is a copy of the malware.
    • %StartUp%\ABsound.exe : This file is a copy of the malware.
    • %AppData%\[Random]\[Random].exe : Depending on the original sample, this file is either %SystemRoot%\system32\svchost.exe (Service Host) moved from the affected host, or another copy of the malware itself.
    • %AppData%\[Random]\[Random].hdb : This is either a four-byte non-malicious data file or another copy of the malware itself.

  • The following registry modifications are applied:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      • [OriginalFilename].exe = %AppData%\ASound.exe
      This automatically executes the dropped file every time the infected user logs on.

  • It also spawns an instance of %SystemRoot%\system32\svchost.exe.

  • It connects to the following remote sites:
    • bahru{Removed}mkediri.sch.id/temps/fre.php
    • www.leyo{Removed}.com/45/Panel/five/fre.php
    • onc{Removed}.info
    The malware has also been observed sending details of the infected host to the sites listed above, such as the current username and the local path from which the malware was executed.

  • In some instances, this malware may delete itself after executing.
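The following Python check is an added example, not part of the Fortinet entry: it looks for the two fixed-name dropped files and the Run key persistence described above, either on a live Windows host or on exported triage data. The collect_live_state helper and the sample paths are assumptions; the random-named %AppData%\[Random]\ artefacts cannot be matched by name and need behavioural correlation (for example the spawned svchost.exe instance).

```python
# Added example (not Fortinet's code): checks a host or a triage export for the
# W32/Fareit.CGB!tr persistence artefacts described above. Helper names and the
# sample data are constructed assumptions.
import ntpath

DROPPED = {"appdata": "asound.exe", "startup": "absound.exe"}  # from the analysis
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def check_fareit(run_values: dict[str, str], appdata: str, startup: str,
                 existing_files: list[str]) -> list[str]:
    """Pure check over collected data: run_values maps Run value names to their
    command data; existing_files lists files under AppData and StartUp."""
    findings: list[str] = []
    present = {ntpath.normcase(p) for p in existing_files}
    for folder, base in (("appdata", appdata), ("startup", startup)):
        path = ntpath.normcase(ntpath.join(base, DROPPED[folder]))
        if path in present:
            findings.append(f"dropped file present: {path}")
    for name, command in run_values.items():
        # The value name mirrors the original filename; the data is the dropped
        # copy, written either as a literal %AppData% or as the expanded path.
        cmd = command.strip().strip('"')
        if cmd.lower().startswith("%appdata%"):
            cmd = appdata + cmd[len("%appdata%"):]
        target = ntpath.normcase(cmd)
        if (ntpath.basename(target) == DROPPED["appdata"]
                and ntpath.dirname(target) == ntpath.normcase(appdata)):
            findings.append(f"autorun: {RUN_KEY}\\{name} = {command}")
    return findings


def collect_live_state():
    """Windows-only collector (assumed helper) for the inputs check_fareit needs."""
    import os, winreg  # winreg exists only on Windows
    appdata = os.environ["APPDATA"]
    startup = ntpath.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup")
    files = [ntpath.join(d, f) for d in (appdata, startup)
             for f in (os.listdir(d) if os.path.isdir(d) else [])]
    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY.split("\\", 1)[1]) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values, appdata, startup, files


if __name__ == "__main__":
    for line in check_fareit(*collect_live_state()):
        print(line)
```

On a non-Windows triage workstation, feed check_fareit with the Run values and directory listings exported from the affected host instead of calling collect_live_state.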



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb (Web Application Firewall)
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2021-02-16 84.08100 Sig Updated
2020-12-02 82.26800 Sig Updated
2020-11-03 81.56700 Sig Updated
2020-05-04 77.17300 Sig Updated
2019-08-20 71.01900 Sig Updated
2019-07-05 69.76100 Sig Updated
2019-03-13 67.02500 Sig Updated
2018-12-11 64.82100 Sig Updated
2018-11-15 64.20200 Sig Updated
2018-11-15 64.20000 Sig Updated