PWS-FFantasy
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 07/24/2006
- Length
- 76,800 (exe); 59,485 (dll)
- Minimum DAT
- 4813 (07/24/2006)
- Updated DAT
- 5068 (07/05/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 07/24/2006
- Description Modified
- 08/09/2006 1:41 AM (PT)
Characteristics
Upon execution, the trojan copies itself to the following locations.
- %SYSTEMDIR%\explorerf.exe ( 76800 bytes )
- %SYSTEMDIR%\systemlf.dll ( 59485 bytes )
Then it creates the following registry value so that the dropped executable runs at startup.
- hkey_local_machine\software\microsoft\windows\currentversion\run
  explorerf.exe="%SYSTEMDIR%\explorerf.exe"
It creates a mutex named "ff11OneCopy5" to ensure that only one instance runs on the victim machine. The trojan monitors user access to the online game "Final Fantasy" and captures the following information.
- Username
- Password
- Server IP Address
The captured information is stored in the following file.
- C:\gameff11.txt
Then the trojan sends the file to the following remote site.
- ff11ma.[removed].net port:80
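The file, registry, mutex and network indicators listed above can be turned directly into a hunting rule. The following is an added example, not McAfee's own tooling: it evaluates constructed Sysmon-style event records against those indicators and returns which ones each record hits. The record field names (`event`, `path`, `key`, `value_name`, `name`, `host`, `port`) are an assumption of this example, and the C2 hostname is matched on its prefix and suffix only because the advisory redacts its middle label.

```python
"""Hunt for the PWS-FFantasy indicators in endpoint telemetry (added example)."""
from __future__ import annotations

import re
from typing import Iterable

# Indicators taken from the advisory. %SYSTEMDIR% is normally
# <drive>:\WINDOWS\system32, so dropped files are matched on that tail.
DROPPED_FILES = {"explorerf.exe": 76800, "systemlf.dll": 59485}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "explorerf.exe"
MUTEX_NAME = "ff11OneCopy5"
LOG_FILE = r"c:\gameff11.txt"
# The middle label of the exfiltration host is redacted in the advisory,
# so only the "ff11ma." prefix and ".net" suffix are matched.
C2_HOST_RE = re.compile(r"^ff11ma\..+\.net$", re.IGNORECASE)
C2_PORT = 80

_SYSTEMDIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


def _systemdir_basename(path: str) -> str | None:
    """Return the lower-cased file name if path sits directly in %SYSTEMDIR%, else None."""
    m = _SYSTEMDIR_RE.match(path.strip())
    return m.group(1).lower() if m else None


def match_record(rec: dict) -> list[str]:
    """Return the names of the advisory indicators that this one telemetry record hits."""
    hits: list[str] = []
    kind = rec.get("event")
    if kind == "file_create":
        name = _systemdir_basename(rec.get("path", ""))
        if name in DROPPED_FILES:
            hits.append(f"dropped file {name}")
            # Size is a secondary signal: the advisory gives exact lengths,
            # but a repacked sample may differ, so the name alone still alerts.
            if rec.get("size") == DROPPED_FILES[name]:
                hits.append(f"size match {name}")
        if rec.get("path", "").lower() == LOG_FILE:
            hits.append("credential log gameff11.txt")
    elif kind == "registry_set":
        # Normalise the HKLM short form used by most sensors to the advisory's spelling.
        key = rec.get("key", "").lower().replace("hklm\\", "hkey_local_machine\\")
        if key == RUN_KEY and rec.get("value_name", "").lower() == RUN_VALUE_NAME:
            hits.append("Run key persistence explorerf.exe")
    elif kind == "mutex_create":
        if rec.get("name") == MUTEX_NAME:
            hits.append("mutex ff11OneCopy5")
    elif kind == "network_connect":
        if C2_HOST_RE.match(rec.get("host", "")) and rec.get("port") == C2_PORT:
            hits.append("HTTP exfiltration to ff11ma.*.net:80")
    return hits


def scan(records: Iterable[dict]) -> dict[str, list[str]]:
    """Map each record id to its indicator hits; records with no hits are omitted."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            findings[rec["id"]] = hits
    return findings


# Constructed sample telemetry: five true hits plus one benign record (e5),
# which is the legitimate explorer.exe outside system32.
SAMPLE_EVENTS = [
    {"id": "e1", "event": "file_create", "path": r"C:\WINDOWS\system32\explorerf.exe", "size": 76800},
    {"id": "e2", "event": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "explorerf.exe", "value": r"C:\WINDOWS\system32\explorerf.exe"},
    {"id": "e3", "event": "mutex_create", "name": "ff11OneCopy5"},
    {"id": "e4", "event": "network_connect", "host": "ff11ma.[removed].net", "port": 80},
    {"id": "e5", "event": "file_create", "path": r"C:\WINDOWS\explorer.exe", "size": 1032192},
    {"id": "e6", "event": "file_create", "path": r"C:\gameff11.txt", "size": 120},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_EVENTS).items():
        print(rec_id, "->", "; ".join(hits))
```

Any one hit is worth triage, but the combination of the Run value, the mutex and the outbound HTTP connection from the same host is what distinguishes this trojan from a coincidental file name, so an alerting rule would normally require two or more of these per endpoint within a short window.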
Symptoms
Presence of the mentioned registry key and files.
Method of Infection
Trojans do not self-replicate.
They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a password stealing trojan that captures online game account information and sends it to the author via http.
Aliases
- Trojan-Spy.Win32.Agent.nq (Kaspersky)
- Trojan.Finfanse (Symantec)
- TSPY_FANTASY.C (TrendMicro)