Fribet

Type: Trojan
SubType: Remote Access
Discovery Date: 04/09/2008
Length: 38,912 (bytes)
Minimum DAT: 5271 (04/10/2008)
Updated DAT: 5271 (04/10/2008)
Minimum Engine: 5.1.00
Description Added: 04/09/2008
Description Modified: 04/10/2008 3:30 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update April 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computeractive.co.uk/computeractive/news/2213908/pro-tibet-websites-infected
--

Upon execution, the trojan drops the following files:

  • %Systemdir%\ipsec.exe
  • %Systemdir%\ipsec.dll

The following registry keys are modified:

  • HKEY_CLASSES_ROOT\FKing
    • "classid" = EB59090026001513010A04D807
    • "memo" = free tibet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ipsec
    • "Asynchronous" = 1
    • "DllName" = %Systemdir%\ipsec.dll
    • "Impersonate" = 0
    • "Startup" = FkStartup
    • "Shutdown" = FkShutdown
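The Winlogon\Notify entry listed above is the persistence mechanism worth checking for on a suspect host. The script below is an added example, not McAfee's code or part of the original description: it audits a snapshot of that key against the values given above and also flags any notification package that is not on an analyst-maintained allow-list. The KNOWN_PACKAGES set and the SAMPLE_SNAPSHOT are assumptions constructed for the example, not taken from the page.

```python
import sys
from typing import Dict, List

# Values of the "ipsec" Notify entry, as listed in the advisory.
FRIBET_DLL = r"%systemdir%\ipsec.dll"
FRIBET_EXPORTS = {"Startup": "FkStartup", "Shutdown": "FkShutdown"}
# Assumption: allow-list of notification packages expected on XP/2003 hosts.
KNOWN_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "scecli", "sclgntfy",
                  "senslogn", "termsrv", "wlballoon", "schedule", "wgalogon"}

def audit_winlogon_notify(notify: Dict[str, Dict[str, object]],
                          system_dir: str) -> List[str]:
    """notify maps each Winlogon\\Notify subkey name to its values.
    Returns one finding per suspicious subkey; an empty list means clean."""
    findings = []
    for name, values in notify.items():
        dll = str(values.get("DllName", "")).lower()
        normalised = dll.replace(system_dir.lower(), "%systemdir%")
        exports = {k: values.get(k) for k in FRIBET_EXPORTS}
        if normalised == FRIBET_DLL and exports == FRIBET_EXPORTS:
            findings.append(f"{name}: Fribet backdoor entry (DllName={dll})")
        elif name.lower() not in KNOWN_PACKAGES:
            findings.append(f"{name}: unlisted notification package (DllName={dll})")
    return findings

def collect_winlogon_notify() -> Dict[str, Dict[str, object]]:
    """Read the live key on a Windows host (winreg is Windows-only)."""
    import winreg
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):   # subkey count
            sub = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sub) as key:
                nvalues = winreg.QueryInfoKey(key)[1]      # value count
                snapshot[sub] = dict(winreg.EnumValue(key, j)[:2]
                                     for j in range(nvalues))
    return snapshot

# Constructed snapshot: one legitimate package plus the advisory's entry.
SAMPLE_SNAPSHOT = {
    "scecli": {"DllName": "scecli.dll", "Asynchronous": 0, "Impersonate": 0},
    "ipsec": {"Asynchronous": 1, "DllName": r"C:\WINDOWS\system32\ipsec.dll",
              "Impersonate": 0, "Startup": "FkStartup", "Shutdown": "FkShutdown"},
}

if __name__ == "__main__":
    snap = collect_winlogon_notify() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in audit_winlogon_notify(snap, r"C:\WINDOWS\system32"):
        print(line)
```

On a Windows host the script reads the live key; elsewhere it runs against the constructed snapshot so the matching logic can be exercised offline.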

Once executed, the trojan creates the following mutex to ensure that only one instance is running.

  • MrxyMutex2

The DLL file "ipsec.dll" is injected into the "winlogon.exe" process and works as a backdoor. The trojan connects to the following site and waits for commands.

  • freetibet.[removed].com port: 8082

The backdoor has the following functions:

  • create files/directories
  • list files/drive information
  • download/upload files
  • run/terminate processes
  • list processes
  • operate SQL servers installed on the victim machines

Symptoms

Method of Infection

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

The trojan is a remote access trojan and has been observed being downloaded via malicious web pages from remote sites.
The web pages were proactively detected as Exploit-MS07-004 since the 5161 DAT (release date: Nov 11th, 2007) with the McAfee command-line scanner and gateway product.
