Cridex Infection - Fareit trojan Credential Stolen - BHEK

1. #MalwareMustDie! [0x00000000:0x00400000]> !date
2. Fri Jan 18 01:33:11 JST 2013
3.  
4. // Stolen credential list from Cridex Infection 20130117
5. // by Fareit Trojan Stealer:
6.  
7. SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
8. UninstallString
9. DisplayName
10. Software\WinRAR
11. My Documents
12. AppData
13. Local AppData
14. Cache
15. Cookies
16. History
17. My Documents
18. Common AppData
19. My Pictures
20. Common Documents
21. Common Administrative Tools
22. Administrative Tools
23. Personal
24. Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
25. explorer.exe
26. Software\Far\Plugins\FTP\Hosts
27. Software\Far2\Plugins\FTP\Hosts
28. Software\Far Manager\Plugins\FTP\Hosts
29. Software\Far\SavedDialogHistory\FTPHost
30. Software\Far2\SavedDialogHistory\FTPHost
31. Software\Far Manager\SavedDialogHistory\FTPHost
32. Password
33. HostName
34. User
35. Line
36. wcx_ftp.ini
37. \GHISLER
38. InstallDir
39. FtpIniName
40. Software\Ghisler\Windows Commander
41. Software\Ghisler\Total Commander
42. \Ipswitch
43. Sites\
44. \Ipswitch\WS_FTP
45. \win.ini
46. .ini
47. WS_FTP
48. DIR
49. DEFDIR
50. CUTEFTP
51. QCHistory
52. Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
53. Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
54. Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
55. Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
56. Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
57. Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
58. \GlobalSCAPE\CuteFTP
59. \GlobalSCAPE\CuteFTP Pro
60. \GlobalSCAPE\CuteFTP Lite
61. \CuteFTP
62. \sm.dat
63. Software\FlashFXP\3
64. Software\FlashFXP
65. Software\FlashFXP\4
66. InstallerDathPath
67. path
68. Install Path
69. DataFolder
70. \Sites.dat
71. \Quick.dat
72. \History.dat
73. \FlashFXP\3
74. \FlashFXP\4
75. \FileZilla
76. \sitemanager.xml
77. \recentservers.xml
78. \filezilla.xml
79. Software\FileZilla
80. Software\FileZilla Client
81. Install_Dir
82. Host
83. User
84. Pass
85. Port
86. Remote Dir
87. Server Type
88. Server.Host
89. Server.User
90. Server.Pass
91. Server.Port
92. Path
93. ServerType
94. Last Server Host
95. Last Server User
96. Last Server Pass
97. Last Server Port
98. Last Server Path
99. Last Server Type
100. FTP Navigator
101. FTP Commander
102. ftplist.txt
103. \BulletProof Software
104. .dat
105. .bps
106. Software\BPFTP\Bullet Proof FTP\Main
107. Software\BulletProof Software\BulletProof FTP Client\Main
108. Software\BPFTP\Bullet Proof FTP\Options
109. Software\BulletProof Software\BulletProof FTP Client\Options
110. Software\BPFTP
111. LastSessionFile
112. SitesDir
113. InstallDir1
114. .xml
115. \SmartFTP
116. Favorites.dat
117. History.dat
118. addrbk.dat
119. quick.dat
120. \TurboFTP
121. Software\TurboFTP
122. installpath
123. Software\Sota\FFFTP
124. CredentialSalt
125. CredentialCheck
126. Software\Sota\FFFTP\Options
127. Password
128. UserName
129. HostAdrs
130. RemoteDir
131. Port
132. HostName
133. Port
134. Username
135. Password
136. HostDirName
137. Software\CoffeeCup Software\Internet\Profiles
138. Software\FTPWare\COREFTP\Sites
139. Host
140. User
141. Port
142. PthR
143. SSH
144. profiles.xml
145. \FTP Explorer
146. Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
147. Buttons
148. Software\FTP Explorer\Profiles
149. Password
150. PasswordType
151. Host
152. Login
153. Port
154. InitialPath
155. FtpSite.xml
156. \Frigate3
157. .ini
158. \VanDyke\Config\Sessions
159. \Sessions
160. Software\VanDyke\SecureFX
161. Config Path
162. UltraFXP
163. \sites.xml
164. \FTPRush
165. RushSite.xml
166. Server
167. Username
168. Password
169. FtpPort
170. Software\Cryer\WebSitePublisher
171. \BitKinex
172. bitkinex.ds
173. Hostname
174. Username
175. Password
176. Port
177. Software\ExpanDrive\Sessions
178. \ExpanDrive
179. \drives.js
180. "password" : "
181. Software\ExpanDrive
182. ExpanDrive_Home
183. Server
184. UserName
185. Password
186. _Password
187. Directory
188. Software\NCH Software\ClassicFTP\FTPAccounts
189. FtpServer
190. FtpUserName
191. FtpPassword
192. _FtpPassword
193. FtpDirectory
194. SOFTWARE\NCH Software\Fling\Accounts
195. Software\FTPClient\Sites
196. Software\SoftX.org\FTPClient\Sites
197. .oxc
198. .oll
199. ftplast.osd
200. \GPSoftware\Directory Opus
201. \SharedSettings.ccs
202. \SharedSettings_1_0_5.ccs
203. \SharedSettings.sqlite
204. \SharedSettings_1_0_5.sqlite
205. \CoffeeCup Software
206. leapftp
207. unleap.exe
208. sites.dat
209. sites.ini
210. \LeapWare\LeapFTP
211. SOFTWARE\LeapWare
212. InstallPath
213. DataDir
214. Password
215. HostName
216. UserName
217. RemoteDirectory
218. PortNumber
219. FSProtocol
220. Software\Martin Prikryl
221. \32BitFtp.ini
222. NDSites.ini
223. \NetDrive
224. PassWord
225. Url
226. UserName
227. RootDirectory
228. Port
229. Software\South River Technologies\WebDrive\Connections
230. ServerType
231. FTP CONTROL
232. FTPCON
233. .prf
234. \Profiles
235. ftp://
236. opera
237. wand.dat
238. _Software\Opera Software
239. Last Directory3
240. Last Install Path
241. Opera.HTML\shell\open\command
242. wiseftpsrvs.bin
243. \AceBIT
244. Software\AceBIT
245. MRU
246. SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
247. SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
248. wiseftpsrvs.ini
249. wiseftp.ini
250. FTPVoyager.ftp
251. FTPVoyager.qc
252. \RhinoSoft.com
253. nss3.dll
254. NSS_Init
255. NSS_Shutdown
256. NSSBase64_DecodeBuffer
257. SECITEM_FreeItem
258. PK11_GetInternalKeySlot
259. PK11_Authenticate
260. PK11SDR_Decrypt
261. PK11_FreeSlot
262. sqlite3.dll
263. sqlite3_open
264. sqlite3_close
265. sqlite3_prepare
266. sqlite3_step
267. sqlite3_column_bytes
268. sqlite3_column_blob
269. mozsqlite3.dll
270. sqlite3_open
271. sqlite3_close
272. sqlite3_prepare
273. sqlite3_step
274. sqlite3_column_bytes
275. sqlite3_column_blob
276. profiles.ini
277. Profile
278. IsRelative
279. Path
280. PathToExe
281. prefs.js
282. signons.sqlite
283. signons.txt
284. signons2.txt
285. signons3.txt
286. SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
287. Firefox
288. \Mozilla\Firefox\
289. Software\Mozilla
290. ftp://
291. ftp.
292. fireFTPsites.dat
293. SeaMonkey
294. \Mozilla\SeaMonkey\
295. Flock
296. \Flock\Browser\
297. Mozilla
298. \Mozilla\Profiles\
299. Software\LeechFTP
300. AppDir
301. LocalDir
302. bookmark.dat
303. SiteInfo.QFP
304. Odin
305. Favorites.dat
306. WinFTP
307. sites.db
308. CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
309. servers.xml
310. \FTPGetter
311. ESTdb2.dat
312. QData.dat
313. \Estsoft\ALFTP
314. Internet Explorer
315. WininetCacheCredentials
316. MS IE FTP Passwords
317. DPAPI:
318. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
319. Microsoft_WinInet_*
320. ftp://
321. Software\Adobe\Common
322. SiteServers
323. SiteServer %d\Host
324. SiteServer %d\WebUrl
325. SiteServer %d\Remote Directory
326. SiteServer %d-User
327. SiteServer %d-User PW
328. %s\Keychain
329. SiteServer %d\SFTP
330. DeluxeFTP
331. sites.xml
332. Web Data
333. Login Data
334. SQLite format 3
335. table
336. CONSTRAINT
337. PRIMARY
338. UNIQUE
339. CHECK
340. FOREIGN
341. logins
342. origin_url
343. password_value
344. username_value
345. ftp://
346. \Google\Chrome
347. \Chromium
348. \ChromePlus
349. Software\ChromePlus
350. Install_Dir
351. \Bromium
352. \Nichrome
353. \Comodo
354. \RockMelt
355. K-Meleon
356. \K-Meleon
357. \Profiles
358. Epic
359. \Epic\Epic
360. Staff-FTP
361. sites.ini
362. \Sites
363. \Visicom Media
364. .ftp
365. \Global Downloader
366. SM.arch
367. FreshFTP
368. .SMF
369. BlazeFtp
370. site.dat
371. LastPassword
372. LastAddress
373. LastUser
374. LastPort
375. Software\FlashPeak\BlazeFtp\Settings
376. \BlazeFtp
377. .fpl
378. FTP++.Link\shell\open\command
379. GoFTP
380. Connections.txt
381. 3D-FTP
382. sites.ini
383. \3D-FTP
384. \SiteDesigner
385. SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
386. EasyFTP
387. \NetSarang
388. .xfp
389. .rdp
390. TERMSRV/*
391. password 51:b:
392. username:s:
393. full address:s:
394. TERMSRV/
395. FTP Now
396. FTPNow
397. sites.xml
398. SOFTWARE\Robo-FTP 3.7\Scripts
399. SOFTWARE\Robo-FTP 3.7\FTPServers
400. FTP Count
401. FTP File%d
402. Password
403. ServerName
404. UserID
405. InitialDirectory
406. PortNumber
407. ServerType
408. fMY
409. Software\LinasFTP\Site Manager
410. Host
411. User
412. Pass
413. Port
414. Remote Dir
415. \Cyberduck
416. .duck
417. user.config
418. <setting name="
419. value="
420. Software\SimonTatham\PuTTY\Sessions
421. HostName
422. UserName
423. Password
424. PortNumber
425. TerminalType
426. NppFTP.xml
427. \Notepad++
428. Software\CoffeeCup Software
429. FTP destination server
430. FTP destination user
431. FTP destination password
432. FTP destination port
433. FTP destination catalog
434. FTP profiles
435. FTPShell
436. ftpshell.fsi
437. Software\MAS-Soft\FTPInfo\Setup
438. DataDir
439. \FTPInfo
440. ServerList.xml
441. NexusFile
442. ftpsite.ini
443. FastStone Browser
444. FTPList.db
445. \MapleStudio\ChromePlus
446. Software\Nico Mak Computing\WinZip\FTP
447. Software\Nico Mak Computing\WinZip\mru\jobs
448. Site
449. UserID
450. xflags
451. Port
452. Folder
453. .wjf
454. winex="
455. \Yandex
456. My FTP
457. project.ini
458. .xml
459. {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
460. NovaFTP.db
461. \INSoftware\NovaFTP
462. .oeaccount
463. Salt
464. <POP3_Password2
465. <SMTP_Password2
466. <IMAP_Password2
467. <HTTPMail_Password2
468. \Microsoft\Windows Live Mail
469. Software\Microsoft\Windows Live Mail
470. \Microsoft\Windows Mail
471. Software\Microsoft\Windows Mail
472. Software\RimArts\B2\Settings
473. DataDir
474. DataDirBak
475. Mailbox.ini
476. Software\Poco Systems Inc
477. Path
478. \PocoSystem.ini
479. Program
480. DataPath
481. accounts.ini
482. \Pocomail
483. Software\IncrediMail
484. EmailAddress
485. Technology
486. PopServer
487. PopPort
488. PopAccount
489. PopPassword
490. SmtpServer
491. SmtpPort
492. SmtpAccount
493. SmtpPassword
494. account.cfg
495. account.cfn
496. \BatMail
497. \The Bat!
498. Software\RIT\The Bat!
499. Software\RIT\The Bat!\Users depot
500. Working Directory
501. ProgramDir
502. Count
503. Default
504. Dir #%d
505. SMTP Email Address
506. SMTP Server
507. POP3 Server
508. POP3 User Name
509. SMTP User Name
510. NNTP Email Address
511. NNTP User Name
512. NNTP Server
513. IMAP Server
514. IMAP User Name
515. Email
516. HTTP User
517. HTTP Server URL
518. POP3 User
519. IMAP User
520. HTTPMail User Name
521. HTTPMail Server
522. SMTP User
523. POP3 Port
524. SMTP Port
525. IMAP Port
526. POP3 Password2
527. IMAP Password2
528. NNTP Password2
529. HTTPMail Password2
530. SMTP Password2
531. POP3 Password
532. IMAP Password
533. NNTP Password
534. HTTP Password
535. SMTP Password
536. Software\Microsoft\Internet Account Manager\Accounts
537. Identities
538. Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
539. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
540. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
541. Software\Microsoft\Internet Account Manager
542. Outlook
543. \Accounts
544. identification
545. identitymgr
546. inetcomm server passwords
547. outlook account manager passwords
548. identities
549. {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
550. Thunderbird
551. \Thunderbird
552. FastTrack
553. ftplist.txt
554. ---
555. #malwareMustDie!!!