What is Win32:Farfli-AF?

Hi,

Avast found a few of these and put them in the chest, but it missed one in my Startup folder, so unfortunately the malware got to run after reboot. I noticed unusual CPU usage and killed the exe. Is there information on what this malware does? I need to know in order to plan for damage control.

Thanks

Jim

info

http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=farfli

if you need removal help, follow the guide and attach the requested logs.
http://forum.avast.com/index.php?topic=53253.0

We need logs from
AdwCleaner
Malwarebytes
OTL
aswMBR

you could send the malware files that were undetected by avast to virus@avast.com for analysis or send them by www.avast.com/contact-form.php

Well this is “an oldie”, so to say. This backdoor trojan in various variants was first seen back in Jan 05 2010 with its activity peaking this month last year.
It is a high level threat that should be removed. A backdoor trojan comes including a backdoor allowing unauthorized access to the target’s computer. These backdoors tend to be invisible to average users…

polonus

Ok, thanks, the link http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=farfli doesn’t list the AF variant, I wonder if there’s a virus database where I can find an exact description? For example, does it have a key logger?

Scan the file in question at Virustotal and you can have a distinguished clue.

polonus

very difficult…unless you upload your sample and have it analysed
there is no naming standard so another vendor has another name for it, so you will not find exact info just from the name
in fact, if we search virustotal for an avast detection on that name we find this

https://www.virustotal.com/nb/file/f02f5f3e874f13805de72d75fefcc9d5ee5b3b6f4b3a37d2d6528a0e3a668961/analysis/

and looking at the microsoft name, Trojan:Win32/Sisron, then we search microsoft we get this
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisron

so you see searching just from the name will not give you exact info on your sample, only analysis will

anyway why bother!
and if you suspect something is still in there, follow the guide i gave you, attach the logs and a removal expert will look inside for infections

Ok, thanks for the explanation. Actually I already decided to reinstall the OS, so I’m not that worried that it’s still there, but I am worried it got hold of my passwords, in which case I’ll need to change them all which is time consuming. Will Avast be able to analyze the file if I upload it?

Will Avast be able to analyze the file if I upload it?
yes, but they usually don't reply... and not with that kind of info i guess, when 100 000 samples go through the lab every day they are more than busy

you can upload it to Threatexpert for an auto analysis. http://www.threatexpert.com/submit.aspx
then you receive a link to the result in mail
the result is very tech…so unless you understand this stuff…

Ok, thanks, I’ll give Threatexpert a try.

you should also upload the files to www.virustotal.com and post links to results here or send it to avast via www.avast.com/contact-form.php as mentioned earlier

Ok, I got the result from ThreatExpert, it’s interesting but didn’t provide much detail on what the exe did to my harddrive or whether it logs key strokes. I’ll upload it to www.virustotal.com later this week, I already reinstalled the OS and the exe is in the old system’s Avast chest, I assume there’s no way to get it out from the chest without running Avast on the old system.