TROJ_FARFLI.EY
Monday, 12 November 2007
Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported infections: Low

Damage potential: Medium

Distribution potential: Low

Malware Overview

This Trojan may be dropped or downloaded from remote sites by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

It also arrives as a downloaded file from spoofed Yahoo! sites.

When executed, it connects to remote Web sites and downloads files that may be malicious. Whatever routines those downloaded files carry may then be exhibited on the affected system, so the full impact depends on what was downloaded at the time of infection.

Solution:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TROJ_FARFLI.EY.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use HouseCall, the Trend Micro online threat scanner.

Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems

This procedure boots the computer from the Windows installation CD into the Recovery Console, so the malware files can be deleted while Windows, and therefore the malware, is not running.

  1. Insert your Windows Installation CD in your CD-rom.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the letter of the drive that contains Windows (for example, C:) in the command prompt that appears, then press Enter.
  7. Type the following, then press Enter:
    del {Malware path and file name}
  8. Repeat the previous step for every file detected earlier.
  9. Type exit to restart the system.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
  3. In the right panel, locate and delete the key:
    {malware filename without extension}
    (Note: This malware registers two services. Each service key is named after one of the detected malware files, without its extension; delete both keys.)
  4. Close Registry Editor.

Deleting the Malware File(s)

This solution deletes the Internet shortcut (.URL file) dropped by this malware in the user's Favorites folder. The dropped file's name contains Chinese characters, which is why the steps below search by the file's content rather than by its name.

  1. Open My Computer, and go to the following folder:
    %User Profile%
  2. Right click the Favorites folder, and click Search...
  3. In the input box named "search for a word or phrase in the file", type the following, and click Search:
    http://www.6781.com/?001
  4. In the results pane, delete the file that appears with a .URL extension.
  5. Close Search results.
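The two manual clean-up steps above (the service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and the .URL file in Favorites) can be located with a short script before anything is deleted. The following is an added example, not Trend Micro's own tool, and assumes the paths noted in "Identifying the Malware Files" are passed in by the operator; the sample path in the usage section is a placeholder, not an indicator taken from this write-up. It runs with -WhatIf so nothing is removed until the operator drops that switch.

```powershell
# Added example (not part of the original write-up). Run from an elevated
# PowerShell prompt after the files have been deleted via the Recovery Console.

function Find-MalwareServiceKeys {
    # The write-up states the autostart service key is the malware file name
    # without its extension; derive that name from each detected path.
    param([Parameter(Mandatory)][string[]]$DetectedFiles)
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($file in $DetectedFiles) {
        $keyName = [System.IO.Path]::GetFileNameWithoutExtension($file)
        $keyPath = Join-Path $servicesRoot $keyName
        if (Test-Path -LiteralPath $keyPath) {
            $props = Get-ItemProperty -LiteralPath $keyPath
            [pscustomobject]@{
                Key       = $keyPath
                ImagePath = $props.ImagePath   # should point at the detected file
                Start     = $props.Start       # 2 = Automatic start
            }
        }
    }
}

function Find-DroppedFavorite {
    # .URL files are plain INI text ([InternetShortcut] / URL=...), so match on
    # the URL named in the write-up instead of on the Chinese-character file name.
    param(
        [string]$Marker    = 'http://www.6781.com/?001',
        [string]$Favorites = (Join-Path $env:USERPROFILE 'Favorites')
    )
    Get-ChildItem -LiteralPath $Favorites -Filter *.url -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -SimpleMatch -Pattern $Marker -Quiet }
}

# --- Usage -------------------------------------------------------------
# Placeholder path: replace with the paths your scanner reported (assumption).
$detected = @('C:\WINDOWS\system32\placeholder.exe')

# 1. Review what would be touched.
Find-MalwareServiceKeys -DetectedFiles $detected | Format-List
Find-DroppedFavorite | Select-Object FullName

# 2. Remove; drop -WhatIf once the listing above is confirmed.
Find-DroppedFavorite |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -WhatIf }
Find-MalwareServiceKeys -DetectedFiles $detected |
    ForEach-Object { Remove-Item -LiteralPath $_.Key -Recurse -WhatIf }
```

-LiteralPath is used throughout because a file name containing non-ASCII or bracket characters would otherwise be interpreted as a wildcard pattern. Deleting a service key while its service is still running does not stop the process; follow the page's order (remove the files from the Recovery Console first), or the key may be recreated before the reboot.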

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_FARFLI.EY. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Last Updated ( Monday, 12 November 2007 )