FormSpy

Type: Trojan
SubType: Spyware
Discovery Date: 07/25/2006
Length: 42,496 bytes
Minimum DAT: 4814 (07/25/2006)
Updated DAT: 4972 (02/27/2007)
Minimum Engine: 5.1.00
Description Added: 07/25/2006
Description Modified: 07/25/2006 11:06 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

--- Update July 25, 2005 ---

Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be detected proactively in Internet Explorer (IE) with VirusScan ScriptScan (a VSE 8.0i feature) enabled, whilst FormSpy can be detected proactively using the latest DATs and engine.

This is a detection for malware that was discovered in the wild on July 24, 2005 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM).

It is installed as a Mozilla/Firefox extension component and forwards data submitted in the web browser to a malicious website.

Characteristics

This is a detection for malware that is installed as a Mozilla/Firefox extension component.

Upon execution, it registers Mozilla event listeners that hook the malware into the browser and sends information the victim submits in the web browser to a malicious website. This information can include, but is not limited to, credit card numbers, passwords and e-banking PINs. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

This malware is a modified version of "NumberedLinks 0.9", an open-source Mozilla extension available on the Internet. The victim would only notice the "NumberedLinks 0.9" extension appearing as installed in the Mozilla graphical user interface.

Discovered in the wild, this malware was downloaded and installed by the Downloader-AXM trojan.

The original component installs the following files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome.manifest
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\install.rdf

FormSpy installs these additional files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
  • %MozillaInstall%\components\AppInterConn.dll (FormSpy)
  • %Mozilla%\AppInterConn.xpt (Mozilla component definition file)
  • %Windir%\System32\138762763.exe (FormSpy)

(Where %MozillaUserProfile% is the Mozilla user profile folder, e.g. C:\Documents and Settings\WindowsUser\Application Data\Mozilla\Firefox\Profiles\f4dbo7e7.default; %MozillaInstall% is the Mozilla installation folder, e.g. C:\Program Files\Mozilla Firefox; and %Windir% is the Windows folder, e.g. C:\Windows.)

Symptoms

Presence of the following registry key(s):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"stup" = "%Windir%\System32\138762763.exe"
  • HKEY_CURRENT_USER\Software\keys

Outgoing HTTP connections bound for the following IP address(es):

  • 81.95.xx.xx

Unintended installation of the following Mozilla Firefox extension component(s):

  • NumberedLinks 0.9

(Mozilla Firefox users can check the installed extensions via the Tools->Extensions pull-down menu).
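A read-only host check for the indicators listed above, added here as an example and not part of the McAfee description. It assumes Firefox is installed under %ProgramFiles% and that profiles live under %APPDATA%\Mozilla\Firefox\Profiles; the extension folder name is discovered at run time rather than assumed.

```powershell
# Added example: triage check for the FormSpy indicators named in this description.
# Assumptions: Firefox under $env:ProgramFiles, profiles under $env:APPDATA\Mozilla\Firefox\Profiles.
function Find-FormSpyIndicators {
    $findings = @()

    # Persistence: HKCU Run value "stup" that points at the dropped executable
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'stup' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value 'stup' = $($run.stup)" }
    if (Test-Path 'HKCU:\Software\keys') { $findings += 'Registry key HKCU\Software\keys present' }

    # Dropped executable and the Firefox component files listed in Characteristics.
    # The page writes the .xpt location as %Mozilla%; both plausible locations are checked.
    $firefox = Join-Path $env:ProgramFiles 'Mozilla Firefox'
    $candidates = @(
        (Join-Path $env:WINDIR 'System32\138762763.exe'),
        (Join-Path $firefox 'components\AppInterConn.dll'),
        (Join-Path $firefox 'AppInterConn.xpt'),
        (Join-Path $firefox 'components\AppInterConn.xpt')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # Extension manifests and the (modified) numberedlinks.jar inside any Firefox profile
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $profiles) {
        $rdfs = Get-ChildItem -Path $profiles -Recurse -Filter 'install.rdf' -ErrorAction SilentlyContinue
        foreach ($rdf in $rdfs) {
            if (Select-String -Path $rdf.FullName -Pattern 'NumberedLinks' -Quiet) {
                $findings += "install.rdf references NumberedLinks: $($rdf.FullName)"
            }
        }
        $jars = Get-ChildItem -Path $profiles -Recurse -Filter 'numberedlinks.jar' -ErrorAction SilentlyContinue
        foreach ($jar in $jars) {
            $findings += "numberedlinks.jar present: $($jar.FullName)"
        }
    }
    return $findings
}

$hits = Find-FormSpyIndicators
if ($hits.Count -eq 0) { 'No FormSpy indicators found.' } else { $hits }
```

Any hit on the Run value or the 138762763.exe file warrants a full scan with current DATs; a NumberedLinks manifest on its own may be the legitimate extension, so compare the jar against a known-good copy before acting.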

Method of Infection

Discovered in the wild, this malware was downloaded and installed by the Downloader-AXM trojan.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

N/A