McAfee > Theat Center > Virus Detail Page

Overview

Overview -
-- Update Sept 03, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/09/01/firefox_spyware_add_on/

--

This detection is for a malware which purports to be an update for Adobe Flash Installation. When executed, this malware will install a malicious plugin for Mozilla Firefox browser.

The malware will then monitor the user's Google search and upload the information garnered to http://msjupdate.com/[Removed]

Aliases

• DR/Spy.FFSpy.A.2 [Avira]

• JS/Spy.FFSpy.A [Nod32]

• Trojan-Spy.JS.FFSpy [Ikarus]

• Trojan-Spy.JS.FFSpy.a [Kaspersky]

• Trojan-Spy.JS.FFSpy.a [VBA32]

• Trojan.Spy.FFSpy.A [BitDefender]

• TrojanDropper:Win32/Updobe.A [Microsoft]

• TSPY_EBOD.A [TrendMicro]

• W32/FFSpy.A [F-Secure]

Characteristics

Overview -
-- Update Sept 03, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/09/01/firefox_spyware_add_on/

--

When executed this malware displays the following fake message:

It then drops the following files:

• %AppData%\Adobe\Flash\chrome.manifest
• %AppData%\Adobe\Flash\content\google.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.js.old [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.xul
• %AppData%\Adobe\Flash\install.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\install.rdf [JS/FFSpy Trojan]

Note: %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

It then creates the following registry entry:

• Hkey_Current_User\Software\Mozilla\Firefox\Extensions{191d3f14-ff4c-4895-bdea-
  db54526cb49a}
  Data: "%AppData%\Adobe\Flash"

The malware then begins to monitor the user's Google search and uploads information to http://msjupdate.com/[Removed]

Symptoms

Apart from the presence of files and registry entries mentioned, infected user's will see a Firefox plugin similar to the one displayed in the screenshot below:

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

The distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

Overview -
-- Update Sept 03, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/09/01/firefox_spyware_add_on/

--

This detection is for a malware which purports to be an update for Adobe Flash Installation. When executed, this malware will install a malicious plugin for Mozilla Firefox browser.

The malware will then monitor the user's Google search and upload the information garnered to http://msjupdate.com/[Removed]

Aliases

• DR/Spy.FFSpy.A.2 [Avira]

• JS/Spy.FFSpy.A [Nod32]

• Trojan-Spy.JS.FFSpy [Ikarus]

• Trojan-Spy.JS.FFSpy.a [Kaspersky]

• Trojan-Spy.JS.FFSpy.a [VBA32]

• Trojan.Spy.FFSpy.A [BitDefender]

• TrojanDropper:Win32/Updobe.A [Microsoft]

• TSPY_EBOD.A [TrendMicro]

• W32/FFSpy.A [F-Secure]

Characteristics

Characteristics -

Overview -
-- Update Sept 03, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/09/01/firefox_spyware_add_on/

--

When executed this malware displays the following fake message:

It then drops the following files:

• %AppData%\Adobe\Flash\chrome.manifest
• %AppData%\Adobe\Flash\content\google.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.js.old [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\content\overlay.xul
• %AppData%\Adobe\Flash\install.js [JS/FFSpy Trojan]
• %AppData%\Adobe\Flash\install.rdf [JS/FFSpy Trojan]

Note: %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

It then creates the following registry entry:

• Hkey_Current_User\Software\Mozilla\Firefox\Extensions{191d3f14-ff4c-4895-bdea-
  db54526cb49a}
  Data: "%AppData%\Adobe\Flash"

The malware then begins to monitor the user's Google search and uploads information to http://msjupdate.com/[Removed]

Symptoms

Symptoms -

Apart from the presence of files and registry entries mentioned, infected user's will see a Firefox plugin similar to the one displayed in the screenshot below:

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

The distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A