Focus on Virus
Back to list
Trojan downloader may be dropping FireFox and IE specific components
Jul 25 2006 06:57PM
Hayes, Bill (Bill Hayes owh com)
While reading a couple of recent entries in security bogs by McAfee and Symantec, I had one of those "say it isn't so" momements. A careful read of the descriptions by McAfee of the Trojan Downloader Downloader-AXM and McAfee's description of Formspy for Firefox and Symantec's description of Haxdoor for IE seems to indicate that Downloader-AXM is able to distinguish between system configurations and install malware specifically developed for either Firefox or IE boxes.
I haven't been able to find out any further info from other virus encyclopedias. Hopefully they should have entries soon.
Formspy was detected by Mcafee today (July 25th) and Haxdoor-0 by Symantec yesterday (July 24th). Both are currently being spammed by an e-mail note purporing to be an order confirmation. McAfee does have the full text of the spam in its description of Downloader-AXM. According to McAfee, the downloader is present in an attachment called "wc2905036.exe".
Symantec says in its blog that Haxdoor is downloaded through an attachment it calls WC2905036.zip which yields WC2905036.exe, and in passing that the spammed note is a bogus order confirmation.
Symantec states that there have been two different versions of the e-mail message and two different attachments. They don't say if the file name remained the same. So, are we looking at backdoors that use two separate downloaders or one downloader for two different malware installations? This would also indicate that the same folks are behind both Formspy and Haxdoor-0. Symantec states that this version of Haxdoor may be of Russian origin.
AvertLabs blog - http://www.avertlabs.com/research/blog/?p=62
FormSpy Downloader - http://vil.nai.com/vil/content/v_140257.htm
FormSpy - http://vil.nai.com/vil/content/v_140256.htm
Backdoor.Haxdoor-0 - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2
Symantec Security Response Weblog - http://www.symantec.com/enterprise/security_response/weblog/2006/07/ther
[ reply ]
Copyright 2010, SecurityFocus