Opera just has a "month o' browser bugs" posted up on Metasploit.
As long as we're running with admin rights... malware has easy pickin's...
http://msmvps.com/blogs/harrywaldron/archive/2006/07/26/105854.aspx
http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html
Hayes, Bill wrote:
>While reading a couple of recent entries in security blogs by McAfee and Symantec, I had one of those "say it isn't so" moments. A careful read of the descriptions by McAfee of the Trojan Downloader Downloader-AXM and McAfee's description of Formspy for Firefox and Symantec's description of Haxdoor for IE seems to indicate that Downloader-AXM is able to distinguish between system configurations and install malware specifically developed for either Firefox or IE boxes.
>
>I haven't been able to find out any further info from other virus encyclopedias. Hopefully they should have entries soon.
>
>Formspy was detected by McAfee today (July 25th) and Haxdoor-0 by Symantec yesterday (July 24th). Both are currently being spammed by an e-mail note purporting to be an order confirmation. McAfee does have the full text of the spam in its description of Downloader-AXM. According to McAfee, the downloader is present in an attachment called "wc2905036.exe".
>
>Symantec says in its blog that Haxdoor is downloaded through an attachment it calls WC2905036.zip which yields WC2905036.exe, and in passing that the spammed note is a bogus order confirmation.
>
>Symantec states that there have been two different versions of the e-mail message and two different attachments. They don't say if the file name remained the same. So, are we looking at backdoors that use two separate downloaders or one downloader for two different malware installations? This would also indicate that the same folks are behind both Formspy and Haxdoor-0. Symantec states that this version of Haxdoor may be of Russian origin.
>
>References:
>
>AvertLabs blog - http://www.avertlabs.com/research/blog/?p=62
>FormSpy Downloader - http://vil.nai.com/vil/content/v_140257.htm
>FormSpy - http://vil.nai.com/vil/content/v_140256.htm
>Backdoor.Haxdoor-0 - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072413-3859-99
>Symantec Security Response Weblog - http://www.symantec.com/enterprise/security_response/weblog/2006/07/there_they_go_again_1.html
>_______________________________________________
>Get your free port scan here: http://www.seifried.org/freescan2/
>
>security mailing list
>security (at) lists.seifried (dot) org [email concealed]
>https://lists.seifried.org/mailman/listinfo/security
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs