Focus on Virus
Back to list
Trojan downloader may be dropping FireFox and IE specific components
Jul 25 2006 06:57PM
Hayes, Bill (Bill Hayes owh com)
Re: [security] Trojan downloader may be dropping FireFox and IEspecific components
Jul 26 2006 10:09PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net)
Say it is so.... Malware is big business.
Opera just has a "month o browser bugs' posted up on Metasploit.
As long as we're running with admin rights... malware has easy
Hayes, Bill wrote:
>While reading a couple of recent entries in security bogs by McAfee and Symantec, I had one of those "say it isn't so" momements. A careful read of the descriptions by McAfee of the Trojan Downloader Downloader-AXM and McAfee's description of Formspy for Firefox and Symantec's description of Haxdoor for IE seems to indicate that Downloader-AXM is able to distinguish between system configurations and install malware specifically developed for either Firefox or IE boxes.
>I haven't been able to find out any further info from other virus encyclopedias. Hopefully they should have entries soon.
>Formspy was detected by Mcafee today (July 25th) and Haxdoor-0 by Symantec yesterday (July 24th). Both are currently being spammed by an e-mail note purporing to be an order confirmation. McAfee does have the full text of the spam in its description of Downloader-AXM. According to McAfee, the downloader is present in an attachment called "wc2905036.exe".
>Symantec says in its blog that Haxdoor is downloaded through an attachment it calls WC2905036.zip which yields WC2905036.exe, and in passing that the spammed note is a bogus order confirmation.
>Symantec states that there have been two different versions of the e-mail message and two different attachments. They don't say if the file name remained the same. So, are we looking at backdoors that use two separate downloaders or one downloader for two different malware installations? This would also indicate that the same folks are behind both Formspy and Haxdoor-0. Symantec states that this version of Haxdoor may be of Russian origin.
>AvertLabs blog - http://www.avertlabs.com/research/blog/?p=62
>FormSpy Downloader - http://vil.nai.com/vil/content/v_140257.htm
>FormSpy - http://vil.nai.com/vil/content/v_140256.htm
>Backdoor.Haxdoor-0 - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2
>Symantec Security Response Weblog - http://www.symantec.com/enterprise/security_response/weblog/2006/07/ther
>Get your free port scan here: http://www.seifried.org/freescan2/
>security mailing list
>security (at) lists.seifried (dot) org [email concealed]
Letting your vendors set your risk analysis these days?
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
[ reply ]
Copyright 2010, SecurityFocus