Focus on Virus
Back to list
Re: Trojan downloader may be dropping FireFox and IE specific components
Jul 28 2006 06:44PM
Hayes, Bill (Bill Hayes owh com)
Computer Associates eTrust Spyware Encyclopedia now has an entry for Haxdoor.G that states this malware seems to have the same distribution as Formspy, which CA calls Ursnif.B. The CA entry Haxdoor.G states that its name is equivalent to Symantec's name of Haxdoor-0.
At first glance, this seems to vindicate the notion that Downloader-AXM (McAfee) does indeed discriminate between browser installations and installs the appropriate malware -- either FormSpy for Firefox or Haxdoor-0 for IE. This would be much more efficient than sending out two sets of spam with identical wording and different attachments. It would also mean that we've turned a dark corner and that downloaders from this point on will become more sophisticated in determining what kind of malware to install. As Susan Bradley seemed to infer, that could mean that Opera-related exploits could also be installed from the same downloader that attacks IE and Firefox browsers.
However, it is possible that the folks behind Downloader-AXM did turn out two different mass-spam mailings -- one for Haxdoor-O and one for FormSpy. McAfee in its July 25th update of the Downloader-AXM page states that two Downloader-AXM mailings were detected on the 24th and the 25th of July. While the message had the identical content, McAfee claims that Downloader-AXM had been repackaged. I think it means that the attachment was first presented as wc2905036.exe and then on the second mailing put in a zip file called WC2905036.zip.
Has anyone examined the attachments from these two mass-spammings? Are they indeed functionally identical? If so, can they download Formspy and Haxdoor-O?
Downloader-AXM (McAfee) - http://vil.nai.com/vil/content/v_140257.htm
(Downloader-AXM) Win32/SillydI.AT0 - (CA) http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=57188
(Downloader-AXM) 29Down (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098985
(Downloader-AXM) Troj/Dloadr-AKL (Sophos) - http://www.sophos.com/virusinfo/analyses/trojdloadrakl.html
(Downloader-AXM) Downloader.Traus (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2
(Downloader-AXM) TROJ_DLOAD.AH - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLO
FormSpy (McAfee) - http://vil.nai.com/vil/content/v_140256.htm
(FormSpy) Ursnif.B (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098986
(FormSpy) SnifSteal.A (Panda) - http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=v
(FormSpy) Troj/Firespy-A (Sophos) - http://www.sophos.com/security/analyses/trojfirespya.html
(FormSpy) InfoStealer.Snifula (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2
(FormSpy) TSPY_SNIFSTEAL.A (Trend) - http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TS
Haxdoor-0 (Symantec) - http://www.symantec.com/security_response/writeup.jsp?docid=2006-072413-
(Haxdoor-0) Haxdoor.G (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098984
(Haxdoor-0) Haxdoor.CP (Sophos) - http://www.sophos.com/security/analyses/trojhaxdoorcp.html
(Haxdoor-0_ BKDR_HAXDOOR.GP (Trend) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAX
Win32/SillyDI Family (CA) - http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39574
[ reply ]
Copyright 2010, SecurityFocus