This is a detection for malware that installs itself as a Mozilla Firefox component extension.
Upon execution, it registers event listeners inside the browser and sends information the victim submits in web forms to a malicious website. This information can include, but is not limited to, credit card numbers, passwords and e-banking PINs. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.
This malware is a modified copy of "NumberedLinks 0.9", an open-source Mozilla component available on the Internet. The only thing the victim would notice is the "NumberedLinks 0.9" extension being installed, as shown in the Mozilla graphical user interface.
Discovered in the wild, this malware was downloaded and installed by the Downloader-AXM trojan.
The original component installs the following files:
FormSpy installs these additional files:
- %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
- %MozillaInstall%\components\AppInterConn.dll (FormSpy)
- %Mozilla%\AppInterConn.xpt (Mozilla component definition file)
- %Windir%\System32\138762763.exe (FormSpy)
(Where %MozillaUserProfile% is the Mozilla user profile folder, e.g. C:\Documents and Settings\WindowsUser\Application Data\Mozilla\Firefox\Profiles\f4dbo7e7.default; %MozillaInstall% is the Mozilla installation folder, e.g. C:\Program Files\Mozilla Firefox; and %Windir% is the Windows folder, e.g. C:\Windows)
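As an added example, not part of this description or of any vendor tool, the following Python check walks the locations listed above and reports which FormSpy indicator files are present. It assumes that %Mozilla% in the .xpt entry means the Mozilla installation folder, and the class-ID folder name used in the constructed sample tree is made up, since the listing only says it is arbitrary.

```python
"""Report FormSpy indicator files from the file listing above."""
import tempfile
from pathlib import Path

# Indicator paths from the listing, relative to the root they live under.
# %Mozilla%\AppInterConn.xpt has no definition in the listing; it is assumed
# here to mean the Mozilla installation folder (%MozillaInstall%).
INSTALL_INDICATORS = (Path("components", "AppInterConn.dll"), Path("AppInterConn.xpt"))
WINDIR_INDICATORS = (Path("System32", "138762763.exe"),)
PROFILE_INDICATOR = Path("chrome", "numberedlinks.jar")  # under an arbitrary class-ID folder


def scan_profile(profile_dir):
    """Return numberedlinks.jar paths found under <profile>/<ARBITRARY_CLASS_ID>/chrome/.

    The class-ID folder name is arbitrary, so every subfolder of the profile is checked.
    A hit here is weak on its own: a clean NumberedLinks 0.9 install drops the same
    jar, and the listing only says FormSpy's copy is a modified one.
    """
    profile_dir = Path(profile_dir)
    if not profile_dir.is_dir():
        return []
    return [str(d / PROFILE_INDICATOR)
            for d in sorted(profile_dir.iterdir())
            if d.is_dir() and (d / PROFILE_INDICATOR).is_file()]


def scan_host(mozilla_install, profiles_root, windir):
    """Return (strength, path) for every FormSpy indicator present on the host.

    The DLL, XPT and System32 executable are files the original component never
    installs, so they are rated "strong"; the jar is rated "weak" (see scan_profile).
    """
    hits = []
    for rel in INSTALL_INDICATORS:
        p = Path(mozilla_install) / rel
        if p.is_file():
            hits.append(("strong", str(p)))
    for rel in WINDIR_INDICATORS:
        p = Path(windir) / rel
        if p.is_file():
            hits.append(("strong", str(p)))
    profiles_root = Path(profiles_root)
    if profiles_root.is_dir():
        for profile in sorted(profiles_root.iterdir()):
            for jar in scan_profile(profile):
                hits.append(("weak", jar))
    return hits


def build_sample_layout():
    """Create a constructed, infected-looking directory tree in a temp dir.

    Returns (mozilla_install, profiles_root, windir). This is sample data for the
    demonstration, not a real host; the class-ID folder name is made up.
    """
    root = Path(tempfile.mkdtemp(prefix="formspy_demo_"))
    install = root / "Program Files" / "Mozilla Firefox"
    profiles = root / "Application Data" / "Mozilla" / "Firefox" / "Profiles"
    windir = root / "Windows"
    class_id = "{00000000-0000-0000-0000-000000000000}"  # placeholder class ID
    files = [
        install / "components" / "AppInterConn.dll",
        install / "AppInterConn.xpt",
        windir / "System32" / "138762763.exe",
        profiles / "f4dbo7e7.default" / class_id / "chrome" / "numberedlinks.jar",
        install / "components" / "unrelated.dll",  # harmless decoy, must not be flagged
    ]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"sample")
    return str(install), str(profiles), str(windir)


if __name__ == "__main__":
    for strength, path in scan_host(*build_sample_layout()):
        print(f"[{strength}] {path}")
```

On a real host, pass the three folders from the definitions above (for example C:\Program Files\Mozilla Firefox, the Profiles folder under the user's Application Data, and C:\Windows) instead of the constructed layout; a "weak" jar hit without any "strong" hit should be confirmed by inspecting the jar rather than treated as an infection.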