Virus Profile: FormSpy

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/25/2006
Date Added: 7/25/2006
Origin: N/A
Length: 42,496 bytes
Type: Trojan
Subtype: Spyware
DAT Required: 4814

Description

--- Update July 25, 2006 ---

Websites were found linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy through an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been compromised and modified by attackers. VBS/Psyme can be detected proactively in Internet Explorer (IE) with VirusScan ScriptScan (a VirusScan Enterprise 8.0i feature) enabled, while FormSpy is detected proactively with the latest DATs and engine.

This is a detection for malware discovered in the wild on July 24, 2006 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM).

It is installed as a Mozilla/Firefox extension component and forwards data submitted through the web browser to a malicious website.

 

Indication of Infection

Presence of the following registry key(s):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"stup" = "%Windir%\System32\138762763.exe"
  • HKEY_CURRENT_USER\Software\keys

Outgoing HTTP connections bound for the following IP address(es):

  • 81.95.xx.xx

Unintended installation of the following Mozilla Firefox extension component(s):

  • NumberedLinks 0.9

(Mozilla Firefox users can check the installed extensions via the Tools->Extensions pull-down menu).

 

Methods of Infection

Discovered from the wild, this malware was downloaded and installed by the Downloader-AXM trojan.

Virus Characteristics

This is a detection for malware that is installed as a Mozilla/Firefox extension component.

Upon execution, the extension registers Mozilla event listeners that capture data submitted by the victim in the web browser and send it to a malicious website. This information can include, but is not limited to, credit card numbers, passwords and e-banking PINs. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

The malware was built by modifying "NumberedLinks 0.9", an open-source Mozilla extension available on the Internet. The victim would only notice the "NumberedLinks 0.9" extension appearing in the Mozilla extension manager.

The original component installs the following files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome.manifest
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\install.rdf

FormSpy installs these additional files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
  • %MozillaInstall%\components\AppInterConn.dll (FormSpy)
  • %MozillaInstall%\AppInterConn.xpt (Mozilla component definition file)
  • %Windir%\System32\138762763.exe (FormSpy)

(Where %MozillaUserProfile% is the Mozilla user profile folder, e.g. C:\Documents and Settings\WindowsUser\Application Data\Mozilla\Firefox\Profiles\f4dbo7e7.default; %MozillaInstall% is the Mozilla installation folder, e.g. C:\Program Files\Mozilla Firefox; and %Windir% is the Windows folder, e.g. C:\Windows)
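The indicators in the "Indication of Infection" section and the file list above can be checked offline without the DATs. The following script is an added example written for this page, not McAfee's or the extension author's code: it walks a Firefox profile for any extension whose install.rdf names NumberedLinks 0.9, greps the numberedlinks.jar scripts for the hooks the description implies (a form "submit" listener, a reference to the AppInterConn component, the 81.95.x.x address), checks the installation and Windows folders for AppInterConn.dll, AppInterConn.xpt and 138762763.exe, and, on Windows only, looks for the "stup" Run value and the HKCU\Software\keys key. The extensions\ subfolder, the sample extension ID, the contents of the sample jar and the exact JavaScript patterns are assumptions, since the page does not publish the modified script; the sample profile is constructed here for testing.

```python
"""FormSpy triage: scan a Firefox profile, the Mozilla install dir and %Windir% for the published indicators."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Indicators taken from the profile page.
IOC_EXT_NAME, IOC_EXT_VERSION = "NumberedLinks", "0.9"
IOC_COMPONENT_DLL, IOC_COMPONENT_XPT = "AppInterConn.dll", "AppInterConn.xpt"
IOC_DROPPED_EXE = "138762763.exe"
IOC_RUN_VALUE = "stup"
# Assumption: the stock extension only handles keyboard navigation, so a form-submit
# listener, a reference to the AppInterConn component, or the C2 prefix marks a tampered jar.
SUSPICIOUS_JS = {
    "submit-listener": re.compile(r'addEventListener\s*\(\s*["\']submit["\']'),
    "appinterconn-ref": re.compile(r"AppInterConn", re.I),
    "c2-address": re.compile(r"\b81\.95\.\d{1,3}\.\d{1,3}\b"),
}


def _em_field(root, field):
    """Read em:<field> from install.rdf whether it is written as a child element or an attribute."""
    tag = "{%s}%s" % (EM_NS, field)
    for el in root.iter():
        if el.tag == tag and el.text:
            return el.text.strip()
        if tag in el.attrib:
            return el.attrib[tag].strip()
    return None


def parse_install_rdf(path):
    root = ET.parse(path).getroot()
    return _em_field(root, "id"), _em_field(root, "name"), _em_field(root, "version")


def scan_jar(jar_path):
    """Grep every script/XUL member of a chrome jar; returns {pattern label: [members]}."""
    hits = {}
    with zipfile.ZipFile(jar_path) as zf:
        for member in zf.namelist():
            if not member.lower().endswith((".js", ".xul", ".xml")):
                continue
            text = zf.read(member).decode("utf-8", "replace")
            for label, rx in SUSPICIOUS_JS.items():
                if rx.search(text):
                    hits.setdefault(label, []).append(member)
    return hits


def scan_profile(profile_dir):
    """Find every install.rdf under the profile and flag NumberedLinks 0.9 plus jar hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(profile_dir):
        if "install.rdf" not in files:
            continue
        ext_id, name, version = parse_install_rdf(os.path.join(dirpath, "install.rdf"))
        jar = os.path.join(dirpath, "chrome", "numberedlinks.jar")
        findings.append({
            "dir": dirpath, "id": ext_id, "name": name, "version": version,
            "numberedlinks": name == IOC_EXT_NAME and version == IOC_EXT_VERSION,
            "jar_hits": scan_jar(jar) if os.path.isfile(jar) else {},
        })
    return findings


def scan_host_files(install_dir, windir):
    """Return which of the native component and dropped EXE paths from the file list exist."""
    candidates = [os.path.join(install_dir, "components", IOC_COMPONENT_DLL),
                  os.path.join(install_dir, IOC_COMPONENT_XPT),
                  os.path.join(windir, "System32", IOC_DROPPED_EXE)]
    return [p for p in candidates if os.path.isfile(p)]


def check_registry():
    """Windows only: the 'stup' Run value and HKCU\\Software\\keys. Returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    hits = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            value, _ = winreg.QueryValueEx(key, IOC_RUN_VALUE)
            hits.append((r"HKCU\...\Run\stup", value))
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\keys"):
            hits.append((r"HKCU\Software\keys", ""))
    except OSError:
        pass
    return hits


def build_sample_profile(infected=True):
    """Constructed test fixture, not real FormSpy: a NumberedLinks 0.9 dir with a stock or tampered jar."""
    root = tempfile.mkdtemp(prefix="ffprofile-")
    ext = os.path.join(root, "extensions", "{sample-extension-id}")  # assumed layout
    os.makedirs(os.path.join(ext, "chrome"))
    with open(os.path.join(ext, "install.rdf"), "w") as fh:
        fh.write('<?xml version="1.0"?><RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                 'xmlns:em="%s"><Description about="urn:mozilla:install-manifest">'
                 '<em:id>{sample-extension-id}</em:id><em:name>NumberedLinks</em:name>'
                 '<em:version>0.9</em:version></Description></RDF>' % EM_NS)
    js = 'window.addEventListener("keypress", numberLinks, false);\n'  # stock behaviour (assumed)
    if infected:  # hypothetical form grabber calling the native component
        js += 'document.addEventListener("submit", function(e){ AppInterConn.send(e.target); }, true);\n'
    with zipfile.ZipFile(os.path.join(ext, "chrome", "numberedlinks.jar"), "w") as zf:
        zf.writestr("content/numberedlinks.js", js)
    return root


if __name__ == "__main__":
    profile = build_sample_profile(infected=True)
    for entry in scan_profile(profile):
        print(entry["name"], entry["version"], "NumberedLinks 0.9:", entry["numberedlinks"], entry["jar_hits"])
    print("host files:", scan_host_files(r"C:\Program Files\Mozilla Firefox", r"C:\Windows"))
    print("registry:", check_registry())
```

Run it with the real profile, install and Windows folders in place of the sample paths; a NumberedLinks 0.9 entry whose jar has no suspicious hits is the legitimate extension, while any jar hit or the presence of AppInterConn.dll or 138762763.exe matches the FormSpy file list above.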

Removal Instructions

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
