Virus Profile: FormSpy

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/25/2006
Date Added: 7/25/2006
Origin: N/A
Length: 42,496 bytes
Type: Trojan
Subtype: Spyware
DAT Required: 4814

Description

--- Update July 25, 2005 ---

Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers. VBS/Psyme can be detected proactively in Internet Explorer (IE) with VirusScan ScriptScan (VSE8.0i feature) enabled; whilst FormSpy can be detected proactively using the latest DATs and engine.

This is a detection for a malware that was discovered in the wild on July 24, 2005 (PST). Its installer was proactively detected as New Malware.ag (now Downloader-AXM).

It is installed as a Mozilla/Firefox extension component and forwards data submitted in the web browser to a malicious website.

Indication of Infection

Presence of the following registry key(s):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"stup" = "%Windir%\System32\138762763.exe"
  • HKEY_CURRENT_USER\Software\keys

Outgoing HTTP connections bound for the following IP address(es):

  • 81.95.xx.xx

Unintended installation of the following Mozilla Firefox extension component(s):

  • NumberedLinks 0.9

(Mozilla Firefox users can check the installed extensions via the Tools->Extensions pull-down menu).
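As an added defender-side check, not part of the McAfee profile, the following Python script matches the registry and file indicators listed above against a Regedit 5.00 export and a file listing. The sample export and file list are constructed; the outgoing IP address is elided on this page and is therefore not checked.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "stup"                  # value name the profile lists under the Run key
DROPPED_EXE = "138762763.exe"       # dropped into %Windir%\System32
MARKER_KEY = r"HKEY_CURRENT_USER\Software\keys"
FIREFOX_COMPONENT = "appinterconn.dll"  # dropped into %MozillaInstall%\components

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a Regedit 5.00 .reg export into {key: {name: data}} (keys/names lower-cased)."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)  # REG_SZ values only
        if val_match and current is not None:
            # .reg exports double every backslash inside REG_SZ data
            keys[current][val_match.group(1).lower()] = val_match.group(2).replace("\\\\", "\\")
    return keys

def find_formspy_indicators(reg_text: str, file_paths: list[str]) -> list[str]:
    """Return one finding per FormSpy indicator present in the export / file list."""
    findings: list[str] = []
    keys = parse_reg_export(reg_text)
    startup = keys.get(RUN_KEY.lower(), {}).get(RUN_VALUE, "")
    if startup.lower().endswith("\\" + DROPPED_EXE):
        findings.append(f"Run value '{RUN_VALUE}' starts {startup}")
    if MARKER_KEY.lower() in keys:
        findings.append(f"registry key present: {MARKER_KEY}")
    for path in file_paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in (DROPPED_EXE, FIREFOX_COMPONENT):
            findings.append(f"file present: {path}")
    return findings

# Constructed sample input (not captured from a real host); the last file is a benign decoy.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"stup"="C:\\WINDOWS\\System32\\138762763.exe"
[HKEY_CURRENT_USER\Software\keys]
"""
SAMPLE_FILES = [r"C:\WINDOWS\System32\138762763.exe",
                r"C:\Program Files\Mozilla Firefox\components\AppInterConn.dll",
                r"C:\Program Files\Mozilla Firefox\components\harmless.dll"]
```

The modified numberedlinks.jar is deliberately not matched by name, since the legitimate NumberedLinks extension ships the same file; that one needs a hash or content comparison.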


Methods of Infection

Discovered in the wild, this malware was downloaded and installed by the Downloader-AXM trojan.

Virus Characteristics

This is a detection for a malware that is installed as a Mozilla/Firefox component extension.

Upon execution, it registers Mozilla event listeners that hand data submitted by the victim in the web browser to the malware, which sends it to a malicious website. This information can include, but is not limited to, credit card numbers, passwords and e-banking PIN numbers. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

This malware was modified from "NumberedLinks 0.9", an open source Mozilla component available on the Internet. The victim would only notice the "NumberedLinks 0.9" extension being installed via the Mozilla graphical user interface.

Discovered in the wild, this malware was downloaded and installed by the Downloader-AXM trojan.

The original component installs the following files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome.manifest
  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\install.rdf

FormSpy installs these additional files:

  • %MozillaUserProfile%\(ARBITRARY_CLASS_ID)\chrome\numberedlinks.jar (modified - FormSpy)
  • %MozillaInstall%\components\AppInterConn.dll (FormSpy)
  • %Mozilla%\AppInterConn.xpt (Mozilla component definition file)
  • %Windir%\System32\138762763.exe (FormSpy)

(Where %MozillaUserProfile% is the Mozilla user profile folder, e.g. C:\Documents and Settings\WindowsUser\Application Data\Mozilla\Firefox\Profiles\f4dbo7e7.default; %MozillaInstall% is the Mozilla installation folder, e.g. C:\Program Files\Mozilla Firefox; and %Windir% is the Windows folder, e.g. C:\Windows)

Removal Instructions

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.
