Virus Profile: Downloader-AXM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/25/2006
Date Added: 7/25/2006
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Downloader
DAT Required: 4814
Removal Instructions

Description

The initial spamming of this trojan was proactively detected in the wild as New Malware.ag by email scanning products.

This downloader serves as a downloading/updating component for other malicious files. Generally it makes Internet connections without the user's knowledge and downloads malicious content.

Indication of Infection

HTTP connections made from the Windows Explorer process to the following IP address(es):

  •  81.95.xx.xx

Methods of Infection

Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).

Aliases

Trj/Spyforms.H (Panda), Trojan-PSW.Win32.Small.bs (Kaspersky), TSPY_SMALL.EEW (Trend), W32/Gozi.A (Norman), Win32/Ursnif.AG (CA)

Virus Characteristics

-- Update September 24, 2006 --

A new series of spam containing hyperlinks and file attachments that install Downloader-AXM was discovered recently. These Downloader-AXM variants can be proactively detected as New Win32.g2. The spam may appear as one of the following e-mails:

From: (random)<RANDOM>
To: (recipient)<RECIPIENT>
Subject: Kylie Minogue killed by a cancer.

Kylie Minogue is dead.
We will never forget you.
Your last words will be always in our hearts!
lastwords.zip (hyperlinked to http://81.95.(hidden)/(hidden)/kylie.htm)

File Attachment: lastwords.zip


From: "VISA TechSupport" <TECHSUPPORT@VISA.COM.AU>
To: (recipient)<RECIPIENT>
Subject: TT_2846583-[YOUR DETAILS HAVE BEEN CHANGED!]


Dear Customer,

This message has been sent to you by Visa Security Program.

You've specified this e-mail as reachable with your credit card online transaction (your credit card details are not shown here for security reasons).
We notify you that your level of authorization has been altered during your last transaction of AUD 107.40 together with the service fee of AUD 24.00. (21 SEPT 2006)
You can check details in the attachment.

If you believe there was a mistake please report this to Verified by Visa.
Protect your Visa card online with a personal password
Visa provides reassurance that only you can use your Visa card online. Learn more about the benefits of Verified by Visa
http://www.visaeurope.com/personal/onlineshopping/verifiedbyvisa/signup.jsp

techsupport@visa.com.au

Regards
VISA TechSupport

File Attachment: TT_2846583.zip

-- Update July 25, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techweb.com/wire/security/191101268;jsessionid=ZSIPNB4RIMFWUQSNDLOSKH0CJUNN2JVN

Though we consider this a low threat, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page: <https://www.webimmune.net/extra/getextra.aspx>

Additionally, a repackaged version of this trojan was mass-spammed on July 25, 2006. Message content is the same as the initial spamming. Detection for this version is included in the 4815 DAT files (release date July 26, 2006).
--

This trojan was mass-spammed on July 24, 2006 in a message as follows:

From: billing support [mailto:info@walmart.com]
Subject: Your order information WC2905036

Dear Sir/Madam,
 
Thank you for shopping with our internet shop. Your order, WC2905036,
has been received. Summary of your order you can see in the attachment
file.
 
This email is to confirm the receipt of your order. Please do not reply
as this email was sent from our automated confirmation system.
 
Please Note: There is no need to re-send your request or call our
customer service department for status or tracking number, this will
only delay our response time to you. Rest assured, we are making every
effort to process and ship your order within 1 to 2 business days. We
appreciate your understanding and patience and do value your business.
 
Once your order has been processed and shipped a FEDEX Tracking number
will be automatically emailed to the address provided.
 
Please Note: Tracking information will be available in FedEx's system
only after 10pm EST Monday thru Friday. If you receive a tracking number
on Sunday, you will be able to track it Monday evening after 10pm EST.
 
All orders placed including 1-2 or 2-3 business day options are shipped
within 48 hours providing the merchandise is in stock.
All FedEx Ground orders will take 7-10 business days to arrive.
 
Some packages may require a signature upon delivery. These packages will
not be left without a signature. For your convenience, we will email you
a FedEx tracking number on all successfully processed and shipped
orders.
 
All Plasma TVs, DVD players, Scanners, Fax Machines, Receivers, Home
Theater, and Printers are not returnable after box is opened.
 
To insure the best handling of your order please allow 24-48 business
hours for the processing and the shipping of your order. Thank you for
your cooperation. 
 
We hope you enjoy your order!  Thank you for shopping with us!

Attachment: wc2905036.exe

When executed, the trojan creates and executes a thread in the Windows Explorer (explorer.exe) process, and terminates. The trojan executes in the memory space of Windows Explorer from there on.

Connections are made to a web server hosted at IP address 81.95.xx.xx to download other malware. At the time of writing, FormSpy was downloaded and installed onto the victim's machine.
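The two indicators above (the trojan running inside explorer.exe and that process opening HTTP connections to the masked 81.95.xx.xx address) can be turned into a simple log check. The following is an added example, not AVERT's code; the records are constructed Sysmon-style "image|destination ip|destination port" lines, and the 81.95.0.0/16 range is the widest reading of the masked address in the profile.

```python
import ipaddress
import re

# Constructed network-connection records (not from the profile):
# "image|dest_ip|dest_port". The 81.95.x.x hosts are placeholders for the
# masked 81.95.xx.xx address given in the profile.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|81.95.10.20|80
C:\\Program Files\\Internet Explorer\\iexplore.exe|81.95.10.20|80
C:\\Windows\\explorer.exe|10.0.0.5|445
C:\\Windows\\explorer.exe|81.95.200.1|80
C:\\Windows\\svchost.exe|81.95.10.20|443
"""

# Widest reading of "81.95.xx.xx"; narrow it if the full address is known.
SUSPECT_NET = ipaddress.ip_network("81.95.0.0/16")
# Match the Windows Explorer image itself, not e.g. iexplore.exe.
SUSPECT_IMAGE = re.compile(r"(?:^|\\)explorer\.exe$", re.IGNORECASE)
HTTP_PORTS = {80, 8080}


def parse_event(line):
    """Split one constructed record into (image, ip string, port int)."""
    image, ip, port = line.strip().split("|")
    return image, ip, int(port)


def is_downloader_axm_indicator(image, ip, port):
    """True when explorer.exe talks HTTP to a host in the suspect range."""
    return (SUSPECT_IMAGE.search(image) is not None
            and port in HTTP_PORTS
            and ipaddress.ip_address(ip) in SUSPECT_NET)


def find_indicators(text):
    """Return the (image, ip, port) tuples that match the profile's indicators."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        image, ip, port = parse_event(line)
        if is_downloader_axm_indicator(image, ip, port):
            hits.append((image, ip, port))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EVENTS):
        print("suspect connection:", hit)
```

A browser (iexplore.exe) reaching the same range is deliberately not flagged, since the profile's indicator is Windows Explorer itself making the connection.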

   
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
