
| Subject: | Re: Trojan downloader may be dropping FireFox and IE specific components |
|---|---|
| Date: | Fri, 28 Jul 2006 13:44:19 -0500 |
Computer Associates eTrust Spyware Encyclopedia now has an entry for Haxdoor.G that states this malware seems to have the same distribution as Formspy, which CA calls Ursnif.B. The CA entry Haxdoor.G states that its name is equivalent to Symantec's name of Haxdoor-0.

At first glance, this seems to vindicate the notion that Downloader-AXM (McAfee) does indeed discriminate between browser installations and installs the appropriate malware -- either FormSpy for Firefox or Haxdoor-0 for IE. This would be much more efficient than sending out two sets of spam with identical wording and different attachments. It would also mean that we've turned a dark corner and that downloaders from this point on will become more sophisticated in determining what kind of malware to install. As Susan Bradley seemed to infer, that could mean that Opera-related exploits could also be installed from the same downloader that attacks IE and Firefox browsers.

However, it is possible that the folks behind Downloader-AXM did turn out two different mass-spam mailings -- one for Haxdoor-O and one for FormSpy. McAfee in its July 25th update of the Downloader-AXM page states that two Downloader-AXM mailings were detected on the 24th and the 25th of July. While the message had the identical content, McAfee claims that Downloader-AXM had been repackaged. I think it means that the attachment was first presented as wc2905036.exe and then on the second mailing put in a zip file called WC2905036.zip.

Has anyone examined the attachments from these two mass-spammings? Are they indeed functionally identical? If so, can they download Formspy and Haxdoor-O?
References:

Downloader-AXM:
  Downloader-AXM (McAfee) - http://vil.nai.com/vil/content/v_140257.htm
  Win32/SillydI.AT0 (CA) - http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=57188
  29Down (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098985
  Troj/Dloadr-AKL (Sophos) - http://www.sophos.com/virusinfo/analyses/trojdloadrakl.html
  Downloader.Traus (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072610-0431-99
  TROJ_DLOAD.AH (Trend) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.AH

FormSpy:
  FormSpy (McAfee) - http://vil.nai.com/vil/content/v_140256.htm
  Ursnif.B (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098986
  SnifSteal.A (Panda) - http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=124440
  Troj/Firespy-A (Sophos) - http://www.sophos.com/security/analyses/trojfirespya.html
  InfoStealer.Snifula (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072610-2145-99
  TSPY_SNIFSTEAL.A (Trend) - http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_SNIFSTEAL.A

Haxdoor-0:
  Haxdoor-0 (Symantec) - http://www.symantec.com/security_response/writeup.jsp?docid=2006-072413-3859-99&tabid=1
  Haxdoor.G (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098984
  Haxdoor.CP (Sophos) - http://www.sophos.com/security/analyses/trojhaxdoorcp.html
  BKDR_HAXDOOR.GP (Trend) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.GP

Related References:
  Win32/SillyDI Family (CA) - http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39574