While reading a couple of recent entries in security bogs by McAfee and
Symantec, I had one of those "say it isn't so" momements. A careful read of the
descriptions by McAfee of the Trojan Downloader Downloader-AXM and McAfee's
description of Formspy for Firefox and Symantec's description of Haxdoor for IE
seems to indicate that Downloader-AXM is able to distinguish between system
configurations and install malware specifically developed for either Firefox or
IE boxes.
I haven't been able to find out any further info from other virus
encyclopedias. Hopefully they should have entries soon.
Formspy was detected by Mcafee today (July 25th) and Haxdoor-0 by Symantec
yesterday (July 24th). Both are currently being spammed by an e-mail note
purporing to be an order confirmation. McAfee does have the full text of the
spam in its description of Downloader-AXM. According to McAfee, the downloader
is present in an attachment called "wc2905036.exe".
Symantec says in its blog that Haxdoor is downloaded through an attachment it
calls WC2905036.zip which yields WC2905036.exe, and in passing that the spammed
note is a bogus order confirmation.
Symantec states that there have been two different versions of the e-mail
message and two different attachments. They don't say if the file name remained
the same. So, are we looking at backdoors that use two separate downloaders or
one downloader for two different malware installations? This would also
indicate that the same folks are behind both Formspy and Haxdoor-0. Symantec
states that this version of Haxdoor may be of Russian origin.
References:
AvertLabs blog - http://www.avertlabs.com/research/blog/?p=62
FormSpy Downloader - http://vil.nai.com/vil/content/v_140257.htm
FormSpy - http://vil.nai.com/vil/content/v_140256.htm
Backdoor.Haxdoor-0 -
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072413-3859-99
Symantec Security Response Weblog -
http://www.symantec.com/enterprise/security_response/weblog/2006/07/there_they_go_again_1.html
