Sophos

Troj/FireSpy-A


Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: September 2006 (4.09)
Protection available since: 25 July 2006 07:26:18 (GMT)
Last updated: 27 July 2006 04:56:29 (GMT)
Detected by: All Sophos products

More Information

Troj/FireSpy-A is an information stealing Trojan for the Windows platform.

Troj/FireSpy-A includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/FireSpy-A copies itself to <System>\138762763.exe.

The following registry entry is created to run 138762763.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value name: stup
  Data: <System>\138762763.exe

Registry entries are created under:

HKCU\Software\keys\k1
HKCU\Software\keys\k2

Troj/FireSpy-A checks for an installed version of the Mozilla Firefox browser.

If a Mozilla Firefox installation is detected, Troj/FireSpy-A attempts to create the files:

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\Profiles\<random characters>.default\chrome\chrome.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\Profiles\<random characters>.default\chrome\overlayinfo\browser\content\overlays.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\Profiles\<random characters>.default\extensions\(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\chrome.manifest

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\Profiles\<random characters>.default\extensions\(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\install.rdf

<Documents and Settings>\Administrator\Application Data\Mozilla\Firefox\Profiles\<random characters>.default\extensions\(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\numberedlinks.jar

<Mozilla Firefox installation folder>\components\AppInterConn.dll

<Mozilla Firefox installation folder>\components\AppInterConn.xpt

These files can be deleted.

Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, logging information the user enters into web forms.

This information is subsequently sent to a remote location via HTTP POST.
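The indicators above (the Run value, the dropped executable, the extension directory and the AppInterConn component files) can be turned into a simple host sweep. The script below is an added example and is not Sophos tooling: it checks a collected inventory of HKCU Run values and file paths against those indicators. The inventory shape (a dict of Run values plus a list of paths), the sample host data, the profile name x7q2kz9m.default and the system folder C:\WINDOWS\system32 are all constructed for the example, and treating chrome.rdf and overlays.rdf as merely corroborating (because Firefox of that era wrote them itself when overlays were registered) is this example's own judgment, not a statement from the description.

```python
"""
Added example, not Sophos's own tooling: sweep a host inventory for the
Troj/FireSpy-A indicators listed in the description above. The inventory
shape (dict of Run values, list of file paths) is an assumption; on a real
host you would fill it from a registry/filesystem walk or an EDR export.
"""
from typing import Dict, Iterable, List

RUN_VALUE_NAME = "stup"                  # value name under HKCU\...\CurrentVersion\Run
DROPPED_EXE = "138762763.exe"            # copy written to <System>
EXTENSION_ID = "(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)"   # directory name as on the page
COMPONENT_FILES = {"appinterconn.dll", "appinterconn.xpt"}
# Profile files specific to this Trojan, matched on the tail of the path.
HIGH_PROFILE_TAILS = tuple(
    (EXTENSION_ID + "\\" + name).lower()
    for name in ("chrome.manifest", "install.rdf", "numberedlinks.jar")
)
# chrome.rdf / overlays.rdf are also written by Firefox itself when overlays are
# registered (assumption of this example), so on their own they only corroborate.
WEAK_PROFILE_TAILS = (
    "\\chrome\\chrome.rdf",
    "\\chrome\\overlayinfo\\browser\\content\\overlays.rdf",
)


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run values whose data launches the dropped executable."""
    findings = []
    for name, data in run_values.items():
        if data.strip('"').lower().endswith("\\" + DROPPED_EXE):
            tag = "exact match" if name.lower() == RUN_VALUE_NAME else "different value name"
            findings.append(f"Run value {name!r} -> {data} ({tag})")
    return findings


def check_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Split file-path matches into 'high' (specific to this Trojan) and 'weak'."""
    out: Dict[str, List[str]] = {"high": [], "weak": []}
    for p in paths:
        low = p.lower().replace("/", "\\")
        base = low.rsplit("\\", 1)[-1]
        if base == DROPPED_EXE:
            out["high"].append(f"dropped copy: {p}")
        elif base in COMPONENT_FILES and "\\components\\" in low:
            out["high"].append(f"Firefox component: {p}")
        elif any(low.endswith(t) for t in HIGH_PROFILE_TAILS):
            out["high"].append(f"extension file: {p}")
        elif any(low.endswith(t) for t in WEAK_PROFILE_TAILS):
            out["weak"].append(f"overlay registration file: {p}")
    return out


def sweep(run_values: Dict[str, str], paths: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into a verdict: infected / review / clean."""
    high = check_run_values(run_values)
    file_hits = check_files(paths)
    high += file_hits["high"]
    verdict = "infected" if high else ("review" if file_hits["weak"] else "clean")
    return {"verdict": verdict, "high": high, "weak": file_hits["weak"]}


# Constructed sample inventory for an infected host (profile name and system
# folder are made up for the example).
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "stup": r"C:\WINDOWS\system32\138762763.exe",
}
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\138762763.exe",
    r"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox"
    r"\Profiles\x7q2kz9m.default\chrome\chrome.rdf",
    r"C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox"
    r"\Profiles\x7q2kz9m.default\extensions\(1d58a41c-b1a5-4c8f-94bf-6350f2809b06)\install.rdf",
    r"C:\Program Files\Mozilla Firefox\components\AppInterConn.dll",
    r"C:\Program Files\Mozilla Firefox\components\nsHelperAppDlg.js",
]

if __name__ == "__main__":
    result = sweep(SAMPLE_RUN_VALUES, SAMPLE_PATHS)
    print("verdict:", result["verdict"])
    for line in result["high"]:
        print("  HIGH", line)
    for line in result["weak"]:
        print("  weak", line)
```

The Run-value check matches on the executable name rather than only on the value name, so a variant that persists under a different name still surfaces; the weak indicators alone only yield a "review" verdict so that a clean profile with overlay files does not get cleaned by mistake.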
