Aliases: W32/Foxma.worm, Win32.HLLW.Foxma, W32/HLLW.Foxmango, Win32.Foxmagno, W32/Foxmagno

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Moderate
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 04 Feb 2002
Damage: Medium

Characteristics: W32.Foxma is a Trojan horse that replicates itself to the \Windows\System folder. It arrives as Windows.exe. This Trojan horse is also known as W32/Foxma.worm, Win32.HLLW.Foxma, W32/HLLW.Foxmango, Win32.Foxmagno, W32/Foxmagno, WORM_FOXMA.A, PE_HLLW.FOXM.A. It was first discovered on February 4, 2002.

More details about W32.Foxma

W32.Foxma is a self-replicating Trojan. It copies itself to a particular folder using Windows.exe as its file name. Then, the Trojan modifies the system registry to actively run itself at startup. Written in Visual Basic 6.0, this Trojan adds the following value: RunSys C:\Windows\System\Windows.exe. This value is added to the system registry key. Thus, propagation of W32.Foxma is successfully executed.

The W32.Foxma application creates an unauthorized network connection between remote systems and the user’s computer. The W32.Foxma application is often used by other malware program to enter the system unnoticed. These malware applications utilize the backdoor functions of the program to communicate with remote servers on the World Wide Web. The security gaps created by the program enable security threats to acquire additional files from these online sources. These malware applications include Remote Access Tools (RATs), keyloggers, Trojan downloaders and worms.