F0xy
Posted: February 12, 2015
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 1/10 |
|---|---|
| Infected PCs: | 92 |
| First Seen: | February 12, 2015 |
| Last Seen: | August 21, 2020 |
| OS(es) Affected: | Windows |
F0xy is a Trojan downloader that can install other threats on your PC, including malware and PUPs (Potentially Unwanted Programs). Although malware experts have found F0xy's payloads to be variable, recent F0xy attacks have installed digital currency miners. These miners could cause permanent damage to the infected PC's hardware, along with noticeable degradation of system performance. Updating your anti-malware tools regularly may be your best option for removing F0xy before it can harm the rest of your machine.
A Foxy Trojan with Hard-Working Friends
F0xy's code is primarily for automatically downloading and installing additional software onto your computer, and it is even capable of modifying which C&C servers are consulted to acquire its payloads. Although F0xy makes very limited use of traditional code obfuscation, it does employ other techniques meant to make its detection by anti-malware products difficult, and it can subvert ordinary Windows features to enable its attacks.
One of the most recent payloads malware experts verified with F0xy is CPUMiner, a non-threatening program that uses the PC's resources for generating Bitcoins (and other cryptocurrencies). As the name would seem to indicate, the use of CPUMiner can expend significant CPU resources, and, when used carelessly, may cause permanent strain and damage to the associated hardware. In cases less extreme than total system failure, F0xy's payload may cause system slowdowns, program instability and other, general signs of degraded performance.
F0xy installs CPUMiner and other software by default, and will even do the same with some components of itself, such as its Registry entries. Malware experts also saw F0xy using the Russian social networking platform VKontakte as a go-between for its C&C servers, as well as Microsoft's Background Intelligent Transfer Service (BITS) for handling its network activities. Together, these characteristics could explain why only a handful of anti-malware tools can identify F0xy samples.
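Because the downloader hands its network activity to Background Intelligent Transfer, reviewing what BITS is fetching on a host is a practical defensive check. The PowerShell below is an added example, not code from the original article; the function name Get-UnexpectedBitsFile, the allowlist suffixes and the sample job are assumptions constructed for illustration.

```powershell
# Added example: report BITS files whose remote host is outside an expected set.
# The default allowlist is an assumption; replace it with hosts your fleet uses.
function Get-UnexpectedBitsFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Job,
        [string[]]$AllowedSuffixes = @('.microsoft.com', '.windowsupdate.com')
    )
    process {
        foreach ($file in $Job.FileList) {
            $uri = $null
            # RemoteName may be malformed; TryCreate returns $false instead of throwing.
            $ok = [System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($ok) { $uri.Host.ToLowerInvariant() } else { '' }
            $expected = $false
            foreach ($suffix in $AllowedSuffixes) {
                # Accept the exact domain or a subdomain, never a bare substring match.
                if ($remoteHost -eq $suffix.TrimStart('.') -or $remoteHost.EndsWith($suffix)) {
                    $expected = $true
                }
            }
            if (-not $expected) {
                [pscustomobject]@{
                    JobId      = $Job.JobId
                    Name       = $Job.DisplayName
                    Owner      = $Job.OwnerAccount
                    State      = $Job.JobState
                    Created    = $Job.CreationTime
                    RemoteName = $file.RemoteName
                    LocalName  = $file.LocalName
                }
            }
        }
    }
}

# Constructed sample shaped like a Get-BitsTransfer job object (not real telemetry).
$sample = [pscustomobject]@{
    JobId = [guid]::NewGuid(); DisplayName = 'update'; OwnerAccount = 'PC01\alice'
    JobState = 'Transferred'; CreationTime = (Get-Date)
    FileList = @(
        [pscustomobject]@{ RemoteName = 'https://download.example.net/a.bin'; LocalName = 'C:\Temp\a.bin' },
        [pscustomobject]@{ RemoteName = 'https://download.windowsupdate.com/x.cab'; LocalName = 'C:\Temp\x.cab' }
    )
}
$sample | Get-UnexpectedBitsFile

# On a live host, from an elevated prompt so other users' jobs are visible:
# Get-BitsTransfer -AllUsers | Get-UnexpectedBitsFile | Format-List
```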
Outsmarting the Fox Making Money Off of Your Rig
Some threat authors use intricate obfuscation techniques to hide the real purpose of their program's code from security software. Instead of that complicated strategy, F0xy chooses to conceal itself by being as transparent as possible, and by making incredibly heavy use of legitimate, third-party products to coordinate its attacks. However, none of these attributes translate into making F0xy any easier to identify by eye than most other Trojans. At best, malware experts find that you can anticipate questionable performance caused by the cryptocurrency mining utilities installed by F0xy.
Removing F0xy and related software in a timely manner could mean the difference between a stable PC and a non-functioning one. Always scan your PC with anti-malware tools after any possible contact with an infection vector that could have installed F0xy. These threat-installing points may include everything from hacked websites to spam e-mail to Skype advertisements, all of which are manageable with the appropriate security precautions.
Technical Details
Registry Modifications
HKEY..\..\..\..{RegistryKeys}
Software\SimpleDIYOnline
HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
SimpleDIYOnlineTooltab Uninstall Internet Explorer