FormBook

Posted by Max Lehmann on January 15, 2018

What is FormBook?

FormBook is a Trojan infection that might slither onto your computer and cause privacy-related issues since it is an infostealer Trojan, as research conducted by specialists working at anti-spyware-101.com has clearly shown. A bunch of different distribution mechanisms might be used to spread this information stealing malware. For example, it might be spread via PDFs with download links, .DOC and .XLS files with malicious macros, and archive files containing malicious executables. FormBook has already affected Aerospace, Defense Contractor, and Manufacturing sectors in the U.S and South Korea, but there is no doubt that these are not its only victims. Unfortunately, it takes time for victims to find out that this Trojan has affected their computers because it slithers onto them unnoticed and performs all activities in the background so that it would not be spotted and removed. If you suspect that this malicious application is active on your computer too and it turns out to be true, erase it from the system as soon as possible no matter how hard it is because this threat will not stop stealing information from your computer anytime soon. Unfortunately, we cannot promise that you could erase it from your system easily because it is extremely sophisticated malware.

What does FormBook do?

FormBook has been advertised on the dark web since the beginning of 2016. It can be rented and/or purchased by anyone willing to pay money for it. Cyber criminals are asked to pay 29 USD if they are planning to use it only for a month; however, they need to transfer 299 USD to get it for a lifetime. FormBook is usually purchased/rented with the intention of stealing information from victims and then selling it expensively on the black market. Also, it might be used to steal specific details from specific users. Research has clearly shown that this infection can take screenshots, launch commands, clear browser cache and cookies, reboot/shut down the compromised machine, steal passwords, and download/execute files. Even though it works as an infostealer, it is not a full-fledged banking malware, specialists say.

Researchers working at anti-spyware-101.com say that this Trojan is one of the most harmful threats they have analyzed recently. It is extremely sophisticated as well, according to them. It has been observed that it can use any extension, e.g. .exe, .com, .pif, .cmd, etc. to hide itself on victims’ computers. Also, even though it has been designed to hide in %ProgramFiles%, %CommonProgramFiles%, %USERPROFILE%, %APPDATA%, or %TEMP% directories, it might work from a different directory, specialists say, which is why it is so hard to erase it from the affected system manually. It is not very easy to get rid of this Trojan in a manual way also because it makes modifications in the system registry. Finally, it might inject itself into a random Windows component, e.g. autoconv.exe, services.exe, and control.exe. No matter how sophisticated this infection is, it must be erased ASAP. The last paragraph of this article focuses on its removal, so continue reading if you have discovered FormBook on your PC and want to erase it.

Where does FormBook come from?

As mentioned at the beginning of this report, FormBook might be spread via PDFs, DOC and XLS files, and archive files; however, it does not mean that other distribution methods cannot be used to spread it either. Researchers say that this Trojan might even pretend to be a cracker or a keygen. Stay away from suspicious emails with attachments and download software only from trustworthy pages in order not to discover malware on your computer. Additionally, make sure your security software is always enabled on your computer.

How to delete FormBook

You must erase FormBook from your system as soon as possible if it has already turned out that you have it active on your system. It will be extremely difficult to erase it manually because it has a bunch of components, so we highly recommend that you use an automated antimalware tool to clean your system this time. If you still decide to erase it manually, follow the step-by-step removal guide you will find if you scroll down. You cannot leave a single malicious component active if you do not want this threat to continue performing malicious activities on your computer.

FormBook removal guide

  1. Open Registry Editor (press Win+R, type regedit in the command line, and click OK).
  2. Open the following registry keys and search for malicious Values associated with FormBook:
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  1. Right-click on the malicious Value and select Delete.
  2. If you find malicious Values, check locations they are pointing to and remove malicious components.
  3. Close Registry Editor and tap Win+E.
  4. Go to %ProgramFiles%, %CommonProgramFiles%, %USERPROFILE%, %APPDATA%, and %TEMP% directories.
  5. Remove malicious files.
  6. Empty Trash.
  7. Scan your system with an antimalware scanner in order not to leave any malicious components active.
100% FREE spyware scan and
tested removal of FormBook*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *