A family of Trojans designed to send out spam messages. Trojan.OneX.1 replaces messages sent by the user via Facebook chat with lines from the configuration file downloaded by the Trojan from a remote server.
The malware checks whether a copy of itself is already running by testing for the 1xfbmain mutex. It then looks for firefox, IEXPLORE, and iexplore processes and, using a mutex that incorporates the process PID, injects itself into these processes and passes control to a special procedure. Once an hour the malicious program downloads an updated configuration file. When running inside IE, Trojan.OneX.1 intercepts the InternetWriteFile function; when running inside Firefox, it intercepts the PR_Write function from nspr4.dll.
Trojan.OneX.2 targets the pidgin, skype, msnmsgr, aim, icq.exe, yahoom, ymsg_tray.exe, googletalk, and xfire.exe processes. Unlike Trojan.OneX.1, it can use configuration data in Unicode format.
Depending on which IM clients the Trojan detects, messages are sent using different algorithms; in every case, mouse and keyboard input is blocked.
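The names above can be used for host triage. The following is an added example, not part of the original description: it scans an inventory of open handles for the 1xfbmain mutex and, when it is present, lists the browser and IM client processes to inspect. The pid,image,handle_type,object_name row format, the sample rows, and the function names are assumptions made for illustration.

```python
import ntpath

# Names taken from the description above.
MARKER_MUTEX = "1xfbmain"                      # single-instance mutex
ONEX1_TARGETS = {"firefox", "iexplore"}        # browsers injected by Trojan.OneX.1
ONEX2_TARGETS = {"pidgin", "skype", "msnmsgr", "aim", "icq", "yahoom",
                 "ymsg_tray", "googletalk", "xfire"}  # IM clients used by Trojan.OneX.2

# Constructed sample rows: pid,image,handle_type,object_name (assumed export format).
SAMPLE = r"""
812,sample.exe,Mutant,\Sessions\1\BaseNamedObjects\1xfbmain
2044,firefox.exe,Mutant,\Sessions\1\BaseNamedObjects\FirefoxStartupMutex
3120,IEXPLORE.EXE,File,C:\Windows\System32\wininet.dll
3500,notepad.exe,Mutant,\Sessions\1\BaseNamedObjects\my1xfbmainbackup
4012,Skype.exe,Section,\Sessions\1\BaseNamedObjects\SkypeShared
"""

def object_leaf(object_name):
    """Drop the namespace prefix (session path, Global\\, Local\\); keep case, names are case-sensitive."""
    return object_name.rsplit("\\", 1)[-1]

def image_stem(image):
    """Lower-cased image name without path or .exe, so IEXPLORE.EXE and iexplore compare equal."""
    name = ntpath.basename(image).lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(inventory):
    holders, browsers, im_clients = set(), set(), set()
    for line in inventory.strip().splitlines():
        pid, image, handle_type, object_name = line.split(",", 3)
        stem = image_stem(image)
        if stem in ONEX1_TARGETS:
            browsers.add((int(pid), stem))
        if stem in ONEX2_TARGETS:
            im_clients.add((int(pid), stem))
        # Exact leaf match only. The per-process mutex built from the PID is not
        # matched because the description does not give its name format.
        if handle_type == "Mutant" and object_leaf(object_name) == MARKER_MUTEX:
            holders.add((int(pid), image))
    found = bool(holders)
    # Target processes matter only on a host where the marker mutex exists.
    return {"marker_present": found,
            "marker_holders": sorted(holders),
            "inspect_browsers": sorted(browsers) if found else [],
            "inspect_im_clients": sorted(im_clients) if found else []}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A mutex whose name merely contains the string, such as the constructed my1xfbmainbackup row, is not reported.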