Content

Generic.dx!707DA3A8

Type
Trojan
SubType
Password Stealer
Discovery Date
12/04/2008
Length
22,016 bytes
Minimum DAT
5436 (11/16/2008)
Updated DAT
5436 (11/16/2008)
Minimum Engine
5.2.00
Description Added
12/04/2008
Description Modified
12/06/2008 8:32 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update December 4, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/12/04/firefox_plug_in_trojan/

This malware is detected by McAfee as Generic.dx.

Once executed, this malware attempts to obtain credentials when an affected host browses to one of the following sites:

53.com
abbeynational.co.uk
adelaidebank.com.au
akbank.com
anbusiness.com
anz.com
areasegura.banif.es
arquia.es
banca.cajaen.es
bancaeuro.it
bancagenerali.it
bancaintesa.it
bancajaproximaempresas.com
bancamarch.es
bancamediolanum.it
bancogallego.es
bancoherrero.com
bancopastor.es
bancopopular.es
banesto.es
banking.*.de
banking.first-direct.com
bankoa.es
bankofamerica
banksa.com
banquepopulaire.fr
barclays.com
bbvanetoffice.com
bcp.it
bgnetplus.com
boq.com.au
bv-i.bancodevalencia.es
caixa*.es
caixamanlleu.es
caixasabadell.net
caja*.es
carifvg.com
cariparma.it
cariparo.it
carisbo.it
carnet.cajarioja.es
caterallenonline.co.uk
ccm.es
chase.com
citizensbankonline.com
clavenet.net
co-operativebank.co.uk
co-operativebankonline.co.uk
credem.it
csebanking.it
e-gold.com
elmonte.es
fibancmediolanum.es
fineco.it
fmbcc.bcc.it
gbw2.it
gruposantander.es
gruppocarige.it
gruppocarige.it/grps/vbank/jsp/login.jsp
halifax-online.co.uk
hsbc.co
ibank.cahoot.com
ibercajadirecto.com
in-biz.it
intelvia.cajamurcia.es
isideonline.it
islamic-bank.com
itibank.co.uk
iwbank.it
kfhonline.com
lloydstsb.co.uk
my.if.com
mybankoffshore.alil.co.im
mybusinessbank.co.uk
nationet.com
natwestibanking.com
net.kutxa.net
online.co.uk
online.hbs.net.au
onlinebanking.nationalcity.com
openbank.es
paypal.com
pncs.com.au
popso.it
poste.it
procreditbank.bg
quiubi.it
sabadellatlantico.com
schwab.com
secservizi.it
smile.co.uk
suncorpmetway.com.au
suntrust.com
tdcanadatrust.com
unibanking.it
unipolbanca.it
uno-e.com
usbank.com
wachovia.com
wamu.com
wellsfargo.com
westpac.com.au
www.qccu.com.au
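The list above is the trojan's target watchlist, and it doubles as a detection asset: the same entries can be run against proxy or DNS logs to find hosts that visited a targeted site during the infection window. The script below is an added example, not part of the McAfee description or of the malware, and it assumes a matching rule the description does not state: each entry is treated as a case-insensitive substring of the full URL, with `*` matching any run of characters inside one host or path component. Only a representative subset of the list is embedded, and the log lines are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Representative subset of the target list in the description above
# (the full list is about a hundred entries; the trailing comma on
# "akbank.com," in the original is a typo and is dropped here).
TARGETS = [
    "banking.*.de", "bankofamerica", "caixa*.es", "caja*.es",
    "gruppocarige.it/grps/vbank/jsp/login.jsp", "hsbc.co",
    "online.co.uk", "paypal.com", "wellsfargo.com", "akbank.com",
]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn one watchlist entry into a compiled regex.

    Assumption (not stated in the description): entries match as
    case-insensitive substrings of the full URL, and '*' stands for any
    run of characters that does not cross a '/', '?' or '#'.
    """
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile(r"[^/?#\s]*".join(parts), re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in TARGETS]


def matching_targets(url: str) -> List[str]:
    """Return every watchlist entry that matches this URL, in list order."""
    return [p for p, rx in COMPILED if rx.search(url)]


# Constructed proxy log lines (not real traffic): "timestamp client url".
SAMPLE_LOG = """\
2008-12-04T09:12:01Z 10.0.0.15 https://www.paypal.com/cgi-bin/webscr?cmd=_login-run
2008-12-04T09:12:07Z 10.0.0.15 https://banking.sparkasse-koeln.de/portal/login
2008-12-04T09:13:44Z 10.0.0.22 http://www.example.org/news
2008-12-04T09:15:02Z 10.0.0.22 https://www.hsbc.com/personal
2008-12-04T09:16:30Z 10.0.0.31 https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
"""


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, url, matched_entries) for each line that hits the watchlist."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        _ts, client, url = line.split(None, 2)
        matched = matching_targets(url.strip())
        if matched:
            hits.append((client, url.strip(), matched))
    return hits


if __name__ == "__main__":
    for client, url, matched in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {url}  matched {matched}")
```

Note how broad some entries are: hsbc.co also matches hsbc.com, and online.co.uk would match any UK host with that suffix, so expect noisy hits and treat a match as a reason to look at the client, not as proof that credentials were taken.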

System Changes

These are the usual defaults for the path variables used below (they may differ on a given system, but these values are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll
%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js
%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.xul
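Checking for the dropped files above is the quickest host-side triage step. The scanner below is an added example, not McAfee's tool, and assumes a Firefox install root supplied by the caller (defaulting to %ProgramFiles%\Mozilla Firefox). It reports the three named paths and, going one step beyond the list above, any other loose .js or .xul file under chrome\chrome, on the assumption that a stock Firefox 3-era install packs its chrome into .jar files under chrome\ and creates no chrome\chrome\content directory. build_sample_install() fabricates a throwaway directory tree with placeholder files so the scanner can be exercised without a sample.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Indicators from the "System Changes" list above, relative to the Firefox install root.
DROPPED_FILES = [
    Path("plugins") / "npbasic.dll",
    Path("chrome") / "chrome" / "content" / "browser.js",
    Path("chrome") / "chrome" / "content" / "browser.xul",
]

OVERLAY_SUFFIXES = (".js", ".xul")


def scan_firefox_install(root) -> List[dict]:
    """Report indicators found under a Firefox install directory.

    One record per finding: relative path, size in bytes and the reason it
    was flagged. Besides the three exact paths, any loose .js/.xul file
    under chrome/chrome is reported (assumption: stock Firefox 3 builds keep
    chrome packed in .jar files, so unpacked overlay files there are anomalous
    whatever they are named).
    """
    root = Path(root)
    findings = []
    seen = set()
    for rel in DROPPED_FILES:
        full = root / rel
        if full.is_file():
            findings.append({"path": str(rel), "size": full.stat().st_size,
                             "reason": "file named in the description"})
            seen.add(full.resolve())
    overlay_dir = root / "chrome" / "chrome"
    if overlay_dir.is_dir():
        for full in sorted(overlay_dir.rglob("*")):
            if (full.is_file() and full.suffix.lower() in OVERLAY_SUFFIXES
                    and full.resolve() not in seen):
                findings.append({"path": str(full.relative_to(root)),
                                 "size": full.stat().st_size,
                                 "reason": "loose chrome overlay file"})
    return findings


def build_sample_install() -> Path:
    """Create a constructed, throwaway Firefox-like tree for demonstration.

    Contains the three dropped paths plus one extra overlay file and a
    packed browser.jar that must not be flagged. Contents are placeholders,
    not the malware.
    """
    root = Path(tempfile.mkdtemp(prefix="ff-ioc-"))
    extra = Path("chrome") / "chrome" / "content" / "extra.js"
    for rel in DROPPED_FILES + [extra]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"placeholder\n")
    (root / "chrome" / "browser.jar").write_bytes(b"PK")
    return root


# Default location per the path variables above; a hypothetical default, adjust as needed.
DEFAULT_ROOT = Path(os.environ.get("ProgramFiles", r"C:\Program Files")) / "Mozilla Firefox"


if __name__ == "__main__":
    target = DEFAULT_ROOT if DEFAULT_ROOT.is_dir() else build_sample_install()
    for f in scan_firefox_install(target):
        print(f"{f['path']}  {f['size']} bytes  ({f['reason']})")
```

The size column is there so a found file can be compared with the 22,016-byte length in the header; the description does not say which of the dropped files that figure refers to, so treat a mismatch as inconclusive rather than as a clean bill of health.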

Symptoms

  • Presence of file(s) as previously mentioned.
  • Unexpected network connections.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain variants have also been installed via web exploits.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview

This malware attempts to obtain password information when users browse to certain Web sites by disguising itself as a Firefox plugin.

Aliases

  • Trojan.PWS.ChromeInject.B (BitDefender)
