Mozilla warns over Firefox Trojan

Started by Simon, Oct 27, 2010, 12:17:22

Simon

Mozilla has warned about a critical zero-day vulnerability affecting Firefox 3.5 and Firefox 3.6 users.

"We have received reports from several security research firms that have found exploit code leveraging this vulnerability in the wild," Mozilla said on its security blog.

According to Mozilla, the problem first surfaced on the Nobel Peace Prize website. Access to that site has now been blocked, but the browser developer warned that other sites could be infected and said "users who visited an infected site could have been affected by the malware".

Read more: http://www.pcpro.co.uk/news/security/362266/mozilla-warns-over-firefox-trojan
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

It's time to have one machine for accessing the web, independent of all others on a network. :(
Rik
--------------------


Baz

What was the trojan name?


I had some bother yesterday and got hit with something somehow :dunno: :dunno: Don't know how, as it's very rare for me to even get warnings. NOD kept blocking something, I got about 45 failed-to-send email messages... nothing I had sent... my system slowed to a crawl and Task Manager was showing CPU usage as 100% :o :o

Eventually got an AV scan/spyware/malware done and it found some variant of the Win32/Ramnit virus.

I didn't even have any system restore points showing, so couldn't do that.

Weird.


Steve

Ramnit.A seems pretty nasty and not easy to get rid of; it can even spread to external drives :eek4:
Steve
------------

Rik

I really am beginning to think of having a net machine which I image up in Acronis and then just re-install if there's a problem. Isolate it from other machines on the network, but give it access to printers. :shake:
Rik
--------------------


DorsetBoy

Dual boot with Linux ............. internet access via Linux and Windows for everything else.

Rik

That would be another way, certainly.  :thumb:
Rik
--------------------


MisterW

Or a VM using VirtualBox (or VMware). Make a snapshot of the VM (before doing anything!) and then if needs be just restore from the snapshot.

Or even simpler, just keep a Linux Live CD and boot it up for browsing etc.

Rik

Plenty of good ideas to chew on there. Thanks.  :thumb:
Rik
--------------------


pctech

Likely to break your teeth if you chew on a CD.  ;D

Technical Ben

Quote from: Rik on Oct 27, 2010, 12:32:36
It's time to have one machine for accessing the web, independent of all others on a network. :(
Or a VM machine. Windows 7 almost does this now. However, there is always the "I'll transfer that download to"... BAM Virus.
I used to have a signature, then it all changed to chip and pin.

Baz

Quote from: Steve on Oct 28, 2010, 18:44:30
Ramnit.A seems pretty nasty and not easy to get rid of; it can even spread to external drives :eek4:

DAMN :mad: :mad: :mad: :mad: :mad:

Got hit with that somehow and can't get system running well at all. Every time I plug in to router my CPU usage shoots up to 100% and slows everything down. No malware finds or spyware, but had loads of AV infiltrations. Got rid of them, I think, but still having trouble.

HELP!!!!!!!!!

Glenn

Quote from: Steve on Oct 28, 2010, 18:44:30
Ramnit.A seems pretty nasty and not easy to get rid of; it can even spread to external drives :eek4:

I spent 4 hours with this worm (W32/Ramnit.A!htm) today, I'm sad to say, it beat me.  :mad: The laptop is being rebuilt.
Glenn
--------------------


DorsetBoy

Quote from: Baz on Oct 29, 2010, 20:36:15
DAMN :mad: :mad: :mad: :mad: :mad:

Got hit with that somehow and can't get system running well at all. Every time I plug in to router my CPU usage shoots up to 100% and slows everything down. No malware finds or spyware, but had loads of AV infiltrations. Got rid of them, I think, but still having trouble.

HELP!!!!!!!!!

http://forums.techguy.org/virus-other-malware-removal/938626-win32-ramnit-worm-hijack-log.html   Look at Combofix.

http://www.google.co.uk/search?client=opera&rls=en&q=Ramnit.A&sourceid=opera&ie=utf-8&oe=utf-8

pctech

Oh dear, seems the malware authors are becoming brighter by the day.


DorsetBoy

Quote from: Glenn on Oct 29, 2010, 20:41:36
I spent 4 hours with this worm (W32/Ramnit.A!htm) today, I'm sad to say, it beat me.  :mad: The laptop is being rebuilt.


http://forums.techguy.org/virus-other-malware-removal/938626-win32-ramnit-worm-hijack-log.html       COMBOFIX is said to be what you need.

Glenn

Now why couldn't I find that this morning?  :blush:
Glenn
--------------------


Baz

How do I save it to my desktop if I can't get online as the computer is slow as

pctech

If you can get to the page, right-click the link and select Save Target As.../Save Link As... If accessing from a mobile you might have a bit of trouble.


pctech

Might be an idea to try booting in Safe Mode (start PC and keep tapping F8 until you get the startup menu), select Safe Mode with Networking and go direct to that site.


Baz

I got it on a pendrive, thanks, and it's struggling to download whatever it needs from M/Soft.


My main problem is why my CPU usage is 100%. Nothing is running in background but it shoots right up as soon as I plug in to router.

Baz

Does this Combofix actually fix a problem or just give a log file?


pctech

Pass, FF patched itself earlier so am immune from the pox so luckily not had to run it.


Baz

Well, I don't know what happened or what I've done but it's running now... to a certain degree. But here's a strange one: was on Google and clicked a link and CPU usage shot right up to 100% again and it took me to some totally random site, not the one I wanted. So I tried again with a Google search of 'Dogs', clicked a link, any one, and again I got some wild site full of ads. It only does this 100% thing on Google it seems at the moment. :dunno:

Any ideas? There's something still not right with my system somewhere. I have the latest version of FF in case it was that, just got it tonight.

Simon

You seem to have some malware on board, Baz.  Suggest Super AntiSpyware and / or Malwarebytes. 
Simon.
--

DorsetBoy

Try these online scanners Baz :

http://www.eset.com/online-scanner


http://housecall.trendmicro.com/uk/


http://www.pandasecurity.com/activescan/index/?track=100737

The problem with a lot of the worm-type infections is that they need manual removal from the registry.

Baz

Thanks guys, will try those links if I get running again. Have both those progs, Simon, and Malware did find something, but today as soon as I booted up I got the same 100% CPU usage problem. Ran Combofix again but now I'm stuck on the Windows welcome screen  :mad:

It's getting annoying now. Can't even get it to run so I can save files and stuff and do a clean install.


DorsetBoy

Quote from: Rik on Oct 28, 2010, 18:46:49
I really am beginning to think of having a net machine which I image up in Acronis and then just re-install if there's a problem. Isolate it from other machines on the network, but give it access to printers. :shake:

A simple answer that certainly works is the new Avast Internet Suite which offers a superb Sandbox virtualisation system for any application you choose.

I had shied away from any of the suites/AV-firewall combos due to the often dire effects on performance and the fact that many of them actually are proven to give less protection than many of the free offerings.

Wanting something else to do I have over the last couple of weeks tried applications from the top of the VB100 list. G-Data, Ikarus and TrustPort. G-Data and TrustPort had several applications, each of which I found to be hopeless as they bogged down my system to the point of being unusable.

Having gone back to Avast5 Free the GUI has been carrying an upgrade offer, 50% discount time limited, for their new suite. So for the last few days the trial version has been running on 2 machines here and I have to say it is excellent. There is zero lag even running a browser in Sandbox mode.

This system means you can visit suspect (or even known bad sites) and your system is secure from attack and any application you are unsure of can be run in the Sandbox to check its function without it being able to execute on your machine. 

( To get the 50% upgrade discount it looks like you need to install the free version first)


Baz

Well... here I go again, trying to get the thing running that is  ;D. Had to do a clean install so I'm in the process of getting it back to how I like it, so beware of lots of daft questions in the next few days  ;)


Starting with: how do I change the keyboard to English one? At the moment I can't type some symbols, the 'at' one for example types as this  "  I just can't remember how to do it  :blush:

;D

Rik

Control Panel > Regional & Language options, Baz.
Rik
--------------------


Baz

Tried that but didn't see anything connected with the keyboard. Have the country correct, does it need a restart?

Rik

That should knock through to the keyboard as I recall it, Baz. Reboot anyway.
Rik
--------------------


pctech

Booting into Safe Mode should stop it from loading as chances are it's added a registry key to start itself as a system service.


Baz

XP Dorset if you have any tips for me but......@@@@@@@ I found it thanks. That daft EN symbol on the taskbar has a settings option in the menu.

Baz

Here's a question I just remembered: after a clean install do I need to activate windies again? Still using the same disc which has already been done whenever I got it. Will it stop working if I don't, and how do I stop the 'activate this now...' bubble showing up?

pctech

You can activate as many times as you need, the complication can occur if you change something such as your CPU as the hardware hash changes.


Gary

If you activate too many times and it's a retail version you may have to call in for a code to type in from what I recall.
Damned, if you do damned if you don't

zappaDPJ

Quote from: Gary on Nov 01, 2010, 12:16:29
If you activate too many times and it's a retail version you may have to call in for a code to type in from what I recall.

I've actually had cause to test that out recently with a retail copy of Vista. Long story short the PC would install and then fail to see the installation as valid due to what turned out to be a hardware fault. This happened at least five times, possibly as many as ten and every time Vista would authenticate with Microsoft.

I was rather surprised at that so I'm wondering just how many times you can reinstall or if there's a different criteria i.e. hardware mapping to a signature tied to the key.
zap
--------------------


Glenn

Quote from: Gary on Nov 01, 2010, 12:16:29
If you activate too many times and it's a retail version you may have to call in for a code to type in from what I recall.

If it is stored by MS, the same way as XP. Then after 6 months the records are deleted, so the codes will work again, without need to contact MS.
Glenn
--------------------
