SYMPTOMS:
Presence of the:
"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
files in the Mozilla Firefox's plugins and chrome folders.
TECHNICAL DESCRIPTION:
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.
It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials.
akbank.com
caixasabadell.net
credem.it
areasegura.banif.es
banca.cajaen.es
openbank.es
poste.it
banesto.es
carnet.cajarioja.es
gruposantander.es
intelvia.cajamurcia.es
net.kutxa.net
bancopastor.es
bancamarch.es
caixamanlleu.es
elmonte.es
ibercajadirecto.com
bancopopular.es
bancogallego.es
bancajaproximaempresas.com
caixa*.es
caja*.es
ccm.es
bancoherrero.com
bankoa.es
bbvanetoffice.com
bgnetplus.com
bv-i.bancodevalencia.es
clavenet.net
fibancmediolanum.es
sabadellatlantico.com
arquia.es
banking.*.de
westpac.com.au
adelaidebank.com.au
pncs.com.au
nationet.com
online.hbs.net.au
www.qccu.com.au
boq.com.au
banksa.com
anz.com
suncorpmetway.com.au
quiubi.it
cariparma.it
bancaintesa.it
popso.it
fmbcc.bcc.it
secservizi.it
bancamediolanum.it
csebanking.it
fineco.it
gbw2.it
gruppocarige.it
in-biz.it
isideonline.it
iwbank.it
bancaeuro.it
bancagenerali.it
bcp.it
unibanking.it
uno-e.com
unipolbanca.it
carifvg.com
cariparo.it
carisbo.it
islamic-bank.com
banking.first-direct.com
natwestibanking.com
itibank.co.uk
co-operativebank.co.uk
lloydstsb.co.uk
mybankoffshore.alil.co.im
abbeynational.co.uk
mybusinessbank.co.uk
barclays.com
online.co.uk
my.if.com
anbusiness.com
hsbc.co
anbusiness.com
co-operativebankonline.co.uk
halifax-online.co.uk
ibank.cahoot.com
smile.co.uk
caterallenonline.co.uk
tdcanadatrust.com
schwab.com
wachovia.com
bankofamerica
kfhonline.com
wamu.com
wellsfargo.com
procreditbank.bg
chase.com
53.com
citizensbankonline.com
e-gold.com
paypal.com
usbank.com
suntrust.com
banquepopulaire.fr
onlinebanking.nationalcity.com
It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment.
Removal instructions:
Close the Firefox browser (if opened).
Please let BitDefender disinfect your files.
ANALYZED BY:
Marusceac Claudiu Florin, virus researcher