Generic.dx!707DA3A8

This page shows the details and results of our analysis of the malware Generic.dx!707DA3A8.

Overview

This malware attempts to obtain password information when users browse to certain Web sites by disguising itself as a Firefox plugin.


Aliases

  • Trojan.PWS.ChromeInject.B (BitDefender)

Minimum DAT

5436 (2008-11-16)

Updated DAT

5436 (2008-11-16)

Minimum Engine

5.2.00

File Length

22,016 bytes

Description Added

2008-12-04

Description Modified

2008-12-06

Malware Proliferation

Characteristics

-- Update December 4, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/12/04/firefox_plug_in_trojan/

This malware is detected by McAfee as Generic.dx.

Once executed, this malware attempts to obtain credentials when an affected host browses to one of the following sites:

53.com
abbeynational.co.uk
adelaidebank.com.au
akbank.com
anbusiness.com
anz.com
areasegura.banif.es
arquia.es
banca.cajaen.es
bancaeuro.it
bancagenerali.it
bancaintesa.it
bancajaproximaempresas.com
bancamarch.es
bancamediolanum.it
bancogallego.es
bancoherrero.com
bancopastor.es
bancopopular.es
banesto.es
banking.*.de
banking.first-direct.com
bankoa.es
bankofamerica
banksa.com
banquepopulaire.fr
barclays.com
bbvanetoffice.com
bcp.it
bgnetplus.com
boq.com.au
bv-i.bancodevalencia.es
caixa*.es
caixamanlleu.es
caixasabadell.net
caja*.es
carifvg.com
cariparma.it
cariparo.it
carisbo.it
carnet.cajarioja.es
caterallenonline.co.uk
ccm.es
chase.com
citizensbankonline.com
clavenet.net
co-operativebank.co.uk
co-operativebankonline.co.uk
credem.it
csebanking.it
e-gold.com
elmonte.es
fibancmediolanum.es
fineco.it
fmbcc.bcc.it
gbw2.it
gruposantander.es
gruppocarige.it
gruppocarige.it/grps/vbank/jsp/login.jsp
halifax-online.co.uk
hsbc.co
ibank.cahoot.com
ibercajadirecto.com
in-biz.it
intelvia.cajamurcia.es
isideonline.it
islamic-bank.com
itibank.co.uk
iwbank.it
kfhonline.com
lloydstsb.co.uk
my.if.com
mybankoffshore.alil.co.im
mybusinessbank.co.uk
nationet.com
natwestibanking.com
net.kutxa.net
online.co.uk
online.hbs.net.au
onlinebanking.nationalcity.com
openbank.es
paypal.com
pncs.com.au
popso.it
poste.it
procreditbank.bg
quiubi.it
sabadellatlantico.com
schwab.com
secservizi.it
smile.co.uk
suncorpmetway.com.au
suntrust.com
tdcanadatrust.com
unibanking.it
unipolbanca.it
uno-e.com
usbank.com
wachovia.com
wamu.com
wellsfargo.com
westpac.com.au
www.qccu.com.au
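
For incident response, the practical question after finding this Trojan on a host is which of the sites above the user actually visited while infected, since those are the credentials to treat as exposed. The script below is an added example, not part of the original description: it takes a subset of the target list above and runs proxy log lines against it. The description does not say how the Trojan itself matches sites, so treating a plain entry as a substring of host plus path, and an entry containing '*' as a glob on the host name, is an assumption made here; the log format and the log lines are constructed for the example.

```python
import fnmatch
from urllib.parse import urlsplit

# Subset of the target list from the description above.  Entries with a
# '*' are treated as globs against the host name; any other entry is
# treated as a substring of host+path.  The description does not state
# the rule the Trojan itself applies, so that is an assumption here.
TARGET_PATTERNS = [
    "53.com",
    "banking.*.de",
    "bankofamerica",
    "caixa*.es",
    "chase.com",
    "gruppocarige.it",
    "gruppocarige.it/grps/vbank/jsp/login.jsp",
    "hsbc.co",
    "paypal.com",
    "wellsfargo.com",
]


def normalise(url: str) -> str:
    """Lower-cased host followed by the path; scheme and port are dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path


def matching_patterns(url: str, patterns=TARGET_PATTERNS) -> list:
    """Every target pattern the URL hits, in list order."""
    target = normalise(url)
    host = target.split("/", 1)[0]
    hits = []
    for pat in patterns:
        if "*" in pat:
            # glob against the bare host and against any subdomain of it
            if fnmatch.fnmatchcase(host, pat) or fnmatch.fnmatchcase(host, "*." + pat):
                hits.append(pat)
        elif pat in target:
            hits.append(pat)
    return hits


# Constructed proxy log lines (not a specific proxy's format):
# "<epoch> <client> <method> <url>".
SAMPLE_PROXY_LOG = """\
1228348800.101 10.0.0.12 GET https://www.chase.com/online/logon
1228348801.337 10.0.0.12 GET https://example.org/index.html
1228348802.902 10.0.0.12 GET http://banking.beispielbank.de/app/login
1228348803.455 10.0.0.12 GET https://www.hsbc.co.uk/1/2/
1228348804.013 10.0.0.12 GET https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
"""


def exposed_sites(log_text: str, patterns=TARGET_PATTERNS) -> dict:
    """Map each visited URL that hits the target list to the patterns it matched."""
    exposed = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        hits = matching_patterns(url, patterns)
        if hits:
            exposed[url] = hits
    return exposed


if __name__ == "__main__":
    for url, hits in exposed_sites(SAMPLE_PROXY_LOG).items():
        print(f"{url} -> {hits}")
```

Substring matching is deliberately loose because several entries in the list are loose themselves ("hsbc.co" covers hsbc.com and hsbc.co.uk, "online.co.uk" covers a great deal), so expect to review the hits by hand rather than treat every match as a confirmed exposure.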

System Changes

These are the general defaults for the path variables used below (they may differ on a given system, but these values are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll
%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js
%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.xul
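
The three paths above are the file indicators for this Trojan. The script below is an added example, not part of the original description or of any McAfee tool: it checks a list of file paths (from a live host or from a file listing exported from a disk image) for those indicators, matching on the path suffix so that drive letter, slash direction and case do not matter. The sample listing is constructed; the default %ProgramFiles% value is the one the description gives.

```python
import os
from pathlib import Path, PureWindowsPath

# The three files the description lists as added by this Trojan, relative
# to %ProgramFiles%.  Matching is done on the path suffix so the same check
# works on a live host and on a file listing exported from a disk image.
INDICATORS = (
    r"Mozilla Firefox\plugins\npbasic.dll",
    r"Mozilla Firefox\chrome\chrome\content\browser.js",
    r"Mozilla Firefox\chrome\chrome\content\browser.xul",
)


def _norm(path: str) -> str:
    """Windows-style, lower-cased form so '/' vs '\\' and case do not matter."""
    return str(PureWindowsPath(path)).lower()


def match_indicators(paths) -> list:
    """Return (path, indicator) pairs for every path ending in an indicator suffix."""
    hits = []
    for p in paths:
        n = _norm(p)
        for ind in INDICATORS:
            # require a separator before the suffix so a longer directory
            # name that merely ends in 'Mozilla Firefox' cannot match
            if n.endswith("\\" + _norm(ind)):
                hits.append((p, ind))
    return hits


def scan_live(program_files: str = None) -> list:
    """Walk the Firefox install directory on this host and report indicator files.

    Uses %ProgramFiles% from the environment, falling back to the default the
    description gives; returns an empty list when the directory does not exist."""
    base = Path(program_files or os.environ.get("ProgramFiles", r"C:\Program Files"))
    install_dir = base / "Mozilla Firefox"
    if not install_dir.is_dir():
        return []
    listing = [str(p) for p in install_dir.rglob("*") if p.is_file()]
    return match_indicators(listing)


# Constructed file listing, in the shape a forensic tool might export.
SAMPLE_LISTING = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mozilla Firefox\plugins\npnul32.dll",
    r"C:\Program Files\Mozilla Firefox\plugins\npbasic.dll",
    "C:/Program Files/Mozilla Firefox/chrome/chrome/content/browser.js",
    r"C:\Program Files\Mozilla Firefox\chrome\browser.jar",
]

if __name__ == "__main__":
    for path, ind in match_indicators(SAMPLE_LISTING):
        print(f"INDICATOR {ind!r} present in listing: {path}")
    for path, ind in scan_live():
        print(f"INDICATOR {ind!r} present on this host: {path}")
```

A hit on any of the three paths is enough to warrant the engine and DAT scan described under Removal; the file sizes of the hits are worth recording alongside the 22,016-byte length given above for the detected sample.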

Symptoms

  • Presence of file(s) as previously mentioned.
  • Unexpected network connections.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also installed via web exploits.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following additional steps need to be taken.

Use the Microsoft Recovery Console to restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Remove the CD from the CD-ROM drive and restart the computer.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Remove the CD from the CD-ROM drive and restart the computer.

Variants