Closed Bug 292835 Opened 21 years ago Closed 20 years ago

virus infection by simply opening a malicious web page

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: vgrinberg, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Simply opening zhopa.net results in a viral process running, and dropping a payload. In my case the payload has been detected by AVG and deleted. The initial viral process seems to run (according to Task Manager) from the binary called bitmap.tmp. What's particularly bad about this, is that there is no user interaction required to run a binary off of a malicious web site.

Reproducible: Always

Steps to Reproduce:
Have AVG antivirus installed
Have Task Manager open
1. Type zhopa.net in address bar and hit enter
2. Watch your box get infected
3. Enjoy:-)

Actual Results:
1. Task manager briefly shows "bitmap.tmp" process. The process seems to run only briefly, so Task Manager won't show it every time, you might have to try it several times
2. AVG antivirus reports infected file "sbar[1]" in the cache directory, which gets deleted all by itself.
3. AVG antivirus reports infected file C:\WINDOWS\system32\t.exe.

Expected Results:
:-)

Which JRE version do you use? (see "about:plugins" as URL)

(In reply to comment #0)
> 2. AVG antivirus reports infected file "sbar[1]" in the cache directory, which
> gets deleted all by itself.

Are you sure this was caused by Firefox? Firefox doesn't create Cache files like this, Cache files in FF are normally named like this (for example) FA123DC4d01; that file name looks like it's coming from IE Cache.

Unable to reproduce. No new information, marking as WORKSFORME.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME