Closed
Bug 516112
Opened 15 years ago
Closed 8 years ago
find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: chofmann, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: user-doc-needed)
I've been seeing a strange .dll show up as the crash point where many users also comment in Socorro that they believe their system has been infected with malware.
here are some examples of reports
1AD5B854.x86.dll@0x4182
does this crash have to do with a virus?
http://www.tazinga.com/directory/results/how%20to%20play%20dire%20dire%20docks?_session_id=201790494c8fcbc7aaa664c16e7dc873
Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 3
20090907-crashdata.csv http://crash-stats.mozilla.com/report/index/66cc8b83-ffb5-4cd5-abbc-8f1342090906
41E9DDBC.x86.dll@0x4182
Got a friggin huge virus I guess...
http://btcar.com/
Firefox 3.0.13 Windows NT 5.1.2600 Service Pack 3
20090902-crashdata.csv http://crash-stats.mozilla.com/report/index/95d9924d-afa6-47bc-8b54-70b9e2090901
445BB8EC.x86.dll@0x4182
Virus?
http://www.google.com/search?q=ceo&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Firefox 3.5.2 Windows NT 6.0.6001 Service Pack 1
20090903-crashdata.csv http://crash-stats.mozilla.com/report/index/5c99ee98-a04b-4818-9531-616d72090902
@0x0 | nsGetInterface::operator()(nsID const&, void**)
virus
Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 2
20090902-crashdata.csv http://crash-stats.mozilla.com/report/index/de0f1f81-1b87-4f96-a499-6def62090901
@0x1162cd7
I think we have some viruses on this computer, can you guys help us?
Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 3
20090906-crashdata.csv http://crash-stats.mozilla.com/report/index/64f48da1-28ce-4563-bff7-6f7f32090905
@0x8feedb7f
probably a virus?
Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 2
20090906-crashdata.csv http://crash-stats.mozilla.com/report/index/a1d5ea6f-6d54-4fb8-9c6d-b671c2090905
here is a more comprehensive sample signature list of all *.x86.dll crashes from 9/1/2009
I wonder if there might be a way to wild card blocking of all this.
need a bit more research on what this .dll does, and if it is indeed using a modified .dll name (but crashing at the same address -> x86.dll@0x4182) to avoid detection by virus checkers.
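An added example, not part of the original report or of Mozilla's crash tooling: one way to wildcard these signatures for triage is to collapse the randomized eight-hex-digit module name to `*.x86.dll` and sum the reports by offset. The sample lines and module names below are constructed; they follow the `<count> <signature>` layout used in this bug.

```python
import re
from collections import Counter

# The module name is 8 hex digits + ".x86.dll" and differs per report,
# while the crash offset stays the same, so the name is treated as noise.
RANDOM_X86_DLL = re.compile(r"^[0-9A-Fa-f]{8}\.x86\.dll$")
FRAME = re.compile(r"^(?P<module>[^@\s]*)@(?P<offset>0x[0-9A-Fa-f]+)$")

def normalize_frame(frame):
    """Replace a randomized module name in one frame with '*.x86.dll'."""
    frame = frame.strip()
    m = FRAME.match(frame)
    if m and RANDOM_X86_DLL.match(m.group("module")):
        return "*.x86.dll@" + m.group("offset").lower()
    return frame  # named modules (e.g. Scxpx86.dll) and bare addresses are kept

def normalize_signature(signature):
    """Normalize every '|'-separated frame of a crash signature."""
    return " | ".join(normalize_frame(f) for f in signature.split("|"))

def cluster(lines):
    """Sum '<count> <signature>' lines by normalized signature."""
    totals = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        count, _, signature = line.partition(" ")
        if not count.isdigit():
            # No leading count: treat the whole line as a single report.
            count, signature = "1", line
        totals[normalize_signature(signature)] += int(count)
    return totals

# Constructed sample; the hex module names are made up for illustration.
SAMPLE = """\
3 0A1B2C3D.x86.dll@0x4182
2 DEADBEEF.x86.dll@0x4182
1 memcpy | 11223344.x86.dll@0x3b89
1 99887766.x86.dll@0x2f64
4 Scxpx86.dll@0x46ff9
1 @0x1162cd7
"""

if __name__ == "__main__":
    for sig, n in cluster(SAMPLE.splitlines()).most_common():
        print(f"{n:4d}  {sig}")
```

Clustering on the offset rather than the file name keeps the count stable even when the library renames itself.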
Comment 1 • 15 years ago (Reporter)
about a 25%-50% increase in these kinds of crashes since the start of Sept.
instances of x86.dll in 20090901-crashdata.csv 207
instances of x86.dll in 20090902-crashdata.csv 267
instances of x86.dll in 20090903-crashdata.csv 286
instances of x86.dll in 20090904-crashdata.csv 312
instances of x86.dll in 20090905-crashdata.csv 231
instances of x86.dll in 20090906-crashdata.csv 245
instances of x86.dll in 20090907-crashdata.csv 254
instances of x86.dll in 20090908-crashdata.csv 292
instances of x86.dll in 20090909-crashdata.csv 387
instances of x86.dll in 20090910-crashdata.csv 401
instances of x86.dll in 20090911-crashdata.csv 355
instances of x86.dll in 20090912-crashdata.csv 364
Comment 2 • 15 years ago (Reporter)
google searches for x86.dll indicate that the .dll renames itself after every reboot.
http://forums.spybot.info/showthread.php?p=332313
and it might be associated with Google search result links being redirected and the Trojan-Spy.Win32.Agent.azpj malware package.
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t256746.html
Trojan-Spy.Win32.Agent.azpj seems to block anti-virus packages and might also lock up Firefox.
http://forums.whatthetech.com/Urgent_Help_needed_Infected_Rootkit_trojan_Troan_Spy_oth_t106906.html
Updated • 15 years ago (Reporter)
Summary: find better protection against possibble virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll]
Updated • 15 years ago (Reporter)
Keywords: user-doc-needed
Comment 3 • 15 years ago (Reporter)
back in august we were getting less than 100 of these crashes per day.
Comment 4 • 15 years ago (Reporter)
new highs for these signatures in the last few days.
instances of x86.dll in 20090901-crashdata.csv 207
instances of x86.dll in 20090902-crashdata.csv 267
instances of x86.dll in 20090903-crashdata.csv 286
instances of x86.dll in 20090904-crashdata.csv 312
instances of x86.dll in 20090905-crashdata.csv 231
instances of x86.dll in 20090906-crashdata.csv 245
instances of x86.dll in 20090907-crashdata.csv 254
instances of x86.dll in 20090908-crashdata.csv 292
instances of x86.dll in 20090909-crashdata.csv 387
instances of x86.dll in 20090910-crashdata.csv 401
instances of x86.dll in 20090911-crashdata.csv 355
instances of x86.dll in 20090912-crashdata.csv 364
instances of x86.dll in 20090913-crashdata.csv 377
instances of x86.dll in 20090914-crashdata.csv 427
instances of x86.dll in 20090915-crashdata.csv 186
instances of x86.dll in 20090916-crashdata.csv 116
instances of x86.dll in 20090917-crashdata.csv 252
instances of x86.dll in 20090918-crashdata.csv 436
instances of x86.dll in 20090919-crashdata.csv 499
Summary: find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll]
Comment 5 • 15 years ago (Reporter)
ok, here is part of the explanation about the increase.
on Sept 15 it appears Symantec released a .dll to try and combat *x86.dll vulnerabilities, but now that .dll is crashing
[and zero crashes for Scxpx86.dll on previous days...]
0 total crashes for Scxpx86.dll@0x46ff9 on 20090912-crashdata.csv
0 total crashes for Scxpx86.dll@0x46ff9 on 20090913-crashdata.csv
0 total crashes for Scxpx86.dll@0x46ff9 on 20090914-crashdata.csv
0 total crashes for Scxpx86.dll@0x46ff9 on 20090915-crashdata.csv
20 total crashes for Scxpx86.dll@0x46ff9 on 20090916-crashdata.csv
26 total crashes for Scxpx86.dll@0x46ff9 on 20090917-crashdata.csv
114 total crashes for Scxpx86.dll@0x46ff9 on 20090918-crashdata.csv
134 total crashes for Scxpx86.dll@0x46ff9 on 20090919-crashdata.csv
here is the signature, OS, and Firefox version breakdown for Scxpx86 crashes
signature list
134 Scxpx86.dll@0x46ff9
2 Scxpx86.dll@0x1de1d
os breakdown
98 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 3
16 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 2
11 Scxpx86.dll@0x46ff9 Windows NT 6.0.6002 Service Pack 2
6 Scxpx86.dll@0x46ff9 Windows NT 6.0.6001 Service Pack 1
2 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Szervizcsomag 3
2 Scxpx86.dll@0x1de1d Windows NT 5.1.2600 Service Pack 3
1 Scxpx86.dll@0x46ff9 Windows NT 6.0.6000
distribution of all versions where the Scxpx86.dll crash was found on 20090919-crashdata.csv
100 Firefox 3.5.3
22 Firefox 3.0.14
7 Firefox 3.5.2
2 Firefox 3.0.8
2 Firefox 3.0.11
1 Firefox 3.5
1 Firefox 3.0.2
1 Firefox 3.0.10
ss/kev,
can you point a contact at Symantec at this info, or forward contact info and I can?
Updated • 15 years ago
Severity: normal → critical
Comment 6 • 15 years ago
getting a product contact for the A/V engine group. will update as soon as I have it.
Comment 7 • 15 years ago
Scxpx86.dll@0x47629 is ranked #52 on Fx 3.6.3 top crash list.
(3334 crash reports in the past two weeks)
Counting all branches, there were ~4800 in the past week, in Scxpx86.dll@*
OS: Mac OS X → Windows XP
Summary: find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]
Version: 3.5 Branch → unspecified
Comment 8 • 15 years ago
Any reason we can't DLL block at least Scxpx86.dll? It likely won't help all the [8-hex-numbers-here].dll crashes that started this bug, but it'll stop 4800 crashes a week...
Comment 9 • 15 years ago (Reporter)
moving some data over from bug 517203 that better fits here.
distribution of *x86dll.dll crashes for yesterday looks like.
signature list
789 Scxpx86.dll@0x47629
17 Scxpx86.dll@0x46ff9
6 Scxpx86.dll@0x53797
6 Scxpx86.dll@0x46f49
4 70E274C8.x86.dll@0x2ae9
2 Scxpx86.dll@0x5e011
2 Scxpx86.dll@0x3ef42
1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
1 Scxpx86.dll@0x6f1fd
1 Scxpx86.dll@0x1b307
1 Scxpx86.dll@0x12450
1 Scxpx86.dll@0x11181
1 897CB85C.x86.dll@0x2f64
1 054266B9.x86.dll@0x4182
Comment 10 • 15 years ago
Any reason we can't block list Scxpx86.dll?
Comment 11 • 15 years ago
we could, but in theory these libraries can change their names when they start getting blocked. It's actually better to crash and tell people they need antivirus or to seal the process against third parties.
Updated • 8 years ago
Crash Signature: [@ Scxpx86.dll@0x46f49]
[@ Scxpx86.dll@0x46ff9]
[@ Scxpx86.dll@0x47629]
[@ Scxpx86.dll@0x4182]
Comment 12 • 8 years ago
I'm marking this bug as WORKSFORME as this bug's crash log signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME