find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]

RESOLVED WORKSFORME

Status

Firefox
Security
--
critical
9 years ago
a year ago

People

(Reporter: chris hofmann, Unassigned)

Tracking

(Blocks: 2 bugs, {user-doc-needed})

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
I've been seeing a strange .dll show up as the crash point where many users also comment in Socorro that they believe their system has been infected with malware.

here are some examples of reports


1AD5B854.x86.dll@0x4182
        does this crash have to do with a virus?
        http://www.tazinga.com/directory/results/how%20to%20play%20dire%20dire%20docks?_session_id=201790494c8fcbc7aaa664c16e7dc873
        Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 3
          20090907-crashdata.csv http://crash-stats.mozilla.com/report/index/66cc8b83-ffb5-4cd5-abbc-8f1342090906

41E9DDBC.x86.dll@0x4182
        Got a friggin huge virus I guess...
        http://btcar.com/
        Firefox 3.0.13 Windows NT 5.1.2600 Service Pack 3
          20090902-crashdata.csv http://crash-stats.mozilla.com/report/index/95d9924d-afa6-47bc-8b54-70b9e2090901

445BB8EC.x86.dll@0x4182
        Virus?
        http://www.google.com/search?q=ceo&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
        Firefox 3.5.2 Windows NT 6.0.6001 Service Pack 1
          20090903-crashdata.csv http://crash-stats.mozilla.com/report/index/5c99ee98-a04b-4818-9531-616d72090902

@0x0 | nsGetInterface::operator()(nsID const&, void**)
        virus
        
        Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 2
          20090902-crashdata.csv http://crash-stats.mozilla.com/report/index/de0f1f81-1b87-4f96-a499-6def62090901

@0x1162cd7
        I think we have some viruses on this computer, can you guys help us?
        
        Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 3
          20090906-crashdata.csv http://crash-stats.mozilla.com/report/index/64f48da1-28ce-4563-bff7-6f7f32090905

@0x8feedb7f
        probably a virus?
        
        Firefox 3.5.2 Windows NT 5.1.2600 Service Pack 2
          20090906-crashdata.csv http://crash-stats.mozilla.com/report/index/a1d5ea6f-6d54-4fb8-9c6d-b671c2090905

here is a more comprehensive sample signature list of  all *.x86.dll crashes from 9/1/2009


I wonder if there might be a way to wildcard blocking of all this.

need a bit more research on what this .dll does, and if it is indeed using a modified .dll name (but crashing at the same address -> x86.dll@0x4182) to avoid detection by virus checkers.
(Reporter)

Comment 1

9 years ago
about a 25%-50% increase in these kind of crashes since the start of sept.

instances of x86.dll in 20090901-crashdata.csv      207
instances of x86.dll in 20090902-crashdata.csv      267
instances of x86.dll in 20090903-crashdata.csv      286
instances of x86.dll in 20090904-crashdata.csv      312
instances of x86.dll in 20090905-crashdata.csv      231
instances of x86.dll in 20090906-crashdata.csv      245
instances of x86.dll in 20090907-crashdata.csv      254
instances of x86.dll in 20090908-crashdata.csv      292
instances of x86.dll in 20090909-crashdata.csv      387
instances of x86.dll in 20090910-crashdata.csv      401
instances of x86.dll in 20090911-crashdata.csv      355
instances of x86.dll in 20090912-crashdata.csv      364
(Reporter)

Comment 2

9 years ago
google searches for x86.dll indicate that the .dll renames itself after every reboot. 

http://forums.spybot.info/showthread.php?p=332313

and it might be associated with Google search result links being redirected and the Trojan-Spy.Win32.Agent.azpj malware package.

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t256746.html

Trojan-Spy.Win32.Agent.azpj seems to block anti-virus packages and might also lock up Firefox.

http://forums.whatthetech.com/Urgent_Help_needed_Infected_Rootkit_trojan_Troan_Spy_oth_t106906.html
(Reporter)

Updated

9 years ago
Summary: find better protection against possibble virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll] → find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll]
(Reporter)

Updated

9 years ago
Keywords: user-doc-needed
(Reporter)

Comment 3

9 years ago
back in august we were getting less than 100 of these crashes per day.
(Reporter)

Comment 4

9 years ago
new highs for these signatures in the last few days.

instances of x86.dll in 20090901-crashdata.csv      207
instances of x86.dll in 20090902-crashdata.csv      267
instances of x86.dll in 20090903-crashdata.csv      286
instances of x86.dll in 20090904-crashdata.csv      312
instances of x86.dll in 20090905-crashdata.csv      231
instances of x86.dll in 20090906-crashdata.csv      245
instances of x86.dll in 20090907-crashdata.csv      254
instances of x86.dll in 20090908-crashdata.csv      292
instances of x86.dll in 20090909-crashdata.csv      387
instances of x86.dll in 20090910-crashdata.csv      401
instances of x86.dll in 20090911-crashdata.csv      355
instances of x86.dll in 20090912-crashdata.csv      364
instances of x86.dll in 20090913-crashdata.csv      377
instances of x86.dll in 20090914-crashdata.csv      427
instances of x86.dll in 20090915-crashdata.csv      186
instances of x86.dll in 20090916-crashdata.csv      116
instances of x86.dll in 20090917-crashdata.csv      252
instances of x86.dll in 20090918-crashdata.csv      436
instances of x86.dll in 20090919-crashdata.csv      499
Summary: find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll]
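The description and comments 1 and 4 rely on two observations: the malicious module is renamed to a random eight-hex-digit name, but the crash offset inside it stays constant, and the daily count of such signatures in the crashdata.csv exports is what shows the trend. The following is an added example (not code from Mozilla or from this bug) of the wildcard matching the reporter wonders about, keyed on the stable offset rather than the changing name, run over a few constructed rows in the shape of (export date, crash signature):

```python
import re
from collections import Counter

# Constructed sample rows shaped like (crashdata.csv date, crash signature);
# the values are made up for this example, not taken from Socorro.
SAMPLE_ROWS = [
    ("20090901", "1AD5B854.x86.dll@0x4182"),
    ("20090901", "AE2F140C.x86.dll@0x2f64"),
    ("20090901", "memcpy | A76501C2.x86.dll@0x3b89"),
    ("20090902", "41E9DDBC.x86.dll@0x4182"),
    ("20090902", "nsGetInterface::operator()(nsID const&, void**)"),
    ("20090916", "Scxpx86.dll@0x46ff9"),
    ("20090918", "Scxpx86.dll@0x46ff9"),
    ("20090918", "Scxpx86.dll@0x47629"),
]

# A randomly renamed module: eight hex digits, ".x86.dll", then an offset.
# The name changes on every reboot, the offset does not, so detections
# are keyed on the offset.  Also match the A/V module named in comment 5.
RANDOM_X86_DLL = re.compile(r"\b[0-9A-F]{8}\.x86\.dll@(0x[0-9a-f]+)")
SCXP_DLL = re.compile(r"\bScxpx86\.dll@(0x[0-9a-f]+)")


def classify(signature):
    """Return ("random-x86", offset), ("scxpx86", offset) or None.

    search() rather than match() so frames such as "memcpy | ..." that
    precede the module in the signature are still recognised.
    """
    m = RANDOM_X86_DLL.search(signature)
    if m:
        return ("random-x86", m.group(1))
    m = SCXP_DLL.search(signature)
    if m:
        return ("scxpx86", m.group(1))
    return None


def aggregate(rows):
    """Count hits per (day, family) and per (family, offset)."""
    per_day = Counter()
    per_offset = Counter()
    for day, sig in rows:
        hit = classify(sig)
        if hit is None:
            continue
        per_day[(day, hit[0])] += 1
        per_offset[hit] += 1
    return per_day, per_offset
```

The per-day counter reproduces the "instances of x86.dll in ...-crashdata.csv" tallies above, and the per-offset counter shows which constant offsets (0x4182, 0x2f64, and so on) dominate regardless of module name.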
(Reporter)

Comment 5

9 years ago
ok, here is part of the explanation about the increase.

on Sept 15 it appears symantec released a .dll to try and combat *x86.dll vulnerabilities, but now that .dll is crashing

[and zero crashes for Scxpx86.dll on previous days...]
0   total crashes for Scxpx86.dll@0x46ff9 on 20090912-crashdata.csv
0   total crashes for Scxpx86.dll@0x46ff9 on 20090913-crashdata.csv
0   total crashes for Scxpx86.dll@0x46ff9 on 20090914-crashdata.csv
0   total crashes for Scxpx86.dll@0x46ff9 on 20090915-crashdata.csv
20   total crashes for Scxpx86.dll@0x46ff9 on 20090916-crashdata.csv
26   total crashes for Scxpx86.dll@0x46ff9 on 20090917-crashdata.csv
114   total crashes for Scxpx86.dll@0x46ff9 on 20090918-crashdata.csv
134   total crashes for Scxpx86.dll@0x46ff9 on 20090919-crashdata.csv


here is the signature, OS, and Firefox version breakdown for Scxpx86 crashes

signature list
 134 Scxpx86.dll@0x46ff9
   2 Scxpx86.dll@0x1de1d

os breakdown
  98 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 3
  16 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 2
  11 Scxpx86.dll@0x46ff9 Windows NT 6.0.6002 Service Pack 2
   6 Scxpx86.dll@0x46ff9 Windows NT 6.0.6001 Service Pack 1
   2 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Szervizcsomag 3
   2 Scxpx86.dll@0x1de1d Windows NT 5.1.2600 Service Pack 3
   1 Scxpx86.dll@0x46ff9 Windows NT 6.0.6000

distribution of all versions where the Scxpx86.dll crash was found on 20090919-crashdata.csv
 100 Firefox 3.5.3
  22 Firefox 3.0.14
   7 Firefox 3.5.2
   2 Firefox 3.0.8
   2 Firefox 3.0.11
   1 Firefox 3.5
   1 Firefox 3.0.2
   1 Firefox 3.0.10

ss/kev,

can you point a contact at Symantec at this info or forward contact info and I can?

Updated

9 years ago
Severity: normal → critical

Comment 6

9 years ago
getting a product contact for the A/V engine group. will update as soon as I have it.
(Reporter)

Updated

9 years ago
Blocks: 530074
Scxpx86.dll@0x47629 is ranked #52 on Fx 3.6.3 top crash list.
(3334 crash reports in the past two weeks)

Counting all branches, there were ~4800 in the past week, in Scxpx86.dll@*
OS: Mac OS X → Windows XP
Summary: find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]
Version: 3.5 Branch → unspecified

Comment 8

8 years ago
Any reason we can't DLL block at least Scxpx86.dll? It likely won't help all the [8-hex-numbers-here].dll crashes that started this bug, but it'll stop 4800 crashes a week...
(Reporter)

Comment 9

8 years ago
Created attachment 440804 [details]
year to date x86dll crash volume

moving some data over from bug 517203 that better fits here.

distribution of *x86dll.dll crashes for yesterday looks like.

signature list
 789 Scxpx86.dll@0x47629
 17 Scxpx86.dll@0x46ff9
  6 Scxpx86.dll@0x53797
  6 Scxpx86.dll@0x46f49
  4 70E274C8.x86.dll@0x2ae9
  2 Scxpx86.dll@0x5e011
  2 Scxpx86.dll@0x3ef42
  1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
  1 Scxpx86.dll@0x6f1fd
  1 Scxpx86.dll@0x1b307
  1 Scxpx86.dll@0x12450
  1 Scxpx86.dll@0x11181
  1 897CB85C.x86.dll@0x2f64
  1 054266B9.x86.dll@0x4182
Any reason we can't block list Scxpx86.dll?

Comment 11

8 years ago
we could, but in theory these libraries can change their names when they start getting blocked. It's actually better to crash and tell people they need antivirus or to seal the process against third parties.
Crash Signature: [@ Scxpx86.dll@0x46f49] [@ Scxpx86.dll@0x46ff9] [@ Scxpx86.dll@0x47629] [@ Scxpx86.dll@0x4182]
I'm marking this bug as WORKSFORME as the bug's crash log signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME