Closed Bug 516112 Opened 15 years ago Closed 8 years ago

find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addresses in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: user-doc-needed)

Crash Data

Attachments

(1 file)

I've been seeing a strange .dll show up as the crash point where many users also comment in Socorro that they believe their system has been infected with malware. Here are some examples of reports:

1AD5B854.x86.dll@0x4182
  "does this crash have to do with a virus?"
  http://www.tazinga.com/directory/results/how%20to%20play%20dire%20dire%20docks?_session_id=201790494c8fcbc7aaa664c16e7dc873
  Firefox 3.5.2, Windows NT 5.1.2600 Service Pack 3, 20090907-crashdata.csv
  http://crash-stats.mozilla.com/report/index/66cc8b83-ffb5-4cd5-abbc-8f1342090906

41E9DDBC.x86.dll@0x4182
  "Got a friggin huge virus I guess..."
  http://btcar.com/
  Firefox 3.0.13, Windows NT 5.1.2600 Service Pack 3, 20090902-crashdata.csv
  http://crash-stats.mozilla.com/report/index/95d9924d-afa6-47bc-8b54-70b9e2090901

445BB8EC.x86.dll@0x4182
  "Virus?"
  http://www.google.com/search?q=ceo&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
  Firefox 3.5.2, Windows NT 6.0.6001 Service Pack 1, 20090903-crashdata.csv
  http://crash-stats.mozilla.com/report/index/5c99ee98-a04b-4818-9531-616d72090902

@0x0 | nsGetInterface::operator()(nsID const&, void**)
  "virus"
  Firefox 3.5.2, Windows NT 5.1.2600 Service Pack 2, 20090902-crashdata.csv
  http://crash-stats.mozilla.com/report/index/de0f1f81-1b87-4f96-a499-6def62090901

@0x1162cd7
  "I think we have some viruses on this computer, can you guys help us?"
  Firefox 3.5.2, Windows NT 5.1.2600 Service Pack 3, 20090906-crashdata.csv
  http://crash-stats.mozilla.com/report/index/64f48da1-28ce-4563-bff7-6f7f32090905

@0x8feedb7f
  "probably a virus?"
  Firefox 3.5.2, Windows NT 5.1.2600 Service Pack 2, 20090906-crashdata.csv
  http://crash-stats.mozilla.com/report/index/a1d5ea6f-6d54-4fb8-9c6d-b671c2090905

Here is a more comprehensive sample signature list of all *.x86.dll crashes from 9/1/2009 (counts and signatures omitted here; the list ran to several hundred entries, almost all of them at @0x4182, with a few at @0x2f16, @0x2f64, @0x41af, @0x5ce7 and memcpy chains ending in a *.x86.dll frame).

I wonder if there might be a way to wildcard blocking of all this. Need a bit more research on what this .dll does, and whether it is indeed using a modified .dll name (but crashing at the same address -> x86.dll@0x4182) to avoid detection by virus checkers.
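One way to triage reports the way the comment above suggests is to fold the random eight-hex-digit module name into a wildcard so that crashes at the same offset group together regardless of the name the DLL picked after its last reboot. This is an added example, not code from the bug or from Socorro; the sample rows are constructed from the signatures quoted above.

```python
import re
from collections import Counter

# A frame from the random-named DLL looks like "1AD5B854.x86.dll@0x4182":
# eight hex digits, ".x86.dll", "@" and a hex offset. Only the ".x86.dll"
# suffix and the offset are stable across renames, so the hex prefix is
# folded into "*" for grouping. "Scxpx86.dll@..." has no ".x86.dll" suffix
# preceded by eight hex digits and is deliberately left alone.
RANDOM_X86_DLL = re.compile(r"\b[0-9A-Fa-f]{8}\.x86\.dll@0x[0-9A-Fa-f]+")


def normalize_frame(frame: str) -> str:
    """Replace a random-named *.x86.dll frame with its wildcard form."""
    return RANDOM_X86_DLL.sub(
        lambda m: "*.x86.dll@" + m.group(0).split("@", 1)[1], frame)


def normalize_signature(signature: str) -> str:
    """Normalize every frame of a Socorro-style ' | '-joined signature."""
    frames = [f.strip() for f in signature.split("|")]
    return " | ".join(normalize_frame(f) for f in frames)


def is_random_x86_dll(signature: str) -> bool:
    """True if any frame of the signature is a random-named *.x86.dll."""
    return RANDOM_X86_DLL.search(signature) is not None


# Constructed sample rows: (crashdata file date, raw signature).
SAMPLE_ROWS = [
    ("20090901", "1AD5B854.x86.dll@0x4182"),
    ("20090901", "41E9DDBC.x86.dll@0x4182"),
    ("20090901", "AE2F140C.x86.dll@0x2f64"),
    ("20090901", "nsGetInterface::operator()(nsID const&, void**)"),
    ("20090902", "memcpy | @0x1961efa | @0x1962305 | 00645788.x86.dll@0x28a3"),
    ("20090902", "Scxpx86.dll@0x46ff9"),
    ("20090902", "F8CEBA42.x86.dll@0x4182"),
]


def grouped_counts(rows):
    """Crashes per normalized signature, random DLL names folded together."""
    return Counter(normalize_signature(sig) for _, sig in rows)


def daily_random_dll_counts(rows):
    """Per-day count of crashes with a random-named *.x86.dll frame."""
    return Counter(date for date, sig in rows if is_random_x86_dll(sig))


if __name__ == "__main__":
    for sig, n in grouped_counts(SAMPLE_ROWS).most_common():
        print(f"{n:4d}  {sig}")
    print(dict(daily_random_dll_counts(SAMPLE_ROWS)))
```

Running the same grouping over a full day's crashdata.csv gives the "instances of x86.dll" per-day figures quoted in later comments without having to count each renamed module separately.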
About a 25%-50% increase in these kinds of crashes since the start of Sept. Instances of x86.dll per day:

20090901-crashdata.csv  207
20090902-crashdata.csv  267
20090903-crashdata.csv  286
20090904-crashdata.csv  312
20090905-crashdata.csv  231
20090906-crashdata.csv  245
20090907-crashdata.csv  254
20090908-crashdata.csv  292
20090909-crashdata.csv  387
20090910-crashdata.csv  401
20090911-crashdata.csv  355
20090912-crashdata.csv  364
Google searches for x86.dll indicate that the .dll renames itself after every reboot. http://forums.spybot.info/showthread.php?p=332313 It might be associated with Google search result links being redirected and the Trojan-Spy.Win32.Agent.azpj malware package. http://www.bleepingcomputer.com/forums/lofiversion/index.php/t256746.html Trojan-Spy.Win32.Agent.azpj seems to block anti-virus packages and might also lock up Firefox. http://forums.whatthetech.com/Urgent_Help_needed_Infected_Rootkit_trojan_Troan_Spy_oth_t106906.html
Summary: find better protection against possibble virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll]
Keywords: user-doc-needed
Back in August we were getting less than 100 of these crashes per day.
New highs for these signatures in the last few days. Instances of x86.dll per day:

20090901-crashdata.csv  207
20090902-crashdata.csv  267
20090903-crashdata.csv  286
20090904-crashdata.csv  312
20090905-crashdata.csv  231
20090906-crashdata.csv  245
20090907-crashdata.csv  254
20090908-crashdata.csv  292
20090909-crashdata.csv  387
20090910-crashdata.csv  401
20090911-crashdata.csv  355
20090912-crashdata.csv  364
20090913-crashdata.csv  377
20090914-crashdata.csv  427
20090915-crashdata.csv  186
20090916-crashdata.csv  116
20090917-crashdata.csv  252
20090918-crashdata.csv  436
20090919-crashdata.csv  499
Summary: find better protection against possible Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll]
OK, here is part of the explanation for the increase. On Sept 15 it appears Symantec released a .dll to try and combat *x86.dll vulnerabilities, but now that .dll is crashing [and zero crashes for Scxpx86.dll on previous days...]

Total crashes for Scxpx86.dll@0x46ff9 per day:

20090912-crashdata.csv    0
20090913-crashdata.csv    0
20090914-crashdata.csv    0
20090915-crashdata.csv    0
20090916-crashdata.csv   20
20090917-crashdata.csv   26
20090918-crashdata.csv  114
20090919-crashdata.csv  134

Here is the signature, OS, and Firefox version breakdown for Scxpx86 crashes.

Signature list:
134 Scxpx86.dll@0x46ff9
  2 Scxpx86.dll@0x1de1d

OS breakdown:
 98 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 3
 16 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Service Pack 2
 11 Scxpx86.dll@0x46ff9 Windows NT 6.0.6002 Service Pack 2
  6 Scxpx86.dll@0x46ff9 Windows NT 6.0.6001 Service Pack 1
  2 Scxpx86.dll@0x46ff9 Windows NT 5.1.2600 Szervizcsomag 3
  2 Scxpx86.dll@0x1de1d Windows NT 5.1.2600 Service Pack 3
  1 Scxpx86.dll@0x46ff9 Windows NT 6.0.6000

Distribution of all versions where the Scxpx86.dll crash was found on 20090919-crashdata.csv:
100 Firefox 3.5.3
 22 Firefox 3.0.14
  7 Firefox 3.5.2
  2 Firefox 3.0.8
  2 Firefox 3.0.11
  1 Firefox 3.5
  1 Firefox 3.0.2
  1 Firefox 3.0.10

ss/kev, can you point a contact at Symantec at this info, or forward contact info and I can?
Severity: normal → critical
Getting a product contact for the A/V engine group. Will update as soon as I have it.
Blocks: 530074
Scxpx86.dll@0x47629 is ranked #52 on the Fx 3.6.3 top crash list (3334 crash reports in the past two weeks). Counting all branches, there were ~4800 in the past week in Scxpx86.dll@*.
OS: Mac OS X → Windows XP
Summary: find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll] → find better protection against Trojan-Spy.Win32.Agent.azpj virus related crashes [@ *.x86.dll@0x4182 and other addressess in the *.x86.dll][@ Scxpx86.dll@0x47629][@ Scxpx86.dll@0x46ff9][@ Scxpx86.dll@0x46f49]
Version: 3.5 Branch → unspecified
Any reason we can't DLL block at least Scxpx86.dll? It likely won't help all the [8-hex-numbers-here].dll crashes that started this bug, but it'll stop 4800 crashes a week...
Moving some data over from bug 517203 that better fits here. The distribution of *x86.dll crashes for yesterday looks like this.

Signature list:
789 Scxpx86.dll@0x47629
 17 Scxpx86.dll@0x46ff9
  6 Scxpx86.dll@0x53797
  6 Scxpx86.dll@0x46f49
  4 70E274C8.x86.dll@0x2ae9
  2 Scxpx86.dll@0x5e011
  2 Scxpx86.dll@0x3ef42
  1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
  1 Scxpx86.dll@0x6f1fd
  1 Scxpx86.dll@0x1b307
  1 Scxpx86.dll@0x12450
  1 Scxpx86.dll@0x11181
  1 897CB85C.x86.dll@0x2f64
  1 054266B9.x86.dll@0x4182
Any reason we can't block list Scxpx86.dll?
We could, but in theory these libraries can change their names when they start getting blocked. It's actually better to crash and tell people they need antivirus, or to seal the process against third parties.
Crash Signature: [@ Scxpx86.dll@0x46f49] [@ Scxpx86.dll@0x46ff9] [@ Scxpx86.dll@0x47629] [@ Scxpx86.dll@0x4182]
I'm marking this bug as WORKSFORME as the crash log signature hasn't appeared for a long time (over half a year).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME