Closed Bug 555855 Opened 14 years ago Closed 10 years ago

Firefox started during restart of windows xp from hibernation the virus "rundll32.exe" in temp-folder

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED INCOMPLETE

People

(Reporter: bege10, Unassigned)

References

(Blocks 1 open bug)

Attachments

(1 file)

528.00 KB, application/octet-stream
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 (.NET CLR 3.5.30729)

While the system was restarting from hibernation, Firefox started the file rundll32.exe from a subfolder of the current user temp-folder: 

11:09:19 [EXECUTION] "c:\dokumente und einstellungen\bege\lokale einstellungen\temp\b3d.tmp\rundll32.exe" was allowed to run
         [EXECUTION] Started by "c:\programme\mozilla firefox\firefox.exe" [4212]
         [EXECUTION] Commandline - [ "c:\dokume~1\bege\lokale~1\temp\b3d.tmp\rundll32.exe" ]

This file turned out to be a virus (avast antivirus, re-checked online via jotti malware scan).

I cannot say where this file came from. It doesn't appear in the protocol of the session which has been hibernated before.

Does anybody have a clue what has happened there?

Reproducible: Always

If this is a problem of Firefox it is critical, although the program itself didn't show any problems.
Summary: Firefox started during restart from hibernation virus "rundll32.exe" in temp-folder → Firefox started during restart of windows xp from hibernation the virus "rundll32.exe" in temp-folder
Version: unspecified → 3.6 Branch
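The three-line execution record quoted in the description (image path, parent process with PID, command line) is exactly the kind of telemetry a defender can scan for this pattern: a well-known Windows binary name running from a user temp folder, with a browser as its parent. The following parser and check are an added example, not part of the bug report or of any Mozilla code; the log format is taken from the quoted lines, while the second and third records in the sample are constructed as benign controls, and the lists of system binaries and browsers are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the three-line record format quoted in the
# bug description. The first record is the reporter's; the other two are made up
# here as benign controls and do not appear in the bug report.
SAMPLE_LOG = r"""
11:09:19 [EXECUTION] "c:\dokumente und einstellungen\bege\lokale einstellungen\temp\b3d.tmp\rundll32.exe" was allowed to run
         [EXECUTION] Started by "c:\programme\mozilla firefox\firefox.exe" [4212]
         [EXECUTION] Commandline - [ "c:\dokume~1\bege\lokale~1\temp\b3d.tmp\rundll32.exe" ]
11:10:02 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
         [EXECUTION] Started by "c:\windows\explorer.exe" [1532]
         [EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]
11:11:45 [EXECUTION] "c:\programme\mozilla firefox\updater.exe" was allowed to run
         [EXECUTION] Started by "c:\programme\mozilla firefox\firefox.exe" [4212]
         [EXECUTION] Commandline - [ "c:\programme\mozilla firefox\updater.exe" ]
"""

RUN_RE = re.compile(r'^(\d\d:\d\d:\d\d) \[EXECUTION\] "([^"]+)" was allowed to run\s*$')
PARENT_RE = re.compile(r'^\s*\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]\s*$')
CMD_RE = re.compile(r'^\s*\[EXECUTION\] Commandline - \[ (.*) \]\s*$')

# Assumed lists: binary names expected only under the Windows directory, and
# browser images whose child processes deserve a closer look.
SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "cmd.exe"}
BROWSERS = {"firefox.exe", "iexplore.exe"}


@dataclass
class Execution:
    time: str
    image: str
    parent: str = ""
    parent_pid: int = 0
    commandline: str = ""


@dataclass
class Finding:
    record: Execution
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Group the monitor's lines into Execution records (one per 'was allowed to run')."""
    records = []
    current = None
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            current = Execution(time=m.group(1), image=m.group(2))
            records.append(current)
            continue
        if current is None:
            continue  # continuation line before any record header; ignore
        m = PARENT_RE.match(line)
        if m:
            current.parent = m.group(1)
            current.parent_pid = int(m.group(2))
            continue
        m = CMD_RE.match(line)
        if m:
            current.commandline = m.group(1)
    return records


def analyse(rec):
    """Return the list of reasons a record looks suspicious (empty if none)."""
    image = PureWindowsPath(rec.image)
    parent = PureWindowsPath(rec.parent)
    parts = [p.lower() for p in image.parts]
    reasons = []
    # A copy of a system binary living outside the Windows directory.
    if image.name.lower() in SYSTEM_BINARIES and "windows" not in parts:
        reasons.append(f"{image.name} running outside the Windows directory")
    # A browser spawning an executable out of a temp folder.
    if parent.name.lower() in BROWSERS and "temp" in parts:
        reasons.append(f"{parent.name} launched an executable from a temp folder")
    return reasons


def scan_log(text):
    """Parse the log and return a Finding for every record with at least one reason."""
    return [Finding(rec, reasons) for rec in parse_log(text) if (reasons := analyse(rec))]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.record.time, finding.record.image)
        for reason in finding.reasons:
            print("   ", reason)
```

Run against the sample, only the reporter's record is flagged, and it trips both rules; the two constructed controls (a system binary under `c:\windows`, and a Firefox child that lives in the Firefox install directory) pass. On a real system the same two rules can be applied to any process-creation source that records the parent image.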
Did you save a copy of the virus? Might be a good idea to attach it here in case someone wants to reproduce the exploit in a controlled environment.
Results of Jotti's Malwarescanner
avast: Win32:Rootkit-gen
G-DATA: Win32:Rootkit-gen
AVG: Generic17.AHJI
AntiVir: TR/Agent.540672.5
NOD32: Win32/Agent.QQJ
I apologize in advance for posting a comment which doesn't provide any useful information, however I wanted to mention this since it's been a few months since any update.

In the past two weeks, I've had my computer infected by this virus/malware as well as one other four different times running the 3.6.x beta version of Firefox.  The reason for the apology is because so far I've been lazy and haven't done a thing to actually try to determine any useful information about the problem, until today where I started with a web search and ended up here.  

One thing I am personally sure of is that the malware/virus was invisibly installed while browsing different types of search results within the beta version of Firefox.  

I am very security conscious as I have worked in the network security sector as a software developer for the past 6 years, and I use virtual machines for all actual opening of non-media files I've downloaded.  As it just so happens, the different types of searching I was performing when this happened three of the times was one of the following:

-> Searching for a rapidshare link for some music album, specifically on http://www.rapidlibrary.com/
-> Searching for a rapidshare link for some music album as a global Google search
-> Searching for a given movie or album on one of three Torrent search engines: http://www.btjunkie.org/, http://www.thepiratebay.org/, or http://www.torrent-reactor.net/.  

It was the fourth (so far the last) time I was suddenly infected that I had a process explorer window open on my second monitor and could directly correlate it with something I was doing at the time.

I happened to be searching for an album on http://www.btjunkie.com/, and was in somewhat of a hurry when clicking through the results to read the comments.  On the first one I decided to grab, being in a hurry, I happened to click on the very misleading ad at the top of the torrent details page (ads are provided by adbrite), which looked similar to BT Junkie's download torrent image.  

While being redirected to some blinx ad page, I watched the process start itself up and register a few new start-up entries.  It also goes and disables the viewing of hidden files, the ability to change folder options in explorer, and to top it off, the ability to run regedit.  Wrote a vbscript to get around that and removed the thing off my computer, however that's when I realized that it had gone in and manually configured a localhost proxy address within Firefox and Internet Explorer (separate configuration; told Firefox to use its own proxy config).  Oh by the way, I'm running Windows Vista so it was unable to modify any non-user files.  

The next chance I got, I attempted to reproduce the problem but did not see that ad pop-up again.  The more I think about it, the more I do believe I made that same stupid mistake of clicking on an ad instead of the proper "Download Torrent" image at least one of the other three times.  The other two were rapidshare searches, however might very well be the same root trigger: Clicking on an unknown link.

Since I'm pretty convinced this is a real security issue with either Firefox or one of the plugins I use, I will dedicate some serious time into trying to reproduce this while watching every aspect of the system and apps as possible so I can provide you with as much details and help as possible.

Sorry for the long comment.  Very bad habit of mine.  I kept telling myself to KISS (Keep It Simple, Stupid!) but it just refused to stay short! :-)

Thanks for listening to (reading?) my ramblings...  Will post back once I figure out how to reproduce and have more details.
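The comment above describes the malware silently pointing Firefox at a localhost proxy. Firefox keeps such overrides as `user_pref(...)` lines in the profile's `prefs.js`, so a defender can check a profile for a manual proxy aimed at the loopback interface, or a PAC URL served from it, without needing the browser running. The code below is an added example, not part of the bug report or of Mozilla's code: the `prefs.js` fragments are constructed for the example, the loopback host list is an assumption, and a legitimate local proxy (a filtering or privacy tool) would trip the same check, so it flags for review rather than deciding.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlsplit

# prefs.js stores one override per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Assumed set of hosts that mean "this machine".
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed prefs.js fragments (not from the bug report). The first carries a
# manual proxy on the loopback interface, the kind of change the comment above
# describes; the second is a clean profile that uses the system proxy setting.
SUSPECT_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
"""

CLEAN_PREFS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 5);
"""


def parse_prefs(text):
    """Return a dict of pref name -> value for every user_pref line in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            # Quoted strings, integers and true/false are all valid JSON literals.
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep anything unusual verbatim rather than drop it
    return prefs


def proxy_findings(prefs):
    """List the proxy settings in a parsed prefs dict that point at this machine."""
    findings = []
    # network.proxy.type: 1 = manual configuration, 2 = PAC script.
    # An absent pref means the built-in default is in force, not a user override.
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:
        for proto in ("http", "ssl", "ftp", "socks"):
            host = prefs.get(f"network.proxy.{proto}")
            port = prefs.get(f"network.proxy.{proto}_port")
            if isinstance(host, str) and host.strip().lower() in LOOPBACK_HOSTS:
                findings.append(f"manual {proto} proxy points at loopback: {host}:{port}")
    elif ptype == 2:
        url = prefs.get("network.proxy.autoconfig_url", "")
        if isinstance(url, str):
            parts = urlsplit(url)
            if parts.scheme == "file" or (parts.hostname or "").lower() in LOOPBACK_HOSTS:
                findings.append(f"PAC script is served from this machine: {url}")
    return findings


def scan_prefs_file(path):
    """Convenience wrapper: read a prefs.js from disk and return its findings."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return proxy_findings(parse_prefs(text))


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_PREFS), ("clean", CLEAN_PREFS)):
        print(label, proxy_findings(parse_prefs(text)) or "no loopback proxy configured")
```

The suspect fragment yields two findings (HTTP and SSL both routed through `127.0.0.1:8080`); the clean one yields none. To check a live profile, call `scan_prefs_file` on the `prefs.js` inside the Firefox profile directory.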
(In reply to Paul White from comment #3)
> Thanks for listening to (reading?) my ramblings...  Will post back once I
> figure out how to reproduce and have more details.

Can you still reproduce?
Flags: needinfo?(djbigshow)
Closing based on date of last comment and lack of response to request for info. If more info provided bug can be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(djbigshow)