Closed Bug 556896 Opened 10 years ago Closed 3 years ago
crashes from possible backdoor subseven malware [@ msr9ricw.dll@0x6b5] and other [@ msr[random_characters].dll ]
From within the query below, a number of msr[random_characters].dll signatures show up.

http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&date=&range_value=4&range_unit=weeks&query_search=signature&query_type=startswith&query=msr&build_id=&process_type=all&do_query=1

4 msr9ricw.dll@0x6b57
5 msrykaa3.dll@0x6d3b
6 msrating.dll@0x5143
7 msrminzp.dll@0x6d04
8 msr7jjyh.dll@0x10700
9 msran.dll@0x139b
10 msrccffa.dll@0x6cac
11 msr33dex.dll@0x6aa9
12 msrating.dll@0x1c4a7
13 msrkvps5.dll@0x6d39
14 msrcomCMP.dll@0x65af
15 msrt6y8u.dll@0x1ef39
16 msrcjjm5.dll@0xad26

These are possibly connected to some variation of msr.exe, the backdoor sub7, and midgare trojans and families of malware. I haven't found any direct connection or association between msr.exe and msr[random_characters].dll, so there may be none, or it may be some new form of the malware.

A crash report with a similar .dll name in the module list, msr9had6.dll, is under investigation for taking down socorro processors in bugs 556690 and 556679.

Other references:
http://support.microsoft.com/kb/319813
http://www.all-internet-security.com/subseven_trojan.html
http://www.freespycheck.com/malware-removal/remove-trojan-win32-midgare-vmm.html
http://www.computing.net/answers/windows-2000/file-msrexe/57914.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmsr.html
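A triage sketch for the signature list in the comment above, added here as an example and not part of the original bug report or of Socorro: it parses `module.dll@0xoffset` signatures and separates names that fit the msr[random_characters].dll shape from the rest. The five-character shape and the `KNOWN_MODULES` allowlist are assumptions made for this example.

```python
import re

# Signature shape used in the report: <module>.dll@0x<hex offset>
SIG_RE = re.compile(r"^([^@\s]+\.dll)@0x([0-9a-fA-F]+)$")
# Assumption: the "random characters" are five lowercase letters or digits,
# which is the shape of the samples listed in the report.
RANDOM_MSR_RE = re.compile(r"^msr[a-z0-9]{5}\.dll$")
# Assumption: names that fit the shape but belong to a known Windows component.
KNOWN_MODULES = {"msrating.dll"}

# Signatures copied from the report; the last entry is truncated on the page.
SAMPLE = [
    "msr9ricw.dll@0x6b57", "msrykaa3.dll@0x6d3b", "msrating.dll@0x5143",
    "msrminzp.dll@0x6d04", "msr7jjyh.dll@0x10700", "msran.dll@0x139b",
    "msrccffa.dll@0x6cac", "msr33dex.dll@0x6aa9", "msrating.dll@0x1c4a7",
    "msrkvps5.dll@0x6d39", "msrcomCMP.dll@0x65af", "msrt6y8u.dll@0x1ef39",
    "msrcjjm5.dll@0xad26", "msrk…",
]

def classify(module):
    """Return 'known', 'suspect' or 'other' for one module file name."""
    name = module.lower()  # Windows file names are case-insensitive
    if name in KNOWN_MODULES:
        return "known"
    if RANDOM_MSR_RE.match(name):
        return "suspect"
    return "other"

def triage(signatures):
    """Group parsed signatures by class -> module -> list of crash offsets."""
    groups = {"known": {}, "suspect": {}, "other": {}, "unparsed": []}
    for sig in signatures:
        m = SIG_RE.match(sig.strip())
        if not m:
            groups["unparsed"].append(sig)  # truncated or malformed entry
            continue
        module, offset = m.group(1), int(m.group(2), 16)
        groups[classify(module)].setdefault(module.lower(), []).append(offset)
    return groups

if __name__ == "__main__":
    for label, found in triage(SAMPLE).items():
        print(label, found)
```

The name shape alone also matches msrating.dll, so the allowlist check runs first; names in the "other" group need a manual look.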
These crashes might be viewable when bug 556888 gets fixed.

msr9ricw.dll@0x6b57
http://crash-stats.mozilla.com/report/index/7a141ea8-5adc-41ca-af67-662cc2100401

msrkvps5.dll@0x6d39
http://crash-stats.mozilla.com/report/index/7fdebafb-1889-4416-847e-224242100401

msrminzp.dll@0x6d04
http://crash-stats.mozilla.com/report/index/8f4a53cb-8205-4a3b-b696-9fa912100401
Actually, they probably won't, sorry to have led you astray a few minutes ago. It is likely that the processor failed to write these datafiles because of the character encoding problem. The character encoding problem is fixed in 1.6, but the push of that version to production is delayed for more quality testing. Only reprocessing these crashes after 1.6 would regenerate those jsonz files. It is conceivable that I could backport a patch to the current processor, but you still wouldn't be able to view the results in the UI until bug 556888 is resolved.
OK. We can watch for more details in future reports after 1.6 is deployed. Volume is still extremely low on these over the last month.

date      crashes at msr......dll
20100301  0
20100305  1
20100306  2
20100311  2
20100317  2
20100320  1
20100323  1
20100325  1
20100326  1
20100330  1
20100331  3
20100401  3

The 6 reports from the last couple of days are all Windows NT5.1.2600 Service Pack 3, and all appear to be startup crashes within a few seconds of startup according to the .csv files. And they are coming from a variety of Firefox releases:

2 3.5.8
1 3.5.4
1 3.6
2 3.6.2
I'm marking this bug as WORKSFORME as this bug's crash signature hasn't appeared for a long time (over half a year) [except in some obsolete <39 versions; no crashes starting with version 39].
Status: NEW → RESOLVED
Crash Signature: [@ msr9ricw.dll@0x6b5]
Closed: 3 years ago
Resolution: --- → WORKSFORME
3 years ago
Crash Signature: [@ msr9ricw.dll@0x6b5] → [@ msr9ricw.dll@0x6b5] [@ msr9ricw.dll@0x6b57] [@ msrykaa3.dll@0x6d3b] [@ msrating.dll@0x5143] [@ msrminzp.dll@0x6d04] [@ msr7jjyh.dll@0x10700] [@ msran.dll@0x139b] [@ msrccffa.dll@0x6cac] [@ msr33dex.dll@0x6aa9] [@ msrating.dll@0x1c4a7] [@ msrk…