Closed Bug 556896 Opened 10 years ago Closed 3 years ago

crashes from possible backdoor subseven malware [@ msr9ricw.dll@0x6b5] and other [@ msr[random_characters].dll ]

Categories

(Firefox :: General, defect)

3.5 Branch
x86
Windows XP
defect
Not set

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

From within the query below, a number of msr[random_characters].dll signatures show up.

http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&date=&range_value=4&range_unit=weeks&query_search=signature&query_type=startswith&query=msr&build_id=&process_type=all&do_query=1

4  msr9ricw.dll@0x6b57
5  msrykaa3.dll@0x6d3b
6  msrating.dll@0x5143
7  msrminzp.dll@0x6d04
8  msr7jjyh.dll@0x10700
9  msran.dll@0x139b
10 msrccffa.dll@0x6cac
11 msr33dex.dll@0x6aa9
12 msrating.dll@0x1c4a7
13 msrkvps5.dll@0x6d39
14 msrcomCMP.dll@0x65af
15 msrt6y8u.dll@0x1ef39
16 msrcjjm5.dll@0xad26

These are possibly connected to some variation of msr.exe, the backdoor Sub7, and the Midgare trojans and families of malware. I haven't found any direct connection or association between msr.exe and msr[random_characters].dll, so there may be none, or it may be some new form of the malware.

A crash report with a similar .dll name in the module list, msr9had6.dll,
is under investigation for taking down Socorro processors in bugs 556690 and 556679.

other references
http://support.microsoft.com/kb/319813
http://www.all-internet-security.com/subseven_trojan.html
http://www.freespycheck.com/malware-removal/remove-trojan-win32-midgare-vmm.html
http://www.computing.net/answers/windows-2000/file-msrexe/57914.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmsr.html
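Triage logic over the signature list quoted above, as an added example (Python) that is not part of this bug, of Socorro, or of any tool named here. It parses Socorro-style `module@0xoffset` signatures, flags module names of the shape shared by every random-named entry in the report (`msr` + five lowercase letters or digits + `.dll`), and keeps a small allowlist in front of that check, because `msrating.dll` (Microsoft's Content Advisor library that ships with Windows) happens to fit the same shape. The allowlist and the label names are assumptions supplied here, not something the bug states.

```python
import re
from collections import Counter

# Constructed input: the crash signatures quoted in the bug report above.
SIGNATURES = [
    "msr9ricw.dll@0x6b57", "msrykaa3.dll@0x6d3b", "msrating.dll@0x5143",
    "msrminzp.dll@0x6d04", "msr7jjyh.dll@0x10700", "msran.dll@0x139b",
    "msrccffa.dll@0x6cac", "msr33dex.dll@0x6aa9", "msrating.dll@0x1c4a7",
    "msrkvps5.dll@0x6d39", "msrcomCMP.dll@0x65af", "msrt6y8u.dll@0x1ef39",
    "msrcjjm5.dll@0xad26",
]

# Assumption (not from the bug): msrating.dll is Microsoft's Content Advisor
# library bundled with Windows, so it is allowlisted. Extend as needed.
KNOWN_MODULES = {"msrating.dll"}

# Socorro-style signature: "<module>@0x<hex offset>".
SIG_RE = re.compile(r"^(?P<module>[^@\s]+)@0x(?P<offset>[0-9a-fA-F]+)$")

# Shape shared by every random-named module in the report: "msr" followed by
# exactly five lowercase letters/digits, then ".dll". "msrating.dll" also fits
# this shape, which is why the allowlist is consulted before the pattern.
RANDOM_MSR_RE = re.compile(r"^msr[a-z0-9]{5}\.dll$")


def parse_signature(sig):
    """Split a crash signature into (module, offset as int); None if malformed."""
    m = SIG_RE.match(sig.strip())
    if not m:
        return None
    return m.group("module"), int(m.group("offset"), 16)


def classify_module(module):
    """Label a module name as 'known', 'random_msr' or 'other'."""
    name = module.lower()
    if name in KNOWN_MODULES:
        return "known"
    if RANDOM_MSR_RE.match(name):
        return "random_msr"
    return "other"


def triage(signatures):
    """Group signatures by label; returns {label: Counter({module: hits})}."""
    buckets = {"known": Counter(), "random_msr": Counter(), "other": Counter()}
    for sig in signatures:
        parsed = parse_signature(sig)
        if parsed is None:
            continue  # skip lines that are not module@offset signatures
        module, _offset = parsed
        buckets[classify_module(module)][module] += 1
    return buckets


if __name__ == "__main__":
    for label, counter in triage(SIGNATURES).items():
        print(f"{label:10s} {dict(counter)}")
```

Run as-is it prints three buckets: nine distinct random-named modules, two hits on the allowlisted `msrating.dll`, and two names (`msran.dll`, `msrcomCMP.dll`) that match neither rule and need a human look. The point of the separate "other" bucket is that a name-shape heuristic alone is a triage aid, not a verdict: it narrows what to pull module lists for, it does not decide what is malware.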
Actually, they probably won't, sorry to have led you astray a few minutes ago. It is likely that the processor failed to write these data files because of the character encoding problem. The character encoding problem is fixed in 1.6, but the push of that version to production is delayed for more quality testing. Only reprocessing these crashes after 1.6 would regenerate those jsonz files.

It is conceivable that I could backport a patch to the current processor, but you still wouldn't be able to view the results in the UI until bug 556888 is resolved.
OK. We can watch for more details in future reports after 1.6 is deployed. Volume is still extremely low on these over the last month.

date      crashes at msr......dll
20100301  0
20100305  1
20100306  2
20100311  2
20100317  2
20100320  1
20100323  1
20100325  1
20100326  1
20100330  1
20100331  3
20100401  3

The 6 reports from the last couple of days are all
Windows NT 5.1.2600 Service Pack 3, and all appear to be startup crashes within a few seconds of startup according to the .csv files.

And they are coming from a variety of Firefox releases:
   2 3.5.8
   1 3.5.4
   1 3.6
   2 3.6.2
I'm marking this bug as WORKSFORME, as this bug's crash log signature hasn't appeared for a long time (over half a year) [except for some obsolete <39 versions; no crashes since version 39].
Status: NEW → RESOLVED
Crash Signature: [@ msr9ricw.dll@0x6b5]
Closed: 3 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ msr9ricw.dll@0x6b5] → [@ msr9ricw.dll@0x6b5] [@ msr9ricw.dll@0x6b57] [@ msrykaa3.dll@0x6d3b] [@ msrating.dll@0x5143] [@ msrminzp.dll@0x6d04] [@ msr7jjyh.dll@0x10700] [@ msran.dll@0x139b] [@ msrccffa.dll@0x6cac] [@ msr33dex.dll@0x6aa9] [@ msrating.dll@0x1c4a7] [@ msrk…