
possible malware crashes in notepad.dll [@ notepad.dll@0x40f7 ] and others

RESOLVED INCOMPLETE

Status

External Software Affecting Firefox
Other
RESOLVED INCOMPLETE
8 years ago
a year ago

People

(Reporter: chris hofmann, Unassigned)

Tracking

(Blocks: 1 bug, {crash, user-doc-needed})

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

8 years ago
About 200 crashes per day in possible malware that gets installed in c:\windows\system32\notepad.dll. See: http://www.threatexpert.com/files/notepad.dll.html and other search results for "notepad.dll"


signature list
  96 notepad.dll@0x40f7
  29 notepad.dll@0x3a13
  26 notepad.dll@0x40fa
  14 notepad.dll@0x3a4a
   8 notepad.dll@0x40be
   2 notepad.dll@0x403e
   2 memcmp | notepad.dll@0x1434
   1 notepad.dll@0x3a66

checking --- notepad.dll 20100415-crashdata.csv
found in: 3.6.3 3.5.9 3.6 3.5.7 3.0.14 3.0.9 3.0.19 3.0.16
release total-crashes  notepad.dll-crashes  pct.
all     351003  178     0.000507118
3.6.3   242386  143     0.000589968
3.5.9   31706   24      0.000756955
3.6     19351   4       0.000206708
3.5.7   2348    2       0.000851789
3.0.14  288     2       0.00694444
3.0.9   125     1       0.008
3.0.19  10321   1       9.68898e-05
3.0.16  232     1       0.00431034

os breakdown
notepad.dll Total 176
Win5.1  0.65
Win6.0  0.31
Win6.1  0.04
Mac10.4 0.00
Mac10.5 0.00
Mac10.6 0.00
Lin2.4  0.00

Correlation to startup or time of session
178 total crashes for notepad.dll on 20100415-crashdata.csv
6 start up crashes inside 30 seconds of startup
40 start up crashes inside 3 minutes of startup

domains of sites
  25 http://www.facebook.com
  16 \N//
  12 http://www.youtube.com
  11 http://home.myspace.com
   9 http://apps.facebook.com
   5 https://login.facebook.com
   5 http://www.myspace.com
   5 http://messaging.myspace.com
   4 http://wq32.com
   4 http://viewmorepics.myspace.com
   4 about:blank//
   3 http://friends.myspace.com
   2 http://www.yahoo.com
   2 http://www.yachtcouncil.com
   2 http://www.tuenti.com
   2 http://www.ken-welch.com
   2 http://msn.foxsports.com
<long tail snipped>

stacks look like


http://crash-stats.mozilla.com/report/index/be32c38f-13cf-4fbb-a3e6-b7b682100410

0  	notepad.dll  	notepad.dll@0x40f7  	
1 	notepad.dll 	notepad.dll@0x4172 	
2 	notepad.dll 	notepad.dll@0x4108 	
3 	notepad.dll 	notepad.dll@0x4172 	
4 	notepad.dll 	notepad.dll@0x289c 	
5 		@0x0 	
6 		@0x1648df6f 	
7 	nspr4.dll 	_PR_MD_RECV 	nsprpub/pr/src/md/windows/w95sock.c:327
8 	nspr4.dll 	SocketRead 	nsprpub/pr/src/io/prsocket.c:657
9 	xul.dll 	nsSocketInputStream::Read 	netwerk/base/src/nsSocketTransport2.cpp:353
10 	xul.dll 	nsHttpConnection::OnWriteSegment 	netwerk/protocol/http/src/nsHttpConnection.cpp:632
11 	xul.dll 	nsHttpTransaction::WritePipeSegment 	netwerk/protocol/http/src/nsHttpTransaction.cpp:499
12 	xul.dll 	nsPipeOutputStream::WriteSegments 	xpcom/io/nsPipe3.cpp:1137
13 		@0x93 	
14 	xul.dll 	nsHttpTransaction::WriteSegments 	netwerk/protocol/http/src/nsHttpTransaction.cpp:525
15 	xul.dll 	nsHttpConnection::OnSocketReadable 	netwerk/protocol/http/src/nsHttpConnection.cpp:648
16 	xul.dll 	nsHttpConnection::OnInputStreamReady 	netwerk/protocol/http/src/nsHttpConnection.cpp:762
17 	xul.dll 	nsSocketInputStream::OnSocketReady 	netwerk/base/src/nsSocketTransport2.cpp:256
18 	xul.dll 	nsSocketTransport::OnSocketReady 	netwerk/base/src/nsSocketTransport2.cpp:1519
19 	xul.dll 	nsSocketTransportService::DoPollIteration 	netwerk/base/src/nsSocketTransportService2.cpp:674
20 	xul.dll 	nsSocketTransportService::OnProcessNextEvent 	netwerk/base/src/nsSocketTransportService2.cpp:538
21 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:508
22 	xul.dll 	NS_ProcessPendingEvents_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:200
23 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
24 	xul.dll 	nsSocketTransportService::Run 	netwerk/base/src/nsSocketTransportService2.cpp:581
25 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
26 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
27 	xul.dll 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:254
28 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
29 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
30 	mozcrt19.dll 	_callthreadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
31 	mozcrt19.dll 	_threadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
32 	kernel32.dll 	BaseThreadStart

more at

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=notepad.dll@0x40f7 and http://crash-stats.mozilla.com/query/query?product=Firefox&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=startswith&query=notepad.dll&build_id=&process_type=all&do_query=1

only defense might be to instruct users to check and remove.
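A triage sketch for stacks like the one quoted above, added here as an example and not part of the original report or of Mozilla's crash tooling: it finds the unsymbolicated module on top of the stack and the first Firefox frame beneath it. The `FIREFOX_MODULES` set and the function names are assumptions made for this example; the frames are copied from the report linked above.

```python
import re

# Frames 0-8 of the crash report quoted above (tab-separated: index, module, signature, source).
STACK = """\
0\tnotepad.dll\tnotepad.dll@0x40f7\t
1\tnotepad.dll\tnotepad.dll@0x4172\t
2\tnotepad.dll\tnotepad.dll@0x4108\t
3\tnotepad.dll\tnotepad.dll@0x4172\t
4\tnotepad.dll\tnotepad.dll@0x289c\t
5\t\t@0x0\t
6\t\t@0x1648df6f\t
7\tnspr4.dll\t_PR_MD_RECV\tnsprpub/pr/src/md/windows/w95sock.c:327
8\tnspr4.dll\tSocketRead\tnsprpub/pr/src/io/prsocket.c:657
"""

# Assumption for this example: the Firefox-shipped modules seen in the stack on this page.
FIREFOX_MODULES = {"xul.dll", "nspr4.dll", "mozcrt19.dll"}
RAW_ADDR = re.compile(r"^(?:[\w.]+)?@0x[0-9a-f]+$", re.I)  # "module@0x..." or bare "@0x..."

def parse_frames(text):
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        cols += [""] * (4 - len(cols))  # pad rows that lack a source column
        frames.append({"idx": int(cols[0]), "module": cols[1], "sig": cols[2], "src": cols[3]})
    return frames

def triage(frames):
    """Return the foreign module on top of the stack and the first Firefox frame beneath it."""
    top = frames[0]
    if top["module"] in FIREFOX_MODULES or not RAW_ADDR.match(top["sig"]):
        return None  # top frame is symbolicated or belongs to Firefox itself
    foreign, entry = [], None
    for f in frames:
        if f["module"] in FIREFOX_MODULES:
            entry = f
            break
        foreign.append(f)
    return {
        "module": top["module"],
        "foreign_frames": len(foreign),
        "unmapped_frames": sum(1 for f in foreign if not f["module"]),
        "entered_from": (entry["module"], entry["sig"]) if entry else None,
    }

if __name__ == "__main__":
    print(triage(parse_frames(STACK)))
```

For this stack the result shows seven non-Firefox frames, two of them with no module mapping, sitting directly on top of `_PR_MD_RECV` in nspr4.dll.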
(Reporter)

Comment 1

8 years ago
looks like it first appeared 12/09/2009

date     crashes at
         notepad.dll
20091201 0
20091202 0
20091203 0
20091204 0
20091205 0
20091206 0
20091207 0
20091208 8
20091209 30
20091210 31
20091211 33
20091212 38
20091213 82
20091214 151
20091215 252
20091216 351
20091217 313
20091218 309
(Assignee)

Updated

6 years ago
Crash Signature: [@ notepad.dll@0x40f7 ]

Comment 2

a year ago
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE