The malware harvests web logins and passwords, which it forwards to a domain in Russia.
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.
It filters the URLs opened in the Mozilla Firefox browser, and whenever it encounters one of the following addresses it captures the login credentials.
List here.
When it runs on a PC, it registers itself in Firefox’s system files as “Greasemonkey,” a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.
Jeremy Kirk (IDG News Service) report: Network World






