DNS-malware infects Firefox users: http://blog.webroot.com/2009/03/25/new-malware-ruins-firefox/
The first malware here is a DNSChanger malware variant, a browser hijacking tool. Once active the malware will install a DLL fiel to run under components in the Firefox process. Just like DNSChanger it will alter Google search results as those of Yahoo’s and other search-engines and sends the search queries to an Ukrain server.
The second Firefox specific malware only working under Firefox 3.x, is a plugin by the name of PlayMP3z. This plugin uses an extensive EULA that clearly states it is adware. During being installed it tries to install the Mirar toolbar. Who prevents this one from installing will be treated to another piece of adware, by the name of Foxicle. This adware will launch various popups as well as popunder ads. Both malware plugins cannot be traced in the Firefox. “While the spread of it is low at the moment an increase of it is being expected”, according to Brandts.
The researcher comments that the malware does not exploit a security leak or another bug in Firefox, but comes with other malware.
This is the malicious dll inside the components folder in Firefox 3.x: C:\Program Files\Mozilla Firefox\components\iamfamous.dll and that starts running whenever Fx 3.x is launched
I got this trojan; detected it this morning, but now that I know the symptoms I realize it has been running for at least two days.
I’ve cleaned the system using MBAM quick scan and am now doing a deep scan with MBAM.
How did I get this trojan? I am certain I did not install the PlayMP3z plugin. I am running a fully updated Avast! Free (at least, it was fully updated until the trojan got into the system.)
