Interesting and frustrating Firefox Virus found...

TimeLord04
Volunteer tester
Joined: 11 Dec 06
Posts: 1980
Credit: 408,369
RAC: 0
United States
Message 15841 - Posted: 10 Mar 2007, 2:50:47 UTC
Last modified: 10 Mar 2007, 2:51:46 UTC

@ All Firefox users,

One or more "Add-ons" linked up at the Firefox Site are infected. I haven't nailed down which Add-on got me, (maybe several), but as I did a "bulk" Add-on session, (stupid me), now I have to track down which one of them installed "VB.AUG" onto Intrepid and Andromeda. (Two of my non-crunching machines.) According to my AVG Antivirus scan, (and elimination), this "VB.AUG" was installed today, and is defined as a "WORM". Unfortunately, Intrepid's Firefox 2.0.0.2 and 1.5 Versions are now totally hosed...

AVG completely isolated then deleted my Firefox 1.5 and the installer; then zapped the bugger at two other Firefox 2.0.0.2 file locations on Intrepid. I still can't get Firefox to run at this point... Andromeda is not yet that badly hosed. So far, the only file found on Andromeda that is infected is an unknown "e04b6noa.exe" file. I hope that means that my Firefox will continue to run on Andromeda. LOL At present, Andromeda is still being scanned. If anyone has any detailed info on "e04b6noa.exe", and if this is the source file of the "VB.AUG" WORM, please let me know which of the Add-ons did this. Let's get the word out to prevent this from happening to anyone else.

As mentioned, Intrepid is hosed; pertaining specifically to Firefox. I've uninstalled it, run Regedit to delete all Firefox entries, run AVG a second time, but to no avail... Firefox refuses to launch after reinstalling. So, my belief is that while AVG is preventing the VB.AUG WORM from spreading anywhere else, the dang thing is living in Memory and caching itself out to the HD on reboots... I can't get Firefox to work anymore. Maybe that's the point of this thing... Maybe someone wants to give Firefox a bad name and reputation... Let's stop that dead in its tracks!!!

<EDIT>

Found two more files on Andromeda; both from my Firefox 1.5.0... The dang WORM corrupted the Firefox 1.5 Installer and left a file in "Mozilla Cache and Trash" called "9FFF32D8d01". AVG is scrubbing Andromeda free of this thing as we speak... So far, Firefox 2.0.0.2 is still functioning; however, I haven't closed it out yet to try to relaunch it... Intrepid still is Firefox frozen... I did find that my old install of Mozilla 1.7.8 still works on Intrepid.

Let's nail the bugger that created this VB.AUG WORM!!!

</EDIT>


Thanks,


TimeLord04
Have TARDIS, will travel...
Come along K-9!
Join Calm Chaos
ID: 15841
Misfit
Volunteer tester
Joined: 15 Jun 05
Posts: 3400
Credit: 1,026,406
RAC: 0
United States
Message 15844 - Posted: 10 Mar 2007, 3:11:42 UTC - in response to Message 15841.

Before rebooting clear out your prefetch. When you reboot and scrub make sure you reboot in safe mode.

me@rescam.org
ID: 15844
James L. Neill
Volunteer tester
Joined: 24 Feb 07
Posts: 34
Credit: 122,893
RAC: 0
United Kingdom
Message 15930 - Posted: 11 Mar 2007, 12:18:46 UTC - in response to Message 15841.
Last modified: 11 Mar 2007, 12:20:24 UTC

Greetings Timelord04

It would be very useful if we could find out more info including what the worm does. Any chance of this?

Thanks

James

Oops! I tried Symantec and AVG without much success.
ID: 15930
TimeLord04
Volunteer tester
Joined: 11 Dec 06
Posts: 1980
Credit: 408,369
RAC: 0
United States
Message 15936 - Posted: 11 Mar 2007, 17:28:11 UTC - in response to Message 15930.
Last modified: 11 Mar 2007, 17:30:49 UTC

Greetings Timelord04

It would be very useful if we could find out more info including what the worm does. Any chance of this?

Thanks

James

Oops! I tried Symantec and AVG without much success.



hmmm... AVG is what told me on both computers that the virus is "VB.AUG". Oh, and I did manage to save Andromeda! Firefox 2.0.0.2 is working, and the virus/WORM is gone. Intrepid, however, is still Firefox challenged... I have resorted to setting Mozilla 1.7.8 as my default browser on Intrepid until I can get Firefox restored. <sigh>

As for what the WORM does; right now, I have no clue... It could just be some hacker who supports IE and has created a Firefox destroying virus; or, it could have just been random bad luck that Firefox was what got hosed on Intrepid... I'm just not sure, at the moment. I was hoping that someone else here had some additional info on "VB.AUG".

I spent yesterday and the day before updating all my systems, (antiques), due to the modified Daylight Savings Time situation(s). I just happened to be an unlucky ba****d who got hit with this thing.


<EDIT>

One more thing to note, Andromeda and Intrepid were clean prior to my updates the other day. In fact, they had been totally turned off and were unused for months until the mention of the new DST change(s). So, I know for fact that the virus/WORM hit for the first time on these machines the other day.

</EDIT>


Sincerely,


TimeLord04
Have TARDIS, will travel...
Come along K-9!
Join Calm Chaos
ID: 15936
littlegreenmanfrommars
Volunteer tester
Joined: 18 Nov 06
Posts: 86
Credit: 50,541
RAC: 0
Australia
Message 16813 - Posted: 22 Mar 2007, 7:17:17 UTC

Hi TL
I haven't been in the cafe for a while, so was intrigued to read your post...
Some points I thought I might add...

The VB.AUG may have a time/date related infection. Like a time bomb, it may have been programmed to go off at, before or after a given date/time, or even when a given application is started, or some other system event.

Therefore, it doesn't automatically follow that the add-ons were responsible.
The problem with being unable to use firefox after cleaning may be due to AVG actually locking the browser out, rather than the infection.

I've been told the "Professional" version of AVG is excellent, but if you are using the free version, I would be sceptical of its capabilities. I base this on an occasion when I found a mass infection of MYDOOM on a friend's computer, 18 months after MYDOOM had disappeared from the net!!!!! My friend had been using AVG for some time.

After all that, have you sorted the problem by now?? I hope you have. What did you have to do to correct things?
ID: 16813
keyboards
Volunteer tester
Joined: 11 Feb 06
Posts: 309
Credit: 4,022,545
RAC: 0
United States
Message 16960 - Posted: 23 Mar 2007, 19:20:56 UTC

TL -

According to This Forum on CNET, the worm detection by AVG is probably a false positive.

Don't know if that helps or not, but thought I'd pass it on.
!!Stupidity should be PAINFUL!!
ID: 16960
TimeLord04
Volunteer tester
Joined: 11 Dec 06
Posts: 1980
Credit: 408,369
RAC: 0
United States
Message 17090 - Posted: 25 Mar 2007, 15:44:49 UTC

Thanks for the information LGM and Keyboards. Yes, I too found the news that it is most likely a "false positive" by AVG. Newer "Updates" from AVG now report the originally claimed "Firefox 1.5.x and installer infection" by the alleged "VB.AUG" Worm as "clean". However, even after "restoring" the files, (following a scan and report of the files being clean), Firefox 1.5 and 2.0.x still refuse to function.

Upon attempting to launch Firefox, (any flavor), I get an hourglass at the mouse pointer for a short period of time and then nothing... No browser... However, in Task Manager, under "Processes", clearly the "firefox.exe" is there and running. This really has me stumped. I have uninstalled, reg-edited, manually deleted files and folders of the old Firefox installs; then, clean installed Firefox 2.0.x flavors, and still no joy. Firefox no longer runs on Intrepid. 8-(

Yet, the old Mozilla 1.7.8 functions without a hitch; so, now that has been made the default browser on Intrepid. All my other machines, (including Andromeda that also reported the alleged infection by AVG), still have Firefox 2.0.x functioning without problems of any kind.

The only difference on Intrepid is that she is an Intel Processor; all my other machines are various AMD Processors... Is this now a limitation caused by the "false positive" of AVG in combination with an Intel Chip??? I have no clue here... Firefox should run, (especially after a clean install of 2.0.x), yet it doesn't. 8-(


TimeLord04
Have TARDIS, will travel...
Come along K-9!
Join Calm Chaos
ID: 17090
littlegreenmanfrommars
Volunteer tester
Joined: 18 Nov 06
Posts: 86
Credit: 50,541
RAC: 0
Australia
Message 17193 - Posted: 27 Mar 2007, 7:44:44 UTC

Hi TL

Looks like Intrepid is in a bit of a pickle!

Many antivirus programs produce "false positives". Some deliberately so, others not.

Some software producers and other organisations have an interest in removing certain kinds of software from use. (e.g. Peer-to-Peer apps, such as the old Morpheus, Kazaa, etc) Many antivirus (AV) programs will detect these, and declare them as trojans, worms, etc, in order to scare the user into deleting them. They hope this way, they will reduce the amount of piracy of software and other copyrighted material.

The next possible cause of false positives is "heuristics", which is a system used by AV apps to detect unknown "Malware". It uses the principle: "If it behaves like a virus, then it IS a virus!" Setting this to high results in a paranoid AV app!

Hazarding a guess, I'd say your AVG has done the latter, and has possibly written or deleted settings in Intrepid's registry that prevent Firefox from installing/running correctly. I doubt most registry repair apps would be able to right this.

If you are running Windows XP or (shudder) Me, you may be able to use the system restore facility to return your system to a day or two before AVG clobbered Firefox. I would suggest disabling AVG before you do this, as system restore may also return AVG to the state where it will clobber Firefox again!

If you can re-enable Firefox this way, try running it with AVG switched off, then update Firefox, if necessary, then update AVG. Then re-enable AVG and try that.

If all else fails, an XP installation can often be repaired without reformatting your HDD. You will need the original installation CD, and possibly a Windows recovery Floppy disk. (Try Googling for one, if you don't feel confident of making one yourself.)

On the other hand, at least you still have a working browser!

Oh... another option can be to use the Add or remove programs function in Control Panel to Repair Firefox. Not always successful, as Microsoft automatically blames Firefox for everything, and may not wish to do the job, but hey! You have little to lose!

Good luck, mate!
ID: 17193
Stealth Eagle*
Volunteer tester
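The post above makes the defender's point that a single scanner's verdict, especially a heuristic one, is not proof of infection. The check a practitioner would want before deleting a quarantined installer is to compare the file's SHA-256 with the checksum the vendor publishes for that release and to see whether a second engine agrees. The following is an added example, not code from the thread or from AVG, Symantec or Mozilla; the installer bytes, the allowlist and the engine counts are constructed stand-ins so it runs offline. A real triage would fill KNOWN_GOOD from the vendor's published checksum list for the exact version installed.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-ins for file contents; a real check hashes the actual
# quarantined file on disk and compares against the vendor's published checksum.
SAMPLE_INSTALLER = b"MZ\x90\x00" + b"constructed-installer-payload" * 64
SAMPLE_UNKNOWN = b"MZ\x90\x00" + b"constructed-unknown-binary" * 64

# Constructed allowlist: SHA-256 -> description of the release it belongs to.
# In practice this comes from the vendor's checksum file for that exact build.
KNOWN_GOOD = {
    hashlib.sha256(SAMPLE_INSTALLER).hexdigest(): "Firefox Setup (constructed sample)",
}


@dataclass(frozen=True)
class Verdict:
    category: str   # "false_positive", "unconfirmed" or "confirmed"
    sha256: str
    reason: str


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(path, engines_flagging, known_good=KNOWN_GOOD):
    """
    Decide what to do with a file a scanner has quarantined.

    engines_flagging is the number of independent scanners that report the file.
    The thread's situation is 1: AVG alone, with Symantec/Norton not agreeing.
    """
    digest = sha256_file(path)
    if digest in known_good:
        # The bytes are exactly the vendor's release: restore it and report the
        # detection to the AV vendor so the signature gets corrected.
        return Verdict("false_positive", digest,
                       f"matches published checksum for {known_good[digest]}; "
                       "restore from quarantine and report to the AV vendor")
    if engines_flagging <= 1:
        # One heuristic hit and no checksum match is inconclusive: leave it
        # quarantined and rescan once definitions have been updated.
        return Verdict("unconfirmed", digest,
                       "single-engine detection, no checksum match; "
                       "keep quarantined and rescan after a definition update")
    return Verdict("confirmed", digest,
                   f"{engines_flagging} engines agree and no checksum match; keep quarantined")


def write_sample(data):
    """Write constructed bytes to a temporary file so the example runs offline."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".exe")
    tmp.write(data)
    tmp.close()
    return Path(tmp.name)


if __name__ == "__main__":
    cases = ((SAMPLE_INSTALLER, 1), (SAMPLE_UNKNOWN, 1), (SAMPLE_UNKNOWN, 3))
    for data, engines in cases:
        verdict = triage(write_sample(data), engines)
        print(f"{verdict.category:15} {verdict.sha256[:16]}...  {verdict.reason}")
```

The three categories map onto the thread: the Firefox installer AVG flagged would hash to the published checksum and come back as a false positive without waiting for a definition update; an unknown file such as the one in the browser cache, flagged by one engine only, stays quarantined but is not treated as proven malware; only agreement between engines with no checksum match is treated as confirmed.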
Joined: 12 Feb 06
Posts: 1755
Credit: 47,656
RAC: 0
United States
Message 17313 - Posted: 29 Mar 2007, 1:26:05 UTC - in response to Message 15841.
Last modified: 29 Mar 2007, 1:42:48 UTC

Timelord

Go to Norton's web site, and on their security page they have an online virus scanner that is VERY good. Run the scan and it should tell you what you have and don't have on your system. Sometimes they also have special removal tools that you can download that will get rid of specific problems.

Good luck,

RK

btw. UOTD 03/28/07 ;-D

<Edit>

I tried AVG for a while and found that it would not clean my computer of the crap that I had gotten, and it was reporting things that when I scanned with my Norton were Not there. So I dumped it and went back to Norton, which I have found to be the best of them out there, as long as you keep the defs. updated. This is after over fifteen years of use. If you email me @ rkinkead at charter dot net, I will give you some examples of why I say this.

</Edit>

@ All Firefox users,

One or more "Add-ons" linked up at the Firefox Site are infected. I haven't nailed down which Add-on got me, (maybe several), but as I did a "bulk" Add-on session, (stupid me), now I have to track down which one of them installed "VB.AUG" onto Intrepid and Andromeda. (Two of my non-crunching machines.) According to my AVG Antivirus scan, (and elimination), this "VB.AUG" was installed today, and is defined as a "WORM". Unfortunately, Intrepid's Firefox 2.0.0.2 and 1.5 Versions are now totally hosed...

AVG completely isolated then deleted my Firefox 1.5 and the installer; then zapped the bugger at two other Firefox 2.0.0.2 file locations on Intrepid. I still can't get Firefox to run at this point... Andromeda is not yet that badly hosed. So far, the only file found on Andromeda that is infected is an unknown "e04b6noa.exe" file. I hope that means that my Firefox will continue to run on Andromeda. LOL At present, Andromeda is still being scanned. If anyone has any detailed info on "e04b6noa.exe", and if this is the source file of the "VB.AUG" WORM, please let me know which of the Add-ons did this. Let's get the word out to prevent this from happening to anyone else.

As mentioned, Intrepid is hosed; pertaining specifically to Firefox. I've uninstalled it, run Regedit to delete all Firefox entries, run AVG a second time, but to no avail... Firefox refuses to launch after reinstalling. So, my belief is that while AVG is preventing the VB.AUG WORM from spreading anywhere else, the dang thing is living in Memory and caching itself out to the HD on reboots... I can't get Firefox to work anymore. Maybe that's the point of this thing... Maybe someone wants to give Firefox a bad name and reputation... Let's stop that dead in its tracks!!!

<EDIT>

Found two more files on Andromeda; both from my Firefox 1.5.0... The dang WORM corrupted the Firefox 1.5 Installer and left a file in "Mozilla Cache and Trash" called "9FFF32D8d01". AVG is scrubbing Andromeda free of this thing as we speak... So far, Firefox 2.0.0.2 is still functioning; however, I haven't closed it out yet to try to relaunch it... Intrepid still is Firefox frozen... I did find that my old install of Mozilla 1.7.8 still works on Intrepid.

Let's nail the bugger that created this VB.AUG WORM!!!

</EDIT>


Thanks,
What you do today you will have to live with tonight
ID: 17313
Red Atomic
Volunteer tester
Joined: 2 Feb 07
Posts: 259
Credit: 45,061
RAC: 0
Australia
Message 17316 - Posted: 29 Mar 2007, 1:38:42 UTC

Congratulations Robert, UOTD. Have a great day.

Red Atomic
The older I get, the better I was.
ID: 17316
Stealth Eagle*
Volunteer tester
Joined: 12 Feb 06
Posts: 1755
Credit: 47,656
RAC: 0
United States
Message 17350 - Posted: 29 Mar 2007, 6:20:30 UTC - in response to Message 17316.

Congratulations Robert, UOTD. Have a great day.


Thanks. :)

What you do today you will have to live with tonight
ID: 17350

©2021 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.