Trojan Hides Itself as Firefox Extension

Security firm McAfee warned of a new trojan that installs itself as a Firefox extension on Tuesday, saying it had found Web sites linking to a virus known as FormSpy. Once loaded on the infected computer, the trojan begins sending personal information entered in the Web browser to a malicious site.

"This information can include, but is not limited to, credit numbers, passwords, e-banking pin numbers" and other sensitive information, McAfee warned. The firm said the application is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.


The issue is considered "low-risk," and those with current DAT files would not be susceptible to infection. The trojan requires another piece of malware, called "Downloader-AXM" to work, and McAfee has already added protection against that virus. However, McAfee says it does continue to circulate in the wild.

Web sites have been discovered linking to the Trojan which is hosted at the IP address 81.95.xx.xx. It is installed using an exploit for Internet Explorer known as VBS/Psyme. The exploit is detectable through Internet Explorer with VirusScan enabled, and the FormSpy Trojan is detectable through the latest DAT file.

"AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination," McAfee said.

87 Responses to Trojan Hides Itself as Firefox Extension

© 1998-2022 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.