Trojan.Chromeinject.A

Posted on: December 15th, 2008

Discovered: December 15, 2008
Known As:

Win32/ChromeInject.A1 [Computer Associates]

Type:

Trojan

Systems Affected:

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:
NoAdware can remove Trojan.ChromeInject.A.


Technical Details:

When executed, the Trojan searches the compromised computer for the location of the Mozilla Firefox browser and copies itself as the following files:

* %SystemDrive%\[PATH TO FIREFOX]\plugins\npbasic.dll
* %SystemDrive%\[PATH TO FIREFOX]\plugins\npbasic.dll1
* %Temp%\70B.tmp

It then modifies the following files in order to steal information from the compromised computer:

* %SystemDrive%\[PATH TO FIREFOX]\chrome\chrome\content\browser.js
* %SystemDrive%\[PATH TO FIREFOX]\chrome\chrome\content\browser.xul
* %SystemDrive%\[PATH TO FIREFOX]\chrome\browser.manifest

The Trojan attempts to steal sign-in information when the following domains are accessed using Mozilla Firefox:

The Trojan then sends the stolen information to one of the following locations:

* [http://]www.yandeeex.ru
* [http://]www.sss.re
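
A triage check built from the file artifacts listed above, as an added example that is not part of the original write-up: it looks for the dropped plugin copies and compares the three modified browser files against hashes from a clean install. The function names and the baseline mapping are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path

# Artifact paths from the write-up, relative to the Firefox install directory.
DROPPED = ["plugins/npbasic.dll", "plugins/npbasic.dll1"]
MODIFIED = [
    "chrome/chrome/content/browser.js",
    "chrome/chrome/content/browser.xul",
    "chrome/browser.manifest",
]


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_firefox(install_dir, baseline=None):
    """Return (dropped_files_found, changed_files) for one Firefox directory.

    baseline (assumption): {relative path: sha256} taken from a clean install
    of the same Firefox version. Without it, browser files are not judged.
    """
    root = Path(install_dir)
    dropped = [rel for rel in DROPPED if (root / rel).is_file()]
    changed = []
    for rel in MODIFIED:
        if baseline is None or rel not in baseline:
            continue
        target = root / rel
        # A missing file also counts as a deviation from the clean baseline.
        if not target.is_file() or sha256_of(target) != baseline[rel]:
            changed.append(rel)
    return dropped, changed


def temp_copy_present(temp_dir):
    """Check the user's temp directory for the 70B.tmp copy named above."""
    return (Path(temp_dir) / "70B.tmp").is_file()


if __name__ == "__main__" and len(sys.argv) > 1:
    print(triage_firefox(sys.argv[1]))
```

Any entry in the first list means the plugin copy is on disk; entries in the second list mean a browser file differs from the clean baseline and should be restored from a trusted installer.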

Trojan.Chromeinject.A is a Trojan horse that steals information from the compromised computer.
