User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.772.0 Safari/535.1 Build Identifier: 3.6.17 When accessing the mentioned URL, a malware virus automatically executes. It leaves a 0.xxxx.exe (where x are random numbers) in the Firefox main folder, and changes a lot of Windows setting to make it very hard to remove. It instantly executes itself displaying a blue windows with foreign chars (undisplayabled in my computer) that won't let you move your mouse away from it. After a big cleaning, I was able to reproduce it using a sandbox, and I notice after loading the page, the plugin-container.exe will execute, then the java plugin and the flash plugin, the the 0.xxx executable, and the of course the virus will take control. Reproducible: Always Steps to Reproduce: 1. Open Firefox 3.6.17 2. Go to http://crimelend.ru/jobsearch 3. wait a few seconds Actual Results: The virus will execute and take control of the machine. Please test it inside a sandbox. Expected Results: Not allow a virus to execute without even clicking on anything! All my information from my firefox intallation in case there is any plugin affecting this problem: Configuración básica de la aplicación Nombre Firefox Versión 3.6.17 Directorio de perfil Abrir la carpeta que lo contiene Plugins instalados about:plugins Configuración de compilación about:buildconfig Extensiones Nombre Versión Activada ID British English Dictionary 1.19.1 true en-GB@dictionaries.addons.mozilla.org Diccionario de Español/España 1.3.1 true es-es@dictionaries.addons.mozilla.org FlashGot 1.2.8.5 true {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} Free Download Manager plugin 1.3.1 false fdm_ffext@freedownloadmanager.org Google Web Toolkit Developer Plugin for Firefox 1.0.9863 true gwt-dev-plugin@google.com Java Console 6.0.15 true {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} LogMeIn, Inc. Remote Access Plugin 1.0.0.406 false LogMeInClient@logmein.com Microsoft .NET Framework Assistant 1.2.1 true {20a82645-c095-46ed-80e3-08825760534b} NoScript 2.1.0.1 false {73a6fe31-595d-460b-a920-fcc0f8843232} Skype extension for Firefox 2.2.0.102 true {B13721C7-F507-4982-B2E5-502A71474FED} Firebug 1.6.2 true firebug@software.joehewitt.com Java Console 5.0.12 true {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} Preferencias modificadas Nombre Valor accessibility.typeaheadfind.flashBar 0 browser.history_expire_days.mirror 180 browser.places.importBookmarksHTML false browser.places.importDefaults false browser.places.leftPaneFolderId -1 browser.places.migratePostDataAnnotations false browser.places.smartBookmarksVersion 2 browser.places.updateRecentTagsUri false browser.startup.homepage http://www.google.com/ig browser.startup.homepage_override.mstone rv:1.9.2.17 dom.max_script_run_time 1800 extensions.lastAppVersion 3.6.17 general.useragent.extra.microsoftdotnet ( .NET CLR 3.5.30729) network.cookie.prefsMigrated true network.protocol-handler.warn-external.sop false network.protocol-handler.warn-external.tvants false network.protocol-handler.warn-external.tvu false places.last_vacuum 1305256075 print.print_bgcolor false print.print_bgimages false print.print_command print.print_downloadfonts true print.print_evenpages true print.print_in_color true print.print_margin_bottom 0.5 print.print_margin_left 0.5 print.print_margin_right 0.5 print.print_margin_top 0.5 print.print_oddpages true print.print_orientation 0 print.print_pagedelay 500 print.print_paper_data 0 print.print_paper_height 11,00 print.print_paper_size 7536685 print.print_paper_size_type 1 print.print_paper_size_unit 0 print.print_paper_width 8,50 print.print_printer Bullzip PDF Printer print.print_reversed false print.print_scaling 1,00 print.print_shrink_to_fit true print.print_to_file false print.printer_Bullzip_PDF_Printer.print_bgcolor false print.printer_Bullzip_PDF_Printer.print_bgimages false print.printer_Bullzip_PDF_Printer.print_command print.printer_Bullzip_PDF_Printer.print_downloadfonts true print.printer_Bullzip_PDF_Printer.print_evenpages true print.printer_Bullzip_PDF_Printer.print_footercenter print.printer_Bullzip_PDF_Printer.print_footerleft &PT print.printer_Bullzip_PDF_Printer.print_footerright &D print.printer_Bullzip_PDF_Printer.print_headercenter print.printer_Bullzip_PDF_Printer.print_headerleft &T print.printer_Bullzip_PDF_Printer.print_headerright &U print.printer_Bullzip_PDF_Printer.print_in_color true print.printer_Bullzip_PDF_Printer.print_margin_bottom 0.5 print.printer_Bullzip_PDF_Printer.print_margin_left 0.5 print.printer_Bullzip_PDF_Printer.print_margin_right 0.5 print.printer_Bullzip_PDF_Printer.print_margin_top 0.5 print.printer_Bullzip_PDF_Printer.print_oddpages true print.printer_Bullzip_PDF_Printer.print_orientation 1 print.printer_Bullzip_PDF_Printer.print_pagedelay 500 print.printer_Bullzip_PDF_Printer.print_paper_data 1 print.printer_Bullzip_PDF_Printer.print_paper_height 11,00 print.printer_Bullzip_PDF_Printer.print_paper_size 7536685 print.printer_Bullzip_PDF_Printer.print_paper_size_type 0 print.printer_Bullzip_PDF_Printer.print_paper_size_unit 0 print.printer_Bullzip_PDF_Printer.print_paper_width 8,50 print.printer_Bullzip_PDF_Printer.print_reversed false print.printer_Bullzip_PDF_Printer.print_scaling 1,00 print.printer_Bullzip_PDF_Printer.print_shrink_to_fit true print.printer_Bullzip_PDF_Printer.print_to_file false print.printer_Generic_/_Text_Only.print_bgcolor false print.printer_Generic_/_Text_Only.print_bgimages false print.printer_Generic_/_Text_Only.print_command print.printer_Generic_/_Text_Only.print_downloadfonts true print.printer_Generic_/_Text_Only.print_evenpages true print.printer_Generic_/_Text_Only.print_footercenter print.printer_Generic_/_Text_Only.print_footerleft &PT print.printer_Generic_/_Text_Only.print_footerright &D print.printer_Generic_/_Text_Only.print_headercenter print.printer_Generic_/_Text_Only.print_headerleft &T print.printer_Generic_/_Text_Only.print_headerright &U print.printer_Generic_/_Text_Only.print_in_color true print.printer_Generic_/_Text_Only.print_margin_bottom 0.5 print.printer_Generic_/_Text_Only.print_margin_left 0.5 print.printer_Generic_/_Text_Only.print_margin_right 0.5 print.printer_Generic_/_Text_Only.print_margin_top 0.5 print.printer_Generic_/_Text_Only.print_oddpages true print.printer_Generic_/_Text_Only.print_orientation 0 print.printer_Generic_/_Text_Only.print_pagedelay 500 print.printer_Generic_/_Text_Only.print_paper_data 1 print.printer_Generic_/_Text_Only.print_paper_height 11,00 print.printer_Generic_/_Text_Only.print_paper_size 7536685 print.printer_Generic_/_Text_Only.print_paper_size_type 0 print.printer_Generic_/_Text_Only.print_paper_size_unit 0 print.printer_Generic_/_Text_Only.print_paper_width 8,50 print.printer_Generic_/_Text_Only.print_reversed false print.printer_Generic_/_Text_Only.print_scaling 1,00 print.printer_Generic_/_Text_Only.print_shrink_to_fit true print.printer_Generic_/_Text_Only.print_to_file true privacy.sanitize.migrateFx3Prefs true security.warn_viewing_mixed false

That page is a 404 - Not found. I see you have Java Console 5.0.12 in addition to 6.0.15. Please visit http://www.mozilla.com/en-US/plugincheck/ and see if all of your plugins are up to date. The latest Java in 6 update 25 and the latest flash is 10.3.181.14. If either are out of date, they are the likely causes of your infection. Please report back here on the versions of Flash and Java you were using before updating.

Sorry, I made a couple of mistakes. The correct site is http://crimelend.ru/jobseach.htm And the second started plugin was not flash but Acrobat Reader (my flash plugin was the updated 10.3.181.14 btw). My java plugin was 1.6.0.15. I updated it to 1.6.0.25 and when accessing the page, nothing happens now. My acrobat plugin is outdated and it's version 7.0.0. But with just the java plugin update the problem seems to be gone. Does it mean it was a java bug?

Sorry, I made a couple of mistakes. The correct site is http://crimelend.ru/jobseach.htm And the second started plugin was not flash but Acrobat Reader (my flash plugin was the updated 10.3.181.14 btw). My java plugin was 1.6.0.15. I updated it to 1.6.0.25 and when accessing the page, nothing happens now. My acrobat plugin is outdated and it's version 7.0.0. But with just the java plugin update the problem seems to be gone. Does it mean it was a java bug?

quite probably this is just a java based attack although many attack pages include several attacks. I'll marked this invalid and open it up. Be sure to update reader as well since it is a vector for attacks as well.