
Generic.dx!707DA3A8

What is Generic.dx!707DA3A8?

How does it affect your PC?

How to remove Generic.dx!707DA3A8?


What is Generic.dx!707DA3A8?

Discovered on the 4th of December 2008, Generic.dx!707DA3A8 is a Trojan, mainly a password stealer, with a size of 22,016 bytes. This malware attempts to obtain password information when users browse to certain Web sites by disguising itself as a Firefox plugin.

Aliases

Trojan.PWS.ChromeInject.B (BitDefender) (discovered on 2008 Nov 28)

Characteristics

The following are typical default values for the path variables used below (they may differ on a given system, but these examples are common):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)

%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

%ProgramFiles% = \Program Files

The following files have been added to the system:

%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll

%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js

%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.xul
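A defender-side check for the three file indicators listed above, added here as an example and not part of the original advisory. It assumes the directory that %ProgramFiles% resolves to is passed in as a path, that the dropped plugin carries the 22,016-byte size reported above, and that a stock Firefox install does not keep loose browser.js/browser.xul files under chrome\chrome\content (an assumption made for this example, not a claim the advisory makes).

```python
import tempfile
from pathlib import Path

# Indicators taken from the advisory: the dropped plugin and the two
# chrome content files. Firefox normally ships its browser chrome packed
# in a .jar, so loose files at this path are treated here as anomalous
# (assumption for this example).
FIREFOX_DIR = Path("Mozilla Firefox")
DROPPED_PLUGIN = FIREFOX_DIR / "plugins" / "npbasic.dll"
CHROME_CONTENT = [
    FIREFOX_DIR / "chrome" / "chrome" / "content" / "browser.js",
    FIREFOX_DIR / "chrome" / "chrome" / "content" / "browser.xul",
]
REPORTED_SIZE = 22016  # sample size stated in the advisory


def scan_firefox_install(program_files):
    """Return (indicator, detail) pairs found under program_files; [] if clean."""
    root = Path(program_files)
    findings = []
    plugin = root / DROPPED_PLUGIN
    if plugin.is_file():
        size = plugin.stat().st_size
        detail = ("size matches advisory" if size == REPORTED_SIZE
                  else f"size {size} differs from advisory")
        findings.append((str(DROPPED_PLUGIN), detail))
    for rel in CHROME_CONTENT:
        if (root / rel).is_file():
            findings.append((str(rel), "unpacked chrome content file present"))
    return findings


def build_constructed_tree(base):
    """Create a constructed (fake) Program Files tree mimicking the infection."""
    base = Path(base)
    plugin = base / DROPPED_PLUGIN
    plugin.parent.mkdir(parents=True, exist_ok=True)
    plugin.write_bytes(b"\x00" * REPORTED_SIZE)  # placeholder bytes, not malware
    for rel in CHROME_CONTENT:
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text("// constructed placeholder\n")
    return base


def run_demo():
    """Scan a clean constructed tree, then the infected one; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan_firefox_install(tmp)
        infected = scan_firefox_install(build_constructed_tree(tmp))
    return clean, infected


if __name__ == "__main__":
    for indicator, detail in run_demo()[1]:
        print(f"FOUND {indicator}: {detail}")
```

On a real host, call scan_firefox_install with the actual Program Files directory; a hit on the plugin with a different size still warrants a look, since only the one sample size is documented here.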


How does it affect your PC?

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain variants are also known to be installed via web exploits.

Generic.dx!707DA3A8 is typically downloaded onto Windows PCs already compromised by other strains of malware. Once installed, the Trojan sits in Firefox's plugins folder and is activated every time the browser is started. The backdoor code looks for data exchanged between the compromised machine and a pre-programmed list of banking sites in Europe, Australia and the US.

Once executed, this malware attempts to obtain credentials when an affected host browses to one of a pre-programmed list of online banking and payment sites in Europe, Australia and the US.

Harvested login credentials are captured and subsequently posted to a server located in Russia.


How to remove Generic.dx!707DA3A8?

Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
