mozillaZine posted an article/warning on Thursday, July 27th, regarding a Trojan Horse Mozilla Firefox extension. The Trojan Horse, dubbed FormSpy by McAfee and Troj/FireSpy-A by Sophos, is installed by a piece of Windows malware known as Downloader-AXM, which is used to download and install various Trojan Horses. For Firefox users, it downloads and silently installs (bypassing the installation warning) a modified version of the Numbered Links 0.9 extension. While Numbered Links 0.9 is a legitimate extension, the Trojan version will capture banking info along with passwords entered in Firefox, as well as those for ICQ, IMAP, FTP and POP3, and send them to a remote computer.
So, you ask, how does this happen, and how does Downloader-AXM get onto a user's computer? The process is quite simple and yet avoidable. Downloader-AXM arrives as an attachment to an e-mail claiming to be an order confirmation from WalMart.com. When users open the attachment, Downloader-AXM is installed, and it then scans the computer for software it can exploit. It is also known to take advantage of a 3-year-old exploit in IE. If you are running Firefox, FormSpy will install the modified Numbered Links 0.9 extension.
To check for infection, simply review your extensions list via the Tools menu and Extensions (note: FF 2.0 users select Add-Ons). If Numbered Links is in the list and you did NOT install this extension previously, chances are your computer is infected. Take a look at McAfee's virus profile of FormSpy for more information.
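The same check can be scripted by reading each extension's manifest from the profile folder. The following is an added example, not code from mozillaZine, McAfee or Mozilla; it assumes the legacy layout `<profile>/extensions/<id>/install.rdf` and that the Trojan copy keeps the "Numbered Links" name, and the profile it builds for the demo (IDs, second extension) is constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"  # namespace of install.rdf fields
SUSPECT_NAME = "numbered links"  # extension name from the article, lower-cased
MANIFEST = ('<?xml version="1.0"?><RDF xmlns="%s" xmlns:em="%s">'
            '<Description about="urn:mozilla:install-manifest"><em:id>%%s</em:id>'
            '<em:name>%%s</em:name><em:version>%%s</em:version></Description></RDF>'
            % (RDF_NS, EM_NS))

def read_manifest(path):
    """Return id/name/version from one install.rdf, or None if missing or unparsable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root:
        # Only the top-level manifest node; targetApplication nodes carry their own em:id.
        about = desc.get("{%s}about" % RDF_NS) or desc.get("about")
        if about == "urn:mozilla:install-manifest":
            tags = {k: "{%s}%s" % (EM_NS, k) for k in ("id", "name", "version")}
            # Fields may be written as attributes or as child elements.
            return {k: desc.get(t) or (desc.findtext(t) or "").strip() for k, t in tags.items()}
    return None

def list_extensions(profile_dir):
    """List extensions in a profile and mark any whose name matches SUSPECT_NAME."""
    ext_root = os.path.join(profile_dir, "extensions")
    found = []
    for entry in (sorted(os.listdir(ext_root)) if os.path.isdir(ext_root) else []):
        info = read_manifest(os.path.join(ext_root, entry, "install.rdf"))
        if info:
            info["suspect"] = SUSPECT_NAME in info["name"].lower()
            found.append(info)
    return found

def make_sample_profile():
    """Build a constructed profile holding two made-up extensions for the demo."""
    profile = tempfile.mkdtemp()
    samples = [("{00000000-0000-0000-0000-000000000001}", "Numbered Links", "0.9"),
               ("sample@example.invalid", "Sample Tab Helper", "1.0")]
    for ext_id, name, version in samples:
        ext_dir = os.path.join(profile, "extensions", ext_id)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w") as fh:
            fh.write(MANIFEST % (ext_id, name, version))
    return profile

if __name__ == "__main__":
    for ext in list_extensions(make_sample_profile()):
        print(ext)
```

A flagged entry only means an extension with that name is present; as above, what matters is whether you installed it yourself.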
A couple of things to keep in mind: McAfee has declared FormSpy a low-risk virus. Further, the only way FormSpy is going to get on your machine is if you open the e-mail attachment from the bogus WalMart.com e-mail. Most users know better than to open e-mail attachments, and most anti-virus programs scan incoming e-mail attachments.