We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

ابحث في الدعم

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

14.0.1 is prone to virus infection

more options

Hi, Last night while browing several websites at once, nod32 detected and stopped a virus. A virus that had made its way to C:\.....Local Settings\Application Data\{6182CAA3-E057-11E1-8270-B8AC6F996F26} The virus was Redirector.NIQ trojan. (a nasty one)

At the time, I didn't think it entered through firefox, but today.. that opinion's changed. I opened the quarantined virus file in notepad and I see this...

<?xml version="1.0" encoding="utf-8"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">

<Description about="urn:mozilla:install-manifest">
    <em:name>Mozilla Safe Browsing</em:name>
    <em:version>2.0.14</em:version>
    <em:type>2</em:type>
    <em:id>{6182CAA3-E057-11E1-8270-B8AC6F996F26}</em:id>
    <em:creator>Mozilla Corp.</em:creator>
    <em:description>Warns the user when visiting a fake or compromised site.</em:description>
.......


Now i'm not sure where to submit this but that virus has found a way to trick Firefox into doing it's dirty work for it.

The file and it's folder was created last night at the same time my antivirus picked it up.

Hi, Last night while browing several websites at once, nod32 detected and stopped a virus. A virus that had made its way to C:\.....Local Settings\Application Data\{6182CAA3-E057-11E1-8270-B8AC6F996F26} The virus was Redirector.NIQ trojan. (a nasty one) At the time, I didn't think it entered through firefox, but today.. that opinion's changed. I opened the quarantined virus file in notepad and I see this... <br /><br /> <pre><nowiki><?xml version="1.0" encoding="utf-8"?> <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#"> <Description about="urn:mozilla:install-manifest"> <em:name>Mozilla Safe Browsing</em:name> <em:version>2.0.14</em:version> <em:type>2</em:type> <em:id>{6182CAA3-E057-11E1-8270-B8AC6F996F26}</em:id> <em:creator>Mozilla Corp.</em:creator> <em:description>Warns the user when visiting a fake or compromised site.</em:description> </nowiki></pre>....... Now i'm not sure where to submit this but that virus has found a way to trick Firefox into doing it's dirty work for it. The file and it's folder was created last night at the same time my antivirus picked it up.

Modified by cor-el

All Replies (3)

more options

Malware masquerading under a comforting name or borrowing text strings from other software isn't a new trick, although this particular one might be new.

Is that the full path, i.e., it is directly under Application Data rather than a Mozilla folder? I don't think Firefox writes to that location, or lets web pages write to that location. Add-ons might be to do that, however.

Can you verify that your plugins are up-to-date? See:

http://www.mozilla.org/plugincheck/

Also, you can check for updates to your add-ons using the "gear" icon here:

orange Firefox button or classic Tools menu > Add-ons

While you're there, check the Extensions list for anything nonessential or suspicious and disable it.

more options

It was in the c:\documents and settings..................

As for the plugins, outdated ms silverlight, shockwave flash and acrobat. Java is so old, firefox has had it disabled for months. Quicktime disabled too.

As for the other plugins, Windows Media Player Plug-in Dynamic Link Library DivX Web Player Google Talk Plugin Google Talk Plugin Video Accelerator Microsoft® DRM Windows Presentation Foundation iTunes Application Detector

As for extensions.. the only thing I have active in there is all-in-one gestures (mouse gestures).

I can try finding the exact website again or try un-quaranteeing the file and looking at it from notepad but I don't trust windows to only read and not load.

Also, I forgot to mention, the file nod32 blocked was called install.rdf I see that file name is typical for a mozilla install manifest.

more options

.rdf files are not executable in Windows, but I wouldn't open them in a browser.

Definitely want to update your Flash to something secure, either 10.3 or 11.3.