NOTE: Further investigation has revealed that all versions of Sothink Web Video Downloader are malware free. For more, read our update.
Issue
Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
Impact to users
If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does not remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections.
Status
This vulnerability is known to affect Firefox on Windows only, if either Master Filer or Version 4.0 of Sothink Web Video Downloader are installed. Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.
Credit
This issue was originally reported by CatThief.
Antivirus Software
Here is a list of antivirus programs known to detect the trojans found in the affected add-ons.
Antiy-AVL
Avast
AVG
GData
Ikarus
K7AntiVirus
McAfee
Norman
VBA32
ftofficer
wrote on
XtC4UaLL
wrote on
Omega X
wrote on
Gerv
wrote on
Pino
wrote on
Kirkburn
wrote on
Jorge
wrote on
Carl Chapman
wrote on
Olivier SC
wrote on
Alan Baxter
wrote on
Fred
wrote on
dan
wrote on
Kirkburn
wrote on
Andreas
wrote on
Jorge
wrote on
Herbert
wrote on
Toby
wrote on
Salih Emin
wrote on
Arc
wrote on
JohnT
wrote on
Nex Necis
wrote on
SF
wrote on
tttt
wrote on
Fred
wrote on
Calimo
wrote on
Ben Bucksch
wrote on
Ben Bucksch
wrote on
john
wrote on
an Opera User
wrote on
fred
wrote on
me3
wrote on
Daniel Molina Wegener
wrote on
Mark
wrote on
john
wrote on
gbell
wrote on
Alan Baxter
wrote on
A2D
wrote on
Horacio
wrote on
Paul
wrote on
LeomanBK
wrote on
Giorgos
wrote on
Manuel
wrote on
Barry
wrote on
victor
wrote on
me
wrote on
Jeshmal4u
wrote on
Alan Baxter
wrote on
32-bit enthusiast
wrote on
Greg Shoults
wrote on
Arthur
wrote on