A freely available Trojan has been circulated that steals passwords stored within Firefox, Internet Explorer and the Windows Registry, security company Webroot reported last Wednesday.
The Trojan, which Webroot named Trojan-PWS-Nslog, modified a core Firefox file — nsLoginManagerPrompter.js — to make the web browser automatically save users' login credentials without asking their consent. It also took information from Internet Explorer's password storage area, along with the Windows Registry. The web server that the Trojan sent its data to is no longer active, according to Webroot.
Upon analysing the Trojan's source code, Webroot found that it contained the creator's name and email address. With this, they were able to track the creator to a message board, where it became apparent that he had distributed the Trojan as a free download. Webroot eventually found his Facebook profile, and discovered that he was based in Kiraj, Iran.
Though Webroot and other antivirus companies can detect and remove the Trojan, they cannot fix the modified file, Webroot said. However, downloading a new Firefox installer will, during the installation process, naturally overwrite the modified file.
Neither Microsoft nor the Mozilla Foundation had issued Trojan-specific patches at the time of writing.