Firefox hangs because of malware

In the last few weeks, starting from the end of March, we noticed a strange spike in requests on the Italian support forum. The symptoms described were always the same:

  • Pages stop loading after a few minutes of normal browsing.
  • When the user tries to restart the browser he gets the error message “Firefox is already running but is not responding“.
  • Other browsers on the same system are not affected and work without problems.

Since Firefox stopped working at the same time of the Firefox 3.0.8 release, a lot of people thought that the problem was caused by the last update, so they were searching the best way to go back to a previous version.

The usual solutions were not effective: safe-mode, disable plug-ins, temporarily disable antivirus and firewall, reinstall the last version in a different folder, create a new profile.

From the beginning we were able to restrict the problem to the Windows platform, so we thought of some sort of malware. By the evidences we’ve collected so far, the problem seems to be caused by a variant of the Navipromo Adware, not identified by most of the antivirus softwares (see this virus total’s analysis).

Users found suspect files in the local %Appdata% folder (C:\Documents and Settings\%User%\Local Settings\Application Data on Windows XP, C:\Users\%user%\AppData on Windows Vista):

  • [random_name].exe
  • [name_of_exe].dat
  • [name_of_exe]_nav.dat
  • [name_of_exe]_navps.dat

After killing the .exe process in Task Manager, Firefox returns to its normal behavior.

There are still two unanswered questions:

  • Why does only Firefox (and not other browsers) hang?
  • Why now and so hard in Italy? This adaware seems to be quite old.

If you’re interested, there’s a bug and an ongoing discussion on the SUMO Contributors’ forum.

Thanks to all the guys of the Italian project and SUMO for the support and the great team work of the last days 😉

Technorati Tags: , ,