Several of my clients have reported this trojan since Jan. 14th. It seems to be a variant of the Cool Web Search trojan, adapted for Firefox. Has anyone encountered this, and does anyone have advice for removal?
Point of entry: User receives an email with a "Reply-to" field entry of a known acquaintance, recommending a Firefox extension. User adds the extension to Firefox, usually some kind of search bar or weather service.
Behavior: Extension works, but one to several minutes after opening, three separate Firefox windows open and then each begins to spawn tabs. Several of the tabs contain what appear to be Google search results for various porn sites with addresses URL encoded, others contain series of links to porn and offshore gambling sites. Subsequent tabs appear to be the pages linked to by the first tabs. When user closes tabs, new ones are spawned, making closure extremely difficult. Many tabs contained direct links to media such as WMVs and pictures.
The extension also appears to monitor whether the user visits common mail servers like Yahoo and Gmail, and attempts to load email addresses out of the pages viewed. Does not appear to have a key listener component or a local directory search.
Likely intent: We guess that it is attempting to simulate click-throughs from different users, to augment Google search placement and to generate revenue directly from sites paying per click for advertising.
Countermeasures: Removed Firefox completely from system using Erase Beyond Recovery mode, and all temporary file areas. Note - did not appear in HijackThis.