This is the conclusion of Bkis R&D, the department specializing in virus research.



On February 04, 2010, Mozilla warned on its blog that two plug-ins for the Firefox browser contained Trojans. Specifically, version 4.0 of Sothink's Web Video Downloader contains Win32.LdPinch.gen, and Master Filer contains the Win32.Bifrose.32.Bifrose Trojan. Both add-ons have already been removed from the page (AMO).



According to Mozilla, computers on which these plug-ins are installed will be infected with malware. Uninstalling the plug-ins does not remove the virus completely; users have to scan their computers with antivirus software. Mozilla also said that many people have downloaded and installed these add-ons. According to AMO's statistics, "Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008."



Detection for PWS:Win32/Ldpinch.gen has been around since at least February 2008, and the Win32.Bifrose.32.Bifrose Trojan has been detected since 2006. So software containing malware that had been detectable for quite a long time has been uploaded since 2008, yet Mozilla did not recognize it. Previously, the Vietnamese language pack for Firefox 2 was infected with malicious code. That incident, together with the current one, has caused many people to doubt Mozilla's security competence.



Looking further into the two add-ons, we found the following information:



Plugin Master Filer: developed by Haklinim. On December 11, 2009, Xavius, an AMO user, warned that this plug-in was identified as a virus by Kaspersky. This is not a popular plug-in, and its developer is an individual who is not widely known. Mozilla has since removed this plug-in, so we do not have a download link to check it.





(Plugin Master Filer on AMO)



Plugin Sothink Web Video Downloader is the product of Source Tec, a Chinese company that specializes in Flash-related software. The company also mentions this issue on its blog and says that the detection is a false alarm from AVs, caused by its use of the Armadillo packer to pack the product. In addition, the product has been upgraded to version 5.7, and this version is not recognized as malware by AVs.



However, all the installation links for Sothink Web Video Downloader are currently still blocked by Mozilla.









(Plugin Sothink Web Video Downloader has been removed by Mozilla)




So what is the truth behind all of this? Is Sothink's plug-in for Firefox infected with malware?



Fortunately, we found the setup file of version 4.0 of Sothink's plug-in and scanned it with VirusTotal. The virus names, and the AVs that detect them, are the same as in Mozilla's description.


Result of add-on file scan


According to our analysis, this plug-in contains a component named nsCatcher.dll, and it is identified as Trojan/Win32.LdPinch.gen by AVs.


Reports of nsCatcher.dll file scan on Virustotal


We sent the nsCatcher.dll file to Bkis R&D for analysis. The result is that this is a clean file and it functions normally.





(PEiD recognizes this file as Armadillo)



The nsCatcher.dll file is packed with Armadillo. This coincides with Sothink's explanation.



So it can be concluded that Sothink's plug-in for Firefox is not malware. Some AVs have misidentified it as malware. Moreover, Firefox's warning about this plug-in is not completely correct.



Author: Le Minh Hung - Bkav TaskForce


