A Firefox Trojan forces the browser to save user passwords and then uses those passwords to create a new user account on the infected computer. Most security minded folks recommend not to save browser passwords, since they are so easily extracted. The Trojan-PWS-Nslog phishing tool discovered by security company Webroot gets around user preferences altogether by actually deactivating the Firefox option that the user whether it should save passwords when the user logs into a secure site.
The Trojan creates a new account under the name “Maestro” on the infected computer, and scrapes information from the registry, from the so-called Protected Storage area used by IE to store passwords, and from Firefox’s own password storage, and tries to pass the stolen information to a malicious domain, once per minute. The domain intended to receive the stolen data has already been shut down. Code inside the malware revealed the author’s name and email address, which led Webroot to a Facebook page for a hacker based in Iran who provides a free keylogger creator tool targeting users of Microsoft Windows.
TechWorld has more details and advice on how to clean an infected browser.