Thanks a lot to our reader David who took the time to analyze this in more detail. It appears to be a "harmless" plugin / maybe adware. But no passwords are stolen this time. Thanks!

A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as attachement. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glanze at it, the extension may try to steal the content of form fields.

The origin appears to be russian. The link went to ht tp : //qs-s.  nm.  ru (again: inserted spaces to protect the innocent)

The e-mail:

Subject
We have received mnoey. Here your book. Read and grow rich!
Body
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks for the person posting the comment below to point out I forgot to break up the second instance of the URL :-) ).

 Still working on exactly figuring out what this does. E.g. if it is just adware or actually steels passwords. May have to wait until I get home and get to run it in the lab.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute