The malware will, for instance, simply comment out Firefox's confirmation request in the nsLoginManagerPrompter.js file and add a line with automatic storage instructions. The H's associates at heise Security were able to reproduce the effect of the manipulations – manipulations which the malware author probably borrowed from a work around that has been in circulation since 2009.
The manipulation works on all platforms on which the Trojan has the rights to modify the nsLoginManagerPrompter.js file. In tests this worked on Windows XP, Windows 7 and Ubuntu 10.04.
Link to Original Source