If Mozilla included a virus in Firefox, I wouldn’t be suggesting bugfixes to make the virus more user friendly. I would point to the general ethos to not build viruses into their software.

The technical problem (i.e. the one relevant to the dev team) is how the virus got into the release product. If it was intentional, it's a management problem and there's no point in talking to the dev team further. If it was due to a breach in their infrastructure, then it absolutely is relevant to discuss w/ the dev team to ensure the breach is contained and fixed.

hardcoding an addon that promotes...

This again can be split into two groups:

• technical - opt-in vs opt-out may be a technical decision the devs can make; if it's opt-out, whether it collects information by default may be a dev decision
• management - whether it should be hard-coded, opt-in vs opt-out, collect user data or not, etc; there's no point in discussing these with the dev team once it's clear it's not their choice

Target the complains at the right group.