#1
Just found I have this trojan: Java.ByteVerify.exploit trojan. My eTrust AV program was unable to delete/rename it. How do I get rid of it? Thanks
__________________
Security
-Win 7 machine: Windows Firewall, Microsoft Security Essentials, Spywareblaster and Malwarebytes.
-Win XP machine: Windows Firewall, Eset Nod 32 and Spywareblaster.
#2
Sorry, should have given more info:
Win xp home + sp1 Dell 450 Pentium 2 450mhz 328mb ram
Also see attached log. Thanks.
#3
Philo,
In order to make sure (as much as possible) this isn't a false positive, use the free services available to check these particular files. Have a look over on our free services page.
Keep us posted.
regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#4
Try this:
Close all browsers, Start > Settings > Control panel > Java Plugin [version number] > Choose Cache and click remove JAR Cache.
__________________
Stop to warm at karmas burning
Or look ahead, but keep on turning
#5
Sorry Paul,
Didn't mean to get in your way.
#6
Quote:
Now you've done it - boss is coming after you!
microwave
#7
Thanks for the link to the free services page. Will do when I get home (at work right now). And double thanks for your quick response.
#8
Please let me begin with an apology for not being particularly computer literate...
I run Vet anti-virus software on my computer, and recently received notification of this trojan while doing a virus check. I did as you suggested, and performed an on-line scan which did not detect any problems. Interestingly, it appears that the offending folders, as identified by Vet, are applets, etc. downloaded when playing games like TextTwist and Collapse on Yahoo. Could these be potentially harmful? At any rate, I located and emptied the folder.
Incidentally, when I followed your suggestion, and located the Java plug-in settings, I couldn't find a jar cache, only a jpi cache. Should I have cleared that as well? Please pardon my ignorance.
I found this site by plugging Vet's findings into Google, and I just want to say that you guys are incredibly knowledgeable and helpful. If I hadn't found this site, I would have been stumped: having found out I have a trojan that couldn't be removed from the system. Thank you!
#9
Hi Elle_N,
I'm not sure if there are version differences for Sun Java, but this is what I get when I click the Folder icon behind .jpi cache.
HTH, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
#10
My AV (Same as you Philo) picked it up this morning. I just installed the AV, so I do not know how the files got there (Recently reformatted system).
Here is a portion of my log:

C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-10ff38d8-7370db5d.class - Java.ByteVerify.exploit trojan. Deleted.
C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-6bd7446e-320b0bf5.class - Java.ByteVerify.exploit trojan. Deleted.

You can find virus information here:
http://vil.nai.com/vil/content/v_100261.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

According to MS, if you upgrade Microsoft VM to version 3810 or later, you are fine. I do not even have Microsoft VM on my system, so I do not think I have anything to worry about.
#11
Sorry so late in reporting back. I tried several sites, the one who also found this trojan was http://housecall.trendmicro.com/
I deleted the trojan after taking STAnger's advice. Later on 8/31 I got the attached and was able to delete it, but just deleted to my recycle bin then emptied the recycle bin. Must be why it appears in my restore area. Had to turn off system restore, reboot, and turn it back on. All seems well now...no trojans or virus for a few days.
#12
Here's the attached...didn't seem to work last time.
#13
And for taking the time to explain where the other cache is located.
All the best, Elle
#14
Sorry but I'm a little confused here. StAnger advised to delete the jar folder contents and yet my virus scan shows the infected files as being in the .jpi_cache folder. Surely I should delete the contents of the .jpi_cache folder to erase the virus. Could someone confirm what I should do as I don't really want to guess, the results could be dramatic (I think).
Thanks, Keith
#15
This is the part of Philovance log:

C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip contains infected files.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d966-542fd7fa.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d966-542fd7fa.zip contains infected files

Follow the path where your scanner found the Exploit and you'll be fine.
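The advice in post #15 (follow the path the scanner reported) can be applied mechanically to a scanner log. The script below is an added example, not part of the original thread: it parses the log lines quoted in posts #10 and #15, groups the detections by Java plug-in cache folder, and lists the folders that still hold a file the scanner did not report as deleted. The line format and the function names are assumptions inferred from those quoted lines only.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Scanner log lines as quoted in posts #10 and #15 of this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-10ff38d8-7370db5d.class - Java.ByteVerify.exploit trojan. Deleted.
C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-6bd7446e-320b0bf5.class - Java.ByteVerify.exploit trojan. Deleted.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip contains infected files.
C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d966-542fd7fa.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
"""

# Assumed line shape: <file>[>member inside archive] - <detection>. [Action.]
HIT = re.compile(
    r"^(?P<file>[A-Za-z]:\\[^>]+?)(?:>(?P<member>\S+))? - "
    r"(?P<detection>.+?)\.(?: (?P<action>\w+)\.)?$"
)
CACHE_DIRS = {".jpi_cache", "cache"}  # cache folder names seen in the paths above


def cache_root(path):
    """Return the path up to and including the plug-in cache folder, or None."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        if part.lower() in CACHE_DIRS:
            return str(PureWindowsPath(*parts[: i + 1]))
    return None


def triage(log_text):
    """Group detections by cache root; summary lines without ' - ' are skipped."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if m:
            hit = m.groupdict()
            report[cache_root(hit["file"]) or "(outside Java cache)"].append(hit)
    return dict(report)


def roots_needing_cleanup(report):
    """Cache roots with at least one hit the scanner did not report as Deleted."""
    return sorted(root for root, hits in report.items()
                  if any(h["action"] != "Deleted" for h in hits))


if __name__ == "__main__":
    for root in roots_needing_cleanup(triage(SAMPLE_LOG)):
        print("clear via the Java Plug-in control panel:", root)
```

On the sample lines this reports only the `.jpi_cache` folder from post #15, since the two files in post #10 were already deleted by the scanner.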
#16
Sorry to be a pain here, but can I delete all of the contents of the .jpi_cache folder (to be certain I get rid of the virus completely) or is that likely to cause damage to the system? I don't know what the folder is used for.
#17
Hi keith,
I just hit the Clear button for the .jpi_cache (after checking, there was nothing in there) and the subfolders remain in place, so it won't destroy any important folders.
Regards, Pieter
#18
Excellent news. Followed the advice, clearing the .jpi_cache folder via the Java plugin route and the next scan I ran found no virus. Looks like the machine is clean again. Thanks for all the help.
My only concern now is, where did I pick the virus up from?? My machines sit behind a Netgear FR314 router and firewall so I thought I was safe from infections. Anyone got any ideas?
#19
Hi keith,
Most likely from a site you visited. What is stored in this cache are java-applets. The easiest comparison would be with the items Windows stores in your Downloaded Program Files folder. Little programs that can be called upon from a website you're visiting.
Regards, Pieter
#20
If the virus can be picked up just browsing the internet then I suppose I'm never really going to know whether or not my machine gets infected at any time. Pity, because I had hoped that the router firewall might have helped prevent the downloading of "dubious" data. I assume therefore that the only answer is to complete virus scans on a daily basis as my AV package didn't notify me that an infection was within any page I had browsed.
Thanks again for the very helpful advice.
Regards, Keith.
#21
Keith, I can recommend the following programmes: Port Explorer from www.diamondcs.com.au this programme will allow you to see any outgoing connections and stop them in real time, also from the same company TDS3 (Anti-Trojan) and WormGuard which will protect against unknown and potentially dangerous scripts and worms
HTH Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
#22
Quote:
How to prevent my IE from opening redirections when I am visiting infected www by Java.ByteVerify.exploit trojan? Is it possible? Do I have to close the application and clear my internet temporary files each time?
Regards, Piotr
#23
Hi Piotr,
If you are using the Microsoft Virtual Machine: http://www.microsoft.com/technet/tre...n/MS03-011.asp
If you are using the Sun Java: Start > Control Panel > Java Plug-In > Cache tab > remove the checkmark before enable caching.
Regards, Pieter
#24
Hi,
I'm just curious (I don't have that trojan) but I was reading the thread and decided to look for that Java Plugin. I don't have any Java Plugin in my Control Panel. I'm running Windows 98se and IE6 SP1 and java came with the pc. I have the latest build. Where is my cache/jar located? (I don't have the C:\documents and xxx either).
Thanks. Sincerely, Libra
#25
Hi Libra,
The Java Plug-In in the Control Panel is only present if you are using Sun's Java. The Microsoft Virtual machine stores the applets in the Temporary Internet Files. Regards, Pieter