Java.ByteVerify.exploit trojan

Discussion in 'malware problems & news' started by PhiloVance, Aug 29, 2003.

Thread Status:
Not open for further replies.
  1. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Just found I have this trojan: Java.ByteVerify.exploit trojan. My eTrust AV program was unable to delete/rename it. How do I get rid of it? Thanks
     
  2. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Sorry, should have given more info:

    Win xp home + sp1
    Dell 450 Pentium 2
    450mhz 328mb ram


    Also see attached log.

    Thanks.
     

    Attached Files:

  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Philo,

    In order to make sure (as much as possible) this isn't a false positive, use the free services available to check these particular files. Have a look over on our free services page.

    Keep us posted.

    regards.

    paul
     
  4. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Try this:
    Close all browsers, Start > Settings > Control panel > Java Plugin [version number] > Choose Cache and click remove JAR Cache.
     
  5. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Sorry Paul,

    Didn't mean to get in your way.
     
  6. microwave

    microwave Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    6
    Now you've done it - boss is coming after you! :cool:

    microwave
     
  7. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Thanks for the link to the free services page. Will do when I get home (at work right now). And double thanks for your quick response.
    :cool:
     
  8. Elle_N

    Elle_N Guest

    Please let me begin with an apology for not being particularly computer literate...
    I run Vet anti-virus software on my computer, and recently received notification of this trojan while doing a virus check.
    I did as you suggested, and performed an on-line scan which did not detect any problems.
    Interestingly, it appears that the offending folders, as identified by Vet, are applets, etc. downloaded when playing games like TextTwist and Collapse on Yahoo. Could these be potentially harmful?
    At any rate, I located and emptied the folder.
    Incidentally, when I followed your suggestion, and located the Java plug-in settings, I couldn't find a jar cache, only a jpi cache. Should I have cleared that as well? Please pardon my ignorance.
    I found this site by plugging Vet's findings into Google, and I just want to say that you guys are incredibly knowledgeable and helpful :)
    If I hadn't found this site, I would have been stumped: having found out I have a trojan that couldn't be removed from the system.
    Thank you!
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Elle_N,

    I'm not sure if there are version differences for Sun Java, but this is what I get when I click the Folder icon behind .jpi cache.

    HTH,

    Pieter
     

    Attached Files:

  10. Kwea

    Kwea Guest

    My AV (Same as you Philo) picked it up this morning. I just installed the AV, so I do not know how the files got there (Recently reformatted system).

    Here is a portion of my log:
    C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-10ff38d8-7370db5d.class - Java.ByteVerify.exploit trojan. Deleted.
    C:\Documents and Settings\Jared Silva\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-6bd7446e-320b0bf5.class - Java.ByteVerify.exploit trojan. Deleted.

    You can find virus information here:
    http://vil.nai.com/vil/content/v_100261.htm

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

    According to MS, if you upgrade Microsoft VM to version 3810 or later, you are fine.

    I do not even have Microsoft VM on my system, so I do not think I have anything to worry about.
     
  11. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Sorry so late in reporting back. I tried several sites, the one who also found this trojan was http://housecall.trendmicro.com/

    I deleted the trojan after taking StAnger's advice.

    Later on 8/31 I got the attached and was able to delete it, but just deleted to my recycle bin then emptied the recycle bin. Must be why it appears in my restore area. Had to turn off system restore, reboot, and turn it back on. All seems well now...no trojans or virus for a few days.



    :cool:
     
  12. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Here's the attached...didn't seem to work last time.
     

    Attached Files:

  13. Elle_N

    Elle_N Guest

    [move]Thank you all so much for your help[/move]

    And for taking the time to explain where the other cache is located.

    All the best,
    Elle :-*
     
  14. keith

    keith Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    4
    Sorry but I'm a little confused here. StAnger advised to delete the jar folder contents and yet my virus scan shows the infected files as being in the .jpi_cache folder. Surely I should delete the contents of the .jpi_cache folder to erase the virus. Could someone confirm what I should do as I don't really want to guess, the results could be dramatic (I think).

    Thanks,

    Keith
     
  15. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    This is part of PhiloVance's log:

    C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
    C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d962-64f7e647.zip contains infected files.
    C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d966-542fd7fa.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
    C:\Documents and Settings\Joseph\.jpi_cache\jar\1.0\archive.jar-27b6d966-542fd7fa.zip contains infected files

    Follow the path where your scanner found the Exploit and you'll be fine.
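
Added example, not part of the original thread: a small Python parser for scanner log lines in the format quoted above, grouping each detection by the Java plug-in cache folder (`.jpi_cache` or `Deployment\cache`) that holds it, so the right cache gets cleared. The sample lines, the placeholder user name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the log format quoted in this thread ("user" and the
# hex suffixes are placeholders, not values from a real scan).
SAMPLE_LOG = r"""
C:\Documents and Settings\user\.jpi_cache\jar\1.0\archive.jar-11111111-22222222.zip>VerifierBug.class - Java.ByteVerify.exploit trojan.
C:\Documents and Settings\user\.jpi_cache\jar\1.0\archive.jar-11111111-22222222.zip contains infected files.
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-33333333-44444444.class - Java.ByteVerify.exploit trojan. Deleted.
"""

# "<path>[>member inside archive] - <detection name>.[ <action>.]"
LINE_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?)(?:>(?P<member>[^>]+?))? - "
    r"(?P<name>.+?)\.(?: (?P<action>\w+)\.)?"
)

def cache_root(path):
    """Return the Sun Java plug-in cache folder containing path, or None."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        is_jpi = part.lower() == ".jpi_cache"
        is_deploy = part.lower() == "cache" and i > 0 and parts[i - 1].lower() == "deployment"
        if is_jpi or is_deploy:
            return str(PureWindowsPath(*parts[: i + 1]))
    return None  # detection is outside the applet caches; do not guess

def parse_detections(log):
    """Parse detection lines; summary lines without ' - ' are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def caches_to_clear(log):
    """Group detections by the cache folder the user should clear."""
    groups = defaultdict(list)
    for hit in parse_detections(log):
        groups[cache_root(hit["path"])].append(hit)
    return dict(groups)

if __name__ == "__main__":
    for root, hits in caches_to_clear(SAMPLE_LOG).items():
        print(root or "(not in a Java cache)", "->", len(hits), "detection(s)")
```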
     
  16. keith

    keith Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    4
    Sorry to be a pain here, but can I delete all of the contents of the .jpi_cache folder (to be certain I get rid of the virus completely) or is that likely to cause damage to the system? I don't know what the folder is used for.
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi keith,

    I just hit the Clear button for the .jpi_cache (after checking, there was nothing in there) and the subfolders remain in place, so it won't destroy any important folders.

    Regards,

    Pieter
     
  18. keith

    keith Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    4
    Excellent news. Followed the advice, clearing the .jpi_cache folder via the Java plugin route and the next scan I ran found no virus. Looks like the machine is clean again. Thanks for all the help.

    My only concern now is, where did I pick the virus up from?? My machines sit behind a Netgear FR314 router and firewall so I thought I was safe from infections.

    Any one got any ideas?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi keith,

    Most likely from a site you visited. What is stored in this cache are java-applets. The easiest comparison would be with the items Windows stores in your Downloaded Program Files folder.
    Little programs that can be called upon from a website you're visiting.

    Regards,

    Pieter
     
  20. keith

    keith Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    4
    If the virus can be picked up just browsing the internet then I suppose I'm never really going to know whether or not my machine gets infected at any time. Pity, because I had hoped that the router firewall might have helped prevent the downloading of "dubious" data. I assume therefore that the only answer is to complete virus scans on a daily basis as my AV package didn't notify me that an infection was within any page I had browsed.

    Thanks again for the very helpful advice.

    Regards,

    Keith.
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Keith, I can recommend the following programmes: Port Explorer from www.diamondcs.com.au this programme will allow you to see any outgoing connections and stop them in real time, also from the same company TDS3 (Anti-Trojan) and WormGuard which will protect against unknown and potentially dangerous scripts and worms :D

    HTH Pilli
     
  22. sjnet

    sjnet Guest

    How to prevent my IE from opening redirections when I am visiting infected www by Java.ByteVerify.exploit trojan?

    Is it possible? Do I have to close the application and clear my internet temporary files each time?

    Regards,
    Piotr
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  24. Libra

    Libra Registered Member

    Joined:
    May 26, 2003
    Posts:
    42
    Hi,
    I'm just curious (I don't have that trojan) but I was reading the thread and decided to look for that Java Plugin. I don't have any Java Plugin in my Control Panel. I'm running Windows 98se and IE6 SP1 and java came with the pc. I have the latest build. Where is my cache/jar located? (I don't have the C:\documents and xxx either).
    Thanks.
    Sincerely, Libra
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Libra,

    The Java Plug-In in the Control Panel is only present if you are using Sun's Java.
    The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

    Regards,

    Pieter
     