Java/TrojanDownloader.OpenConnection.AQ trojan

Discussion in 'ESET NOD32 Antivirus' started by djackino, Dec 8, 2011.

Thread Status:
Not open for further replies.
  1. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    ESET NOD 5.0.93, defs 6695

    I am getting the following messages from ESET (all are the same, example shown here):
    12/8/2011 12:52:50 PM HTTP filter file
    ~url removed~ a variant of Java/TrojanDownloader.OpenConnection.AQ trojan
    connection terminated - quarantined <domain name>\<user name> Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

    I scanned java.exe and it is clean. I ran ESET and Malware Bytes scans and found nothing.

    This first came up when I went to a website that I thought was a computer help site (not the k71e74.com website shown in the log entry). I have received 2 groups of these messages; it is just getting annoying to have to keep seeing them. ESET quarantined a file and I sent it off for analysis.

    I also killed a java.exe process twice, which has been shown running in Task Manager (and is indicated in the log message). I have JRE 1.6 level 23 installed on the computer. The process seems to come back and try to access the .jar file on the website (rootkit?). The java.exe file is clean, according to ESET. For now, I renamed the file to java.exebak as I am not using the one app that requires it.

    Any ideas are greatly appreciated.
     
    Last edited by a moderator: Dec 8, 2011
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I assume that a Java script triggered on your machine attempted to download a Trojan downloader which was subsequently blocked by ESET. Is the threat continually being detected, or did it happen just once?
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
    I would recommend uninstalling all current Java versions and using either Java 6 Update 29 or Java 7 Update 1 after the threat is sorted.
     
  4. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    I uninstalled Java Runtime after determining with my IT guy that it is not needed on my machine anymore. No messages have appeared since.

    The threat happened twice. The first was at 10:30am ET, then around 12:30pm ET.
    I suspect something is still lurking around my computer, trying to fire up a non-existent java.exe every so often. All scans are still showing clean (ESET, Malware Bytes, and Spybot). Anything else I should try?

    Thanks.
     
  5. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    I think you had a Java version with a known vulnerability, and a website was exploiting that. The payload that was sent was then detected by ESET.
     
  6. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    Hitman Pro would be worth a try.
     
  7. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    Clean run for Hitman Pro - just some tracking cookies. RKill also reports nothing.

    I did get this logged recently while on a fire fighting webpage:
    12/9/2011 12:30:56 PM HTTP filter file -http://gm21wv.com/news- JS/Kryptik.EC trojan connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
     
    Last edited by a moderator: Dec 9, 2011
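The two log entries quoted in this thread (posts 1 and 7) share one ESET HTTP filter line format. The following is an added example, not code from the thread or from ESET, that parses lines in that format and groups detections by the process that made the blocked request; the point it illustrates is the one the thread turns on: a browser triggering a detection is the normal case for a drive-by, while a non-browser binary such as java.exe repeatedly making the request suggests something re-launching it. The sample lines are constructed, the URLs are placeholders, and the list of browser executables is an assumption.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Constructed sample lines in the format ESET's HTTP filter writes; URLs are
# placeholders (the thread's were removed by a moderator), user fields as quoted.
SAMPLE_LOG = """\
12/8/2011 12:52:50 PM HTTP filter file ~url removed~ a variant of Java/TrojanDownloader.OpenConnection.AQ trojan connection terminated - quarantined <domain name>\\<user name> Threat was detected upon access to web by the application: C:\\Program Files\\Java\\jre6\\bin\\java.exe.
12/8/2011 2:31:07 PM HTTP filter file ~url removed~ a variant of Java/TrojanDownloader.OpenConnection.AQ trojan connection terminated - quarantined <domain name>\\<user name> Threat was detected upon access to web by the application: C:\\Program Files\\Java\\jre6\\bin\\java.exe.
12/9/2011 12:30:56 PM HTTP filter file -http://example.invalid/news- JS/Kryptik.EC trojan connection terminated - quarantined TFSG\\djackino Threat was detected upon access to web by the application: C:\\Program Files\\Internet Explorer\\iexplore.exe.
"""

# Field layout taken from the two lines quoted in the thread; the threat-type
# suffixes other than "trojan" are assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) HTTP filter file "
    r"(?P<obj>.+?) (?P<threat>(?:a variant of )?\S+ (?:trojan|worm|virus|application)) "
    r"connection terminated - (?P<action>\S+) (?P<user>.+?) "
    r"Threat was detected upon access to web by the application: (?P<app>.+?)\.?$"
)

# Assumed set of browser executables; anything else making web requests that
# trip the filter is worth a closer look.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

def parse_line(line: str) -> Optional[dict]:
    """Split one HTTP-filter line into fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
    d["exe"] = d["app"].rsplit("\\", 1)[-1].lower()   # basename of the requesting process
    return d

def triage(log_text: str) -> dict:
    """Count detections per requesting process and list the non-browser ones."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_exe = Counter(e["exe"] for e in events)
    non_browser = sorted(exe for exe in per_exe if exe not in BROWSERS)
    return {"events": len(events), "per_exe": dict(per_exe), "non_browser": non_browser}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Applied to the sample, java.exe shows up twice as the requesting process and iexplore.exe once, which is the pattern the original poster described before removing the JRE.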