Trj/Java.Binny.A

Discussion in 'Trojan Defence Suite' started by tokdok, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
    Sorry, I couldn't find mention of this trojan by a search: Trj/Java.Binny.A.

    The online scans at PC Pitstop and Bitdefender detected it, and Bitdefender disinfection failed. TDS and AVG Free Edition do not detect. Wondering how to get rid of it; or if a false positive. TDS is up to date.

    Path:

    C:\Documents and Settings\Charles Pelham\Application
    Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
    archive.jar-68ec1667-270b35e5.zip

    Thanks,
    charlie
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there!
    Can you please submit the zip to submit@diamondcs.com.au ? Thanks in advance!
    It has various names, yours might be another variety.

    From the viruslist description:
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=57696
    Aliases:
    Trojan.Java.Binny.a (Kaspersky Lab) is also known as: JV/Shinwow (McAfee), Trojan.ByteVerify (Symantec), Troj/Clsldr-A (Sophos), Java/Binny.A.2 (H+BEDV), Java.Trojan.Binny.A (SOFTWIN), Java.Trojan.Binny.A-2 (ClamAV), Trj/Java.Binny.A (Panda)
    The applet contains three files:
    mein.class, which is 2031 bytes in size. This is the main program function, and also contains the exploit function
    binny.class, which is 3464 bytes in size. This array variable is launched using the exploit
    beyond.class, which is 972 bytes in size. This file writes the program which binny.class contains to disk and launches it
     
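    The viruslist description quoted above gives a concrete fingerprint for this applet: three class names with fixed sizes inside one archive in the Java Plug-in cache. The script below is an added example (not code from this thread, from DiamondCS or from viruslist) that walks a Java deployment cache directory, opens each .jar/.zip archive and reports any that contain those class names, noting whether the sizes match the quoted ones. Assumptions: the cache lives under %APPDATA%\Sun\Java\Deployment\cache (the same location tokdok posted, expressed as an environment variable); the sample cache it builds when no real one is found is constructed, with filler bytes standing in for class contents, and the archive name is modelled on the one tokdok posted.

```python
"""Scan a Java Plug-in deployment cache for archives matching the Binny class
set quoted from viruslist in this thread (added example, not the thread's code)."""
import os
import tempfile
import zipfile

# Class names and sizes as quoted from the viruslist description.
BINNY_CLASSES = {
    "mein.class": 2031,
    "binny.class": 3464,
    "beyond.class": 972,
}

ARCHIVE_SUFFIXES = (".jar", ".zip")


def inspect_archive(path):
    """Inspect one archive. Returns a dict with 'path', 'matched' (list of
    (class name, size in archive, size equals quoted size)) and 'all_three'
    (True when every one of the three Binny class names is present)."""
    matched = []
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                base = os.path.basename(info.filename)
                if base in BINNY_CLASSES:
                    matched.append((base, info.file_size,
                                    info.file_size == BINNY_CLASSES[base]))
    except zipfile.BadZipFile:
        # The cache also holds non-zip files (index files etc.); skip them.
        return {"path": path, "matched": [], "all_three": False,
                "error": "not a zip archive"}
    names = {m[0] for m in matched}
    return {"path": path, "matched": matched,
            "all_three": names == set(BINNY_CLASSES)}


def scan_cache(cache_dir):
    """Walk cache_dir and return results for archives containing at least one
    Binny class name. Only reads the archives; nothing is deleted."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                result = inspect_archive(os.path.join(root, fname))
                if result["matched"]:
                    hits.append(result)
    return hits


def build_sample_cache(root):
    """Constructed sample cache: one archive laid out like the quoted Binny
    applet (same class names and sizes, filler bytes) and one benign archive."""
    jar_dir = os.path.join(root, "javapi", "v1.0", "jar")
    os.makedirs(jar_dir, exist_ok=True)
    # Archive name modelled on the one tokdok posted; contents are filler.
    bad = os.path.join(jar_dir, "archive.jar-68ec1667-270b35e5.zip")
    with zipfile.ZipFile(bad, "w") as zf:
        for name, size in BINNY_CLASSES.items():
            zf.writestr(name, b"\x00" * size)
    good = os.path.join(jar_dir, "applet.jar-0000aaaa-1111bbbb.zip")
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("HelloApplet.class", b"\x00" * 300)
    return jar_dir


def demo():
    """Build the constructed sample cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_cache(tmp)


if __name__ == "__main__":
    # Assumed location of the real cache (tokdok's path, via %APPDATA%).
    default = os.path.expandvars(r"%APPDATA%\Sun\Java\Deployment\cache")
    results = scan_cache(default) if os.path.isdir(default) else demo()
    for r in results:
        flag = "all three Binny classes" if r["all_three"] else "partial match"
        print(f"{r['path']}: {flag} {r['matched']}")
```

Run it on the machine in question and a hit on all three names with matching sizes is strong evidence the cached archive is the Binny applet rather than a false positive; a partial match (only one name, or mismatched sizes) is worth submitting to the vendor as the thread suggests before deleting anything.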
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tokdok, your other AV may be stopping TDS3 from detecting it. Also you may need to enable Scanning inside .zip/.rar files and unpack compressed .exe's.

    Anyway, to do a full scan with no interference, reboot into Safe Mode by pressing F8 a few times before Windows starts, then enable all of the scan options in TDS3, select all physical drives and do the scan.
    This is a very deep scan and will take quite a time depending upon amount of files to be scanned and your machine's specifications.

    And, of course, do submit the file as Jooske has suggested :)

    HTH Pilli.
     
  4. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
  5. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
    I'll go do that right now.
    Thanks,
    cp
     
  6. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
    Hi Pilli,

    The computer will not go into Safe Mode. (Sure sign of trouble...) I double-checked updates and scanned in normal mode (all options enabled) with no trojan found.


    Update: Got into safe mode and ran full scan; no results....
    cp

    Last update for the night:
    I ran CCleaner, which unceremoniously wiped out all that Java crap, and 3 different web virus scans now say my system is clean.
    So, am I clean?
     
    Last edited: Feb 22, 2005
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for replying, tokdok. Hopefully DCS will analyse the file(s) and add them to their latest definitions if it / they are malware.
    Regarding more analysis of your own machine, following some or all of the steps here: https://www.wilderssecurity.com/showthread.php?t=50662 will help ensure that your system is clean.

    Pilli. :)
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    By the looks of it you should be clean now.
    Good you tried the various online scanners already as that would have been my next suggestion.
    You might like to have a look with the AutoStartViewer (DiamondCS free products site) to see if there is anything suspicious trying to do anything nasty.
     
  9. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
    Hi Pilli,
    I did all of the steps (maybe not 3 times) and everything comes up clean. Maybe we can announce a new method for dealing with a trojan: just delete the dadgum file! And maybe advise Firefox users to empty the Java cache often....

    I'll wait for future updates & developments before declaring victory. Thanks for your help.

    charlie
     
  10. tokdok

    tokdok Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    11
    Location:
    Slapout, Alabama
    Hi Jooske,
    I downloaded that file, and all looks OK so far. Thanks for your help.
    charlie
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Charlie, I'm really happy to see your system is clean and safe now!
    The bad part: all that work and scanning; the good part: you definitely learned lots from all that! And with that experience you can save people around you with their systems!
     