Trojan Downloader.Open Stream.NAB

A customer ran a Nod32 v2.7 in depth scan & got this message:

C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0\45\2bbf6c6d-2d8e6380 is infected with Trojan/Java/Trojan Downloader.Open Stream.NAB

Nod32 was unable to clean the file, so I asked the customer to run Prevx CSI which found nothing. He will run a further Nod32 scan in Safe mode tonight.

Could this be a FP?

 

Prevx CSI scans only for active threats; i.e. files loaded in memory and startup files. In this case it's an dormant cache file, hence Prevx isn't going to detect it.

 

Should EAV/NOD32 fail to delete the folder:

Make him use Pocket Killbox to delete the whole folder

C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\6.0

This is cache/temporary files

 

Thanks, I didn't realise that!

 

Thanks, I've sent him a link.

 

He used Pocket Killbox & ran a delete on reboot. After a further scan he found the same virus this time in the Pocket Killbox directory! He's now deleted the directory & running yet another scan!

 

Glad to know

Sure , because Killbox have deleted the file/folder from its original location but have made a back-up/copy of it , just in case. Pretty normal

Recommend your client to install EAV v 3.0 for better cleaning and more automated cleaning mechanism

 

Not sure that a backup copy of a trojan is needed?

I'm not running v3 on my own systems yet, I can't run them on customer systems until I'm happy that they are reliable. The last time I checked, the forum was full of v3 issues.

 

I found it recently on my Vista Dell 531. Same thing, couldn't clean it so I took a deep breath and deleted outright and rebooted, rescanned and it wan't there.

Question; Should I create new restore points, (1, 2 or 3?) and delete all but the last point? I'm a home user not a help desk pro. This thing might have been copied onto my partition. Can I scan that?
I found this site by googling "trojan downloader NAB".

Thanks in advance for any help.

 

You can flush the System Restore points by disabling the options and then immediately reenabling it

 

One interesting thought... how did Nod32 let this trojan past in the first place?

 

I guess ... Either 1 or 2 ... or both

1) 2bbf6c6d-2d8e6380 is some kind of archive , it simply can't be a whole folder . AMON doesn't scan archives in real-time
2) Detection was added after the user got the trojan inside

 

I believe it was an archive.

 

Threats inside archives are detected upon extraction.

 

Actually, it was a cache file.

C:\Users\\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\74018dd6-7765baaa »ZIP »OP.class - Java/TrojanDownloader.OpenStream.NAB trojan

I removed the user name for obvious reasons.

This is a copy of the log file. My buddies, who know far more about this stuff than I do told me it might be a part of my Rhapsody streamer or Comcast's Fancast streamer. I haven't had time to test the theory.
I did eliminate it from restore by creating 1 point and getting rid of the rest, after I simply deleted the files and re-booted. (Which was probably unnecessary but, I like to thorough.)

I thank everybody for their replies.

Oh yeah, I also wonder how it got past NOD 32 when I have all monitors turned on and the reason I suspect the two apps is because those were the only two streamers I added the day that NOd found it. I have it scan every night while I sleep of course.

 

Interesting, my NoD32 v2.5 found 2 as follows: 1) C:\windows\Temp\$558767A.t$m
2) C:\windows\Temp\$3BC84D19.t$m
I went to my temp file and it was empty, this was also a Java/TrojanDL.OpenStream.NAB Trojan.

 

Can anyone say what this thing does or is it relatively harmless?

Can't find any such description on web.

I'm asking 'cos NOD32 just detected it for me

 

I have not had a problem since I deleted the file created a restore pointand used disc clean up to rid infected restore points. I had originally thought it ws actually a by-product of Rhapsody of Fancast. I hve used both since and it has not turned up.
I am not a techie nor a guru. I'm simply a home / work user with educated friends. I decided on my own take the actions I listed. My pc runs fine and it has not shown up again. So I recommend you go to the file, delete it completely, create a new restore point, delete the rest through disc clean up and restart. On my pc it was a cache file. From my small amount of knowledge that is an odd place to direct a trojan to but what do I know?

I believe the other folks up the string make a living at this stuff. Hopefully, they'll speak up. NOD 32 has found nothing since.

 

Thanks for that.

I'm not overly concerned as it's a cache file which I have picked up is probably 'something and nothing' when it comes to this sort of thing.

I deleted it manually last night along with another file with an .idx extension which had the same filename.

Not sure that was the right thing to do but again, as it's a cache file, figure that it can't do much harm deleting it.

Sounds like more of a false positive to me. But as you said, what do I know. All I do know is that I can find no specific reference to it on any of the virus scan vendor websites!

As you say, someone else who has more knowledge may actually post to advise. Suppose it's always possible no one really knows

 

One thing more. When I run into this stuff I copy, paste the string into google. If no results, I incrementally shorten the string until I do.
This is how I found this site. There is info out there. Sometimes good sometimes bad. I think the folks in this string are pros as they mention clients often. It is their job to be cautious and thorough as any nonchalant actions may shut down a client's business. While a home, (non-business), user will go through inconvenience and perturbance we still make our living,
I suggest you get a large external drive (if you can afford the $100 U.S or less), and make occasional backups right after you make sure your system is clean. Then, disconnect the thing so that there is no way it can become infected. Google has a plethora of info on it; when you use the rule of thumb that a site is run by pros or you see it repeated several times with different syntax. Glad I can help.
It's nice to be the helper for once instead of the helpee. In the past, I have been learning stuff the hard way. Inconvenient as heck, but it sure does stick once you go through it.