Virus or whatever delivered through Java using Firefox

I wanted to share this with the community. I wanted to investigate an app called Hacker Defense suite. I googled for it and upon clicking one of the website's titles I recieved a virus - just by visiting the site.

I have confirmed this by disabling Java in Firefox and did not receive a warning - enabled it and again received the warning.

Screenshot: http://img31.exs.cx/img31/3289/virus9qe.jpg

 

Are you talking about a rootkit trojan called Hacker Defender? Its a very deadly trojan, its a rootkit. Why did you take the risk by going to the trojan's website?

 

First, if you are going to visit the underbelly of the web and the crack/warez sites, always disable Java and Javascript. Do you have the latest SUN Java Runtime Environment? It is JSRE 1.4.2, there is also a beta 1.5. - What AVAST found may, but is probably not legit. There IS an exploit for earlier Sun JRE versions, but most of these classloader hits are false positives. Do you have other security software to check it with? An anti-Trojan would catch the legit classloader problem. You might try McAfee's free Stinger app and an online scan or two from Trend or McAfee. Let us know. If you're clean from the others, it was a FP from AVAST. But, better safe than sorry. This is an easy FP that is just now getting cleaned up by all of the anti-malware programs, though actually the real thing is extremely rare. Good luck.

 

No, i'm talking about a virus distributed through Java. But as for as the app I was looking into:

 

Lynch, See my post above and let us know. I'm very interested to know if this was a classloader trojan or a js.classloader false alarm. Thanks. BTW, the screenshot looks like you clicked on a link, not for the program, but for a crack for the program. Those places can make for dangerous surfing.

 

For one, there is no indication that it's a crack site or "underbelly of the web" It is the application's website.
I'm using Java 1.5.0-b64
I checked at jotti's - reported possible malware because of packers and length of time in sandbox. (the app itself, not the virus reported)
I'll go check to see if it's quarantined

**edit - I was wrong about it being the apps website. This website start off as tmr.net[edited] - still no way to tell what kind of site it is.

**edit - I went back to the site and put it in Avast virus chest (loaderadv303.jar-12be7432-7b67d684.zip) - I went to jotti's - here are the results:

 

Just so you know, I wasn't being serious about your surfing habits. That's why second post was saying you probably clicked on a link not for the program itself, but for a crack. It's easy to do and I didn't mean to say you were a careless surfer. Those sites are notorious for droppers and malware of all kinds. I'm going to look more into this and if I don't fall asleep I'll write back. If you really are infected, you need first aid right away. Do you use System Restore? Have a recent image you can slap on? The image would be a quick, painless way to rid yourself of this. I use a program called "Deep Freeze" which after a reboot, I am back to a perfect state. It actually renders most all other security software obsolete. Some people say it takes the fun out of messing with the security apps, but I'll gladly take the trade. I'll have to post a thread about it soon and share how I have it setup with all data on a separate partition and programs/OS frozen on C drive, any problems no matter how bad, I'm a reboot away from being back to my perfect system state byte-for-byte.
Gerard

 

hehe, I was careless in clicking the second link in google - thinking it was the application's website. Anyway, if you look closer at my post, it's in a zip file. I am not infected. Java allowed delivery of a zip file containing whatever it is without browser knowledge.
I have an app called Winrollback that is similar - you have to disable it if you want to install anything though because when you reboot, it reverts back to when the computer was first protected. You can delete important files, get viruses, etc with no effect

I think this is what some electronics stores and costco uses because i'm guilty of doing some pretty nasty stuff to demo computers (educational purposes only) - only to see them working later.

 

Where are the official websites for DeepFreeze and WinRollBack?

 

So being that i'm using Java 1.5.0-b64 - we still got problems - should Sun be notified?

 

I may have spoke too soon. I rebooted this morning and many apps I allow to open on startup failed to start and/or failed to show up in tray. ALL of my security apps failed to show up in tray. Some are visible in taskmanager however. I had to manually start Process Guard and Prevx. Avast showed in taskmanager but not tray - Outpost as well. The curious thing about Outpost is the fact i'm using IE for an online virus scan but it's not indicated in Outpost. IE is shown as "System"?

http://img54.exs.cx/img54/4323/out8ax.jpg


************edit********

Yep, i'm infected I think. So far:

C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

All security apps failed. I should have been using "Winrollback" I would not be having trouble right now this is a true "drive by" infection that Firefox has no protection from - other than turning off Java.

Most all my startups are missing. Does anyone know what I should do?
http://img9.exs.cx/img9/8352/startups9lo.jpg

 

I system restored back to normal

 

You may be interested in alerting the search engine you used about this.

Jimbob

 

I don't think google can/will do anything. There are probably 1000's of questionable sites - take one down another will pop up.