Infected: Trojan-Downloader.Java.OpenStream.w

Trojan-Downloader.Java.OpenStream.w is not detected by Avast. It was detected by Trend Micro On-line scan and by Kaspersky on-line scan. I deleted it with Trend Micro on-line scan. To make sure all traces were taken care of, I downloaded Kaspersky’s trial version and ran it in safe mode. For the time being I have decided to uninstall Avast and install Kaspersky trial. Once I get a response from virus@avast.com with good news (dats with detection for this trojan) I will re-install Avast.

Report from Kaspersky:

KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 17, 2005 07:10:36
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/09/2005
Kaspersky Anti-Virus database records: 140495

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\Documents and Settings\Alex\

Scan Statistics
Total number of scanned objects 17015
Number of viruses found 1
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 500 sec

Infected Object Name Virus Name
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-1158dae9.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w

C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-1158dae9.zip Infected: Trojan-Downloader.Java.OpenStream.w

C:\Documents and Settings\Alex\javainstaller.jar-3c936701-1158dae9.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w

C:\Documents and Settings\Alex\javainstaller.jar-3c936701-1158dae9.zip Infected: Trojan-Downloader.Java.OpenStream.w

Report from Trend Micro:

Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

Detected File Associated Virus Name Action Taken
C:\Documents and Settings\Alex\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-1158dae9.zip

  • javainstaller\InstallerApplet.class JAVA_BYTEVER.R
    Deletion successful

So… it's sorted now, right?

Ricky,

I have been able to clean it but Avast will not detect it until it’s added to the virus detection. I am running Kaspersky trial for now. My Avast subscription has a few more months before expiration but it’s not worth running it if it does not get the job done.

Well, some admin will read this, I think, and then he’ll do it in the next version, I think :S I hope they do, cos I use Avast and I think it's the best, but if it does do what it is … I don't know if I do or not.

Hi Ricky,

Well I have read that some other AV products can recognize it for what it is, but do a bad cleaning job. There is a big difference between recognizing a threat or cleaning or isolating a threat. AVG seems to recognize it now, avir cleans it, Nod32 too. I like to hear what Tech has to say on this one missed apparently. Did littlepr1 upload it to the avast virus guy?

greets,

polonus

I have been able to clean it but Avast will not detect it until it's added to the virus detection. I am running Kaspersky trial for now. My Avast subscription has a few more months before expiration but it's not worth running it if it does not get the job done.

And if no one (you) sends the sample to Alwil, how do you expect them to add it to the VPS?

Good remark Eddy. That one homes in.

polonus

Guys,

I did send the virus file to virus@avast.com. Let's just hope they add it soon. I want my money's worth.

Hi littlepr1,

Good you did, and I hope for us all it is soon included for the benefit of all, and to get you back on board. You should understand though that this is a problem that all AV products share. They are always out for the last new malware. They are never really fully up to date, and unfortunately but rarely some people are so unlucky to become a victim of the vulnerability gap. An important thing I learned from bob here in the forum is to always have a second opinion on board, in our case ClamWin open source non-resident. It is daily updated and it is there for completion and closing the vulnerability gap. If you use system monitoring and script checking I am sure you are aptly protected. Because talking honestly to you the days that a good AV product and a FW were your only lines of defense, are surely gone forever. New threats are on the horizon, there is adware out there, spyware, scumware, hidden API hooks invisible memory forsaken rootkits, you really cannot sit there behind your keyboard without a multilayered defense, and then still you have the chance to be taken by surprise. And in that case we are here. We together can get each other out of any mess. You are not alone any longer. Avast is something special it has the extra touch…

greets,

polonus

I think they will :)

Beware pop-ups like these:

http://donaldbroatch.users.btopenworld.com/javapopup.jpg

Click ‘yes’ and open the gates of hell!

Openstream.T is a Java applet-based trojan downloader that will download and execute a trojan that will download spyware and adware into the system.

Openstream.T comes in a signed Java JAR file that will download and activate if the user uses a web browser that supports Java. Before letting the trojan execute, the Java runtime will ask the user whether he wants the signed Java application to run.

If the user answers no, the trojan will not execute.

If the user answers yes, the trojan will download a Win32 EXE trojan that will download further trojans.

Openstream will run basically under any browser which supports Java, and probably also under other operating systems than Windows. However, as the only payload the trojan has is downloading a Win32 EXE, the trojan is harmless in other operating systems than Windows.

http://www.f-secure.com/v-descs/openstream_t.shtml

http://www.viruslist.com/en/search?VN=Trojan-Downloader.Java.OpenStream.w

Any ByteVerify infected files can simply be ignored and deleted from the Java cache, assuming of course that browser and OS are up to date.

http://forum.avast.com/index.php?topic=13435.0
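
For the cache clean-up discussed in this post, an added example (not part of the original thread, nor any vendor's tool): a Python inventory of cached applet archives that records each file's SHA-256, whether it carries JAR signature files, and the classes inside, which is the information to attach to a vendor sample submission. The sample cache it builds is constructed and harmless, the function names are this example's own, and a present signature file says nothing about whether the signature is valid or the signer trustworthy.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files in a signed JAR


def inspect_archive(path):
    """Summarise one cached archive without extracting or executing anything."""
    path = Path(path)
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    # "signed" here only means the signature files are present, not verified.
    signed = (any(n.endswith(".SF") for n in meta)
              and any(n.endswith(SIG_BLOCK_EXT) for n in meta))
    return {
        "path": str(path),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "signed": signed,
        "classes": sorted(n for n in names if n.endswith(".class")),
    }


def scan_cache(root):
    """Inspect every ZIP-format file under root (cached JARs are stored as .zip)."""
    return [inspect_archive(p) for p in sorted(Path(root).rglob("*"))
            if p.is_file() and zipfile.is_zipfile(p)]


def build_sample_cache(root):
    """Constructed, harmless stand-in for a plug-in cache (placeholder bytes only)."""
    jar_dir = Path(root) / "cache" / "javapi" / "v1.0" / "jar"
    jar_dir.mkdir(parents=True)
    with zipfile.ZipFile(jar_dir / "sample.jar-00000000-00000000.zip", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "placeholder")
        zf.writestr("META-INF/SIGNER.RSA", "placeholder")
        zf.writestr("sample/InstallerApplet.class", "placeholder")
    with zipfile.ZipFile(jar_dir / "plain.jar-00000000-00000001.zip", "w") as zf:
        zf.writestr("plain/Clock.class", "placeholder")
    return jar_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for r in scan_cache(tmp):
            print(r["sha256"][:16], "signed" if r["signed"] else "unsigned", r["classes"])
```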

Hi FreewheelinFrank,

Good info, thanks.

polonus

PS That is why I use NoScript in FF. One of the reasons for this.

polonus,

Thanks for the response. I understand what you are saying. I am pretty savvy at cleaning systems on my own so I really was just venting by the fact that this baby has been around for a while now so I expected Avast to be up-to-date. I first learned about Avast about a year ago when I needed a free version to help a friend get rid of some nasty buggers and I liked it. Once my Symantec ran out I purchased a license and have had Avast running now for almost a year and have never had it miss anything until now. Oddly enough it’s probably been there for a while but since I have a dual boot, I mainly surf Linux style. Then my cd/dvdrd dl drive stopped reading/writing CDs so I had to send it out for repairs. Before sending it out I backed up my stuff and ran some scans to make sure it was clean of viruses that could have been locking up the drive. To my surprise nothing was found so I decided to make sure by running some online scanners. That is when I found this bad boy. The rest of my ordeal you guys already know about. I was able to clean it. Laptop has been shipped for cd/dvdrw dl replacement.

Thanks again,

Hello littlepr,

Sorry to hear this story. Some are just unlucky, and this time it was you. I have been too. Once I had an awful hidden beast, that ruined my comp. Only could restore the sys using fiddling the arrows and the F8’s. Now then my little old boy, you sure know what the situation is like. Could save my data mainly by using the Nero burner from as Linux Windows install. Then I did a fresh re-install, after that I joined the Avast forum, because I decided I would not like to experience this again. I shied away from the big AV products because they are too consuming and once Norton stalled my system at work because of wrong Verisign certifications, causing it checking and checking and checking. A lot of people were turned to McAfee that way. I have grown to be a fan of Dr. Web’s link checker plug in in FF on their bi-hourly updated server in St. Petersburg, amazing prevention they offer, and only 10 KB of plug-in install. The online non-resident scan of Bitdefender suits me well, and as a non-resident scanner aboard I use ClamWin, works well as a second opinion next to Avast resident scanner, and has a good update rate, besides I cannot say a bad word about people behind good open source. Well that is it from me here, stay with us for the mo.
We need people like you here in the forum,

greets,

polonus

Hello, curiously, I made a scan this morning (20 September 2005) with Trend Micro online… and it found this trojan: “TROJ DLOADER.WS”… non-cleanable by Trend… I deleted it manually, because Avast was unable to find it!!! And I have all the upgrades!! I don’t know if it’s the same troj that was described here, but I ask Avast to please do something to make its software able to find this and able to clean it next time!

guillard,
can you please resize your avatar to something smaller, like this: