virus in Sun\Java class

Dear friends,

Today I scanned C:\Windows|Application\Sun\Java\readFile.class;
fileInfo-class; replaceProperclassFile.class, and port25.class and AVAST quarantined JS read Password, JS file info, JS replace Prop, JS Port25. I think I am safe now. All my incoming mail is screened twice, on ISP level, through mailwasher, and scanned. Then I use Firefox browser latest version. I leave IE alone. How did this infection land on my computer? I reckon it was a drive-by script installation, or was it an applet? I have anti-spyware and a functioning hosts file, still this Java nastiness landed on my box. What do I have to do next to prevent this? Is my system compromised? Do I have to monitor port 25? My firewall did not inform me of any infringement!
Anyone more info?

greetings,

POLONUS

Do you use JAVA, do you need JAVA?

If not uninstall it. If you do use it, ensure that you have the latest version.

I don’t think it matters if you are using IE or Firefox: if there is a Java element it will use the …\Sun\Java… path/program.

Personally I don’t use JAVA (it is no longer installed, neither IE’s nor Sun’s version), so I have it disabled in Firefox and IE.

Java exploits may arrive in the Java cache when visiting a site which pushes malware.

Malicious applets have been discovered in the JRE cache directory. Anti-virus programs have detected such malicious applets in the following directory:

C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011).

If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer.


http://www.java.com/en/download/help/cache_virus.xml
Check the file location: if it is in Java\Deployment\cache\javapi\v1.0\jar, then this is what happened to you.

Older versions of Sun Java were also vulnerable to exploits so it’s vital to update to the latest version AND TO UNINSTALL OLDER VERSIONS.

Download the latest version of Java JRE here:
http://java.sun.com/j2se/1.5.0/download.jsp

More info here:

http://www.geocities.com/dontsurfinthenude/java.htm

See what DavidR (the old troglodyte :P) is missing at this wonderful Java site:

http://sodaplay.com/constructor/index.htm
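One way to triage such detections (an added example, not code from this forum thread; the paths are constructed and the 1.5.0_03 baseline is the version quoted later in the thread): it tells a cached applet in the deployment cache apart from files belonging to an installed JRE, and lists older JRE versions still present on disk, which the post says should be uninstalled.

```python
import re
from pathlib import PureWindowsPath

# Directory the post names as the place cached (drive-by) applets end up, case folded.
JRE_CACHE_MARKER = ("sun", "java", "deployment", "cache", "javapi")
# Assumed current JRE (1.5.0_03, as quoted in the thread); anything older is stale.
CURRENT_JRE = (1, 5, 0, 3)

# Constructed sample paths modelled on the thread, not real scanner output.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\readFile.class",
    r"C:\Program Files\Java\jre1.5.0_03\bin\java.exe",
    r"C:\Program Files\Java\j2re1.4.2_05\lib\rt.jar",
    r"C:\Windows\System32\suspect.cpl",
]


def jre_version(path: str):
    """Extract (major, minor, patch, update) from an install dir such as j2re1.4.2_05; None if absent."""
    m = re.search(r"\\j(?:2re|re|dk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", path, re.I)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(path: str) -> str:
    """'jre_cache' = applet cached by the browser plug-in, 'jre_install' = file of an installed JRE, else 'other'."""
    parts = tuple(p.lower().rstrip("\\") for p in PureWindowsPath(path).parts)
    n = len(JRE_CACHE_MARKER)
    if any(parts[i:i + n] == JRE_CACHE_MARKER for i in range(len(parts) - n + 1)):
        return "jre_cache"
    return "jre_install" if jre_version(path) else "other"


def stale_jres(paths, current=CURRENT_JRE):
    """Distinct JRE versions older than `current` that still have files on disk."""
    found = {v for v in map(jre_version, paths) if v is not None}
    return sorted(v for v in found if v < current)


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify(p), p)
    print("stale JRE versions:", stale_jres(SAMPLE_PATHS))
```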

Hi Freewheelin Frank,

I will do as you told. I will update. How to uninstall the old version in Windows 98 SE? What was found by AVAST is quarantined by Avast. Can I leave that there? I think so. I ran an additional online scan by Bitdefender, and it stated the machine was all clean (some Spybot and Ad-aware files were secured by password though).
I use Java in FF for searching, e.g. Karroo etc. Besides Byteverify on a previous installation, I did not have that much ill luck with Java. I changed from the Microsoft Java version to the Sun Java machine. This is better, isn’t it? Now that I run Ad-aware, HijackThis, Spybot S&D, Bazooka, and a special hosts file I feel somewhat safer. How do you configure ScriptTrap? Do you have an idea? Thanks for your advice anyway. In Firefox I always download the latest versions of all. I also delete the old install programs, if there is no further need for them. And I have a restore-it program, so that I can always return to a clean Windows install. What information is collected by a malicious applet, if any? Is it a good thing to analyze suspicious cpl files? I am learning all the way here on this forum, mighty interesting, and also good to brush up the Queen’s English. So much for a Dutchman, eh?

kindest regards from this side of the fishing pond,

bye for now,

POLONUS

Hi, Polonus,

I’ve never used Windows 98, but according to this link, it should be the same as other versions of Windows:

Start, Settings, Control Panel, and double click Add/Remove Programs

http://www.computerhope.com/issues/ch000347.htm

Yes, virus files are safe in quarantine (the ‘virus chest’.)

Microsoft Java Virtual Machine is on the way out. It will only be supported for a few more years, and is not being developed at all. A move to Sun JRE is advisable.

Not sure what you mean by ScriptTrap. There is a feature of avast! 4.6 called WebShield which will block Java exploits before they reach your browser. Be sure this is enabled.

It’s important to uninstall old versions of Java JRE because a web page can choose to use an older version if it is still installed, and thus run an exploit.

Java exploits usually download a Trojan horse, to gain backdoor access to your computer or download other malicious software.

cpl files are used by at least one worm, so yes, it would be a good thing to analyse any suspicious ones.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DANDI.A&VSect=T

Your regards are returned from this side of the water!

Hi FreewheelinFrank,

From what you told me in your posting you know your way around Java a bit. So the contents of the next link might be interesting to you. The site treats our subject and probable solutions (BE AWARE: DO NOT CLICK SOME LINKS TO EXAMPLE APPLETS), see: http://www.cigital.com/hostile-applets/Rube/HAMGen.java It is a generator that apparently turns malicious applets out in all sorts of variations. What to do against this? The words of the troglodyte now ring in my ears (Is JAVA safe?). I also read about clever guys (or gals for that matter) who rename dangerous Java classes so they are no longer approachable. What about that? Interesting to dig a bit into this material, and certainly educating for the antivirus community. ScriptTrap is a small program that alerts on executing certain scripts, just to rethink your action. Even when you open a normal Word document it alerts, for instance.

Greetings,

POLONUS

Hello again Polonus,
Java code runs in a sandbox, and is not able to execute malicious actions outside of that sandbox. As long as the sandbox has no ‘holes’ it is safe to run Java code. The key to running Java safely is therefore to check regularly for updates to the Java JRE to ensure that any ‘holes’ or security vulnerabilities are patched.

I checked the site you mention and it dates from 1998. I can quite happily laugh in the face of any malicious code from that time because I’m running Java 5 update 2. However, I do of course, run a small risk that I will fall prey to some malicious code from 2005. (Especially as the latest version of JRE seems to be version 3, and I have received no automatic update or warning. Worrying!!)

Most people who fall victim to malicious Java code are using an old version of IE running a vulnerable MS Virtual Machine, like my brother who works for a major UK computing company (ok BT) who managed to download a Trojan on a work machine because it hadn’t been updated for several years. Now that really shouldn’t have happened!!

I’m prepared to take that risk because I believe the security in place is reasonable and I enjoy the features that Java provides. Of course that’s a personal choice. Personally I do most of my browsing with Firefox because I don’t think IE active content (ActiveX, jscript, VB Script) is particularly secure. ActiveX, for example, has access to the whole of your computer when it runs, as it doesn’t run in a sandbox. It relies on authors signing ActiveX controls as safe. I also allow Javascript because it adds a lot of features to web pages and I trust the security imposed by the browser, as long as I know my browser is up to date.

There are some people who recommend surfing without any active content: Java, Flash and Javascript. For me the internet would be a dull place without this content; in fact my home page and web-based email would simply not work. Anybody using the internet has to weigh up the risks for themselves.

I’ve never heard of Scriptrap. It’s certainly necessary to use a script blocker if you’re using avast! home because it doesn’t block script viruses. I use Microsoft Anti-Spyware, which blocks scripts from running.
Best Wishes,

FreewheelinFrank

Hi FreelinFrank,

I tell you what I did. I went to configurations, updated Java to the latest version, cleansed my program files of the previous one, and after that updated Firefox to the latest Dutch version; it was a couple of days after the English 1.04. I have one extra question though on the Java Console advanced settings. I installed the applet for Mozilla and not IE. Where it says shortcut creation I have “Prompt user if hinted”; or should I have “Prompt user” (period)? I wish you a nice time on the WWW, and stay away from viruses, adware, malware, scumware etc.

Yours faithfully,

POLONUS

Hello Polonus,

I have not investigated these settings myself. Interestingly, tag support is enabled for IE but not for Mozilla by default. I will have to investigate this further, but this is probably not the best time, as I am currently enjoying a can of your most excellent Carlsberg Export lager beer (brewed in the UK), and alcohol and mucking about with program settings don’t mix.

I hope you’re enjoying the same lovely evening over there we are here.

Freewheelin Frank.

Hi howdy FreelinkFrank,

Enjoy your pint. I know U.K. residents do not like theirs with the continental collar (here on the continent, I mean, you always have to serve 2 fingers of froth on a glass of Pilsener, and pints are very small in Holland (a “fluitje” (little flute) is a very small glass); in England it is like in Poland, they always have at least half a liter) and then you have a ploughman’s, I suppose. (Correct me if I am wrong.) So on the advanced Sun Java console settings, we discuss that topic later. All in its time, isn’t it? Have a super weekend my friend,

All the best, cheerio,

POLONUS

Hello Polonus,

I’ve been looking into the Java control panel settings, and to be honest, I can’t make much sense of them. The tag support box is ticked for IE but not for Firefox, and I can’t change the setting for Firefox. (In common with other people on the web.)

However, Java applets called by both the and tag seem to run fine in Firefox. I did come across some Java applications that ran in IE but not in Firefox, but my knowledge of Java is not enough to understand why this might be.

I also saw a reference to improved support for Firefox in Sun JRE 6.0. As this doesn’t seem to be a security issue, and most sites seem to work fine with the default settings, I’m not going to worry about them.

What does worry me is that automatic and manual update from the Java control panel didn’t tell me there was a new version available. (1.5.0_03)

http://news.bbc.co.uk/olmedia/550000/images/_552615_pint150.jpg

As to beer, every town here has (or used to have) its own brewery- In my town we used to have four- and every beer is different. Some beers have no head and some have a thick, creamy head. The most popular beer in my town has such a large head that they make the glasses an extra inch tall just for the head!

http://www.fullpint.co.uk/

A pint, by the way, is always a pint!

pint noun

1: a British imperial capacity measure (liquid or dry) equal to 4 gills or 568.26 cubic centimeters

Regrettably, we also drink a lot of ‘Europiss’ lagers, and this is killing local breweries. The term refers to lagers with European names but usually brewed here in the UK, and which all taste the same: nothing like an excellent European lager.

One of my favourites, like avast!, is a Czech product. But sadly, unlike avast! it’s not free, and I usually pick up a ten pack of Europiss cans rather than pay the same for four small bottles of Staropramen. But when I go out, it has to be an English real ale, head or no head, but without the ploughman’s- I can’t stand Branston Pickle.

Regards,

FF