
Older Java/Adobe infection


#1 sara08
Posted 08 February 2010 - 12:17 AM

I use Vista Home Premium and IE

A few days ago I visited Google news and clicked to open a few news sites that appeared very legit (NY Times, Forbes, some others can't remember) and was notified by Norton of an attack: Bloodhound.Exploit.193. The file was located in c:\users\me\appdata\local\microsoft\windows\temporary internet files\low\content.ie05\3mtxe48n\inwas[1].swf and was removed

After that I did a full scan with Norton (don't know why it wasn't automatically discovered) and found Trojan.ByteVerify (in onechunks.class???) located c:\users\me\appdata\locallow\sun\java\deployment\cache\6.0\27\78b51b5b-7ed2193a and it was quarantined

I haven't had any problems with my computer, besides being a little slow, but I have a slower dial up connection. I uninstalled my older Java and Adobe, but noticed that they are still located in my appdata files. I am also very concerned because it appears that many of the files have been modified very recently (some today). I used Norton File Insight to check the suspicious files, and results were Very Few users, Very recently created, Unproven-not enough information, which I find odd for Java or Adobe files.

I want to get rid of these programs now. But I just want to make sure that I can delete them safely.

Thank you for any help!


#2 quietman7

Posted 08 February 2010 - 11:45 AM

Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality.

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. See: here.

A number of anti-virus programs (AVG, eTrust, Pest Patrol, etc) and scanners will find Java/ByteVerify but cannot get rid of them. If you have the Java-Plugin installed, then deleting them from the Java cache should eliminate the problem. The Java Plug-In in the Control Panel is only present if you are using Sun's Java. If you don't have the Java-Plugin installed then just delete the files manually. The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

Recommended Solution:
• If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
• If you're using IE, Netscape, Mozilla, Opera, or AOL, follow the instructions for Clearing your Web Browser Cache.

Norton Internet Security/Norton Anti-virus has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound Technology. According to Symantec, Bloodhound.Exploit.193 is a heuristic detection for files attempting to exploit the Adobe Flash Player Multimedia File Remote Buffer Overflow (BID 28695). Under the Technical Details tab, Symantec indicates files that are detected as Bloodhound.Exploit.193 may or may not be malicious and asks that you Submit Virus Samples detected as this threat to the Symantec Security Response Team.

Symantec's technology uses an expert system to analyze the cataloged behaviors and assess the likelihood of viral infection. Bloodhound is not the name of a virus, but a message displayed by NAV when it thinks it may have found a new virus which is categorized as Exploit, Packed variants in their definition files.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" if virus detection technology (AutoProtect Settings) is set to High for Bloodhound and the heuristic analysis flags a file as suspicious or infected that contains no malware. You may want to Reset Bloodhound to default settings and try scanning again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 sara08

Posted 08 February 2010 - 09:06 PM

Thank you for taking the time to answer my question. I lost my previous computer to a virus and can't afford to lose my laptop. I guess I'm a bit paranoid, but wanted to make sure I could delete the files safely. Also I am getting a lot of communication blocks from my firewall from the same three ISPs, all located in China (within 10 minutes apart all day long). I deleted every single Java and Adobe file I could find. And I don't know if I want to download the latest versions. Are they REALLY safe this time? There were a lot of applets, but hopefully you are right and they were not activated.

As I was going through my appdata folder, I found a file c:user\appdata\roaming\microsoft\network\connections\Pbk\rasphone. It was actually a duplicate of another one that was located in a hidden folder and was modified three days ago. Should I be concerned?

Also in the same folder c:\user\appdata\roaming\WKLNHST.dat? Modified three days ago

Finally, c:\user\appdata\locallow\microsoft\internet explorer\TABICONCACHE.dat? Modified two days ago

I googled these, and came up with mixed responses. Maybe I should just do a hijackthis log so I'll feel better.

Thank you again!

#4 quietman7

Posted 09 February 2010 - 09:54 AM

I deleted every single Java and Adobe file I could find. And I don't know if I want to download the latest versions. Are they REALLY safe this time?

Most vendors try to update their programs when vulnerabilities are discovered so the latest versions are normally the safest to use. However, there is no guarantee an attacker will not look for new ways to circumvent security and exploit any program to achieve their goals.

I am getting a lot of communication blocks from my firewall from the same three ISPs, all located in China (within 10 minutes apart all day long).

A firewall controls network traffic and serves two basic purposes:
  • Prevent incoming communications that you did not request from entering your computer;
  • Monitor what programs on your computer are allowed to communicate out.
The firewall does this by enforcing an access control policy to permit or block (allow or deny) inbound and outbound traffic. Thus, the firewall acts as a central gateway for such traffic by denying illegitimate transfers and facilitating access which is deemed legitimate. The goal of the firewall is to prevent remote computers from accessing yours and provide notification of any unrequested traffic that was blocked along with the IP address. Keep in mind, however, that a firewall is not a panacea to solve all of your security problems. If you open ports through your firewall to allow access to an infected machine, then the firewall is no longer relevant.

If your firewall provides an alert which indicates it has blocked access to a port, that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer.
Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it.

It is not unusual for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion. If your computer is sending out large amounts of data, that can indicate that your system may have a virus or a Trojan.

If the alerts become too annoying, you should be able to go into your firewall settings and turn them off (Hide notification messages).

To check whether or not the port in question is open on your system you can use netstat from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
You can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity or various network traffic monitoring tools for troubleshooting and malware investigation.

You can investigate IP addresses and gather additional information at:

Rasphone is related to Remote Access Phonebook -> see here.

tabiconcache.dat and frameiconcache.dat are often seen in the C:/Documents and Settings/username/Local Settings/Application Data/Microsoft/Internet Explorer folder. I cannot find any information on either of those data files. I see a lot of helpers remove WKLNHST.dat but no information to indicate it is bad or what program was responsible for creating that file. Anytime you come across a suspicious file for which you cannot find any information about, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
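As an added example (not from the thread or from any tool it names) of reading the `netstat -ano` output described in the reply above: a Python script that parses a constructed sample and reports which TCP ports are listening on all interfaces (the ones a firewall alert would refer to) and which PIDs hold ESTABLISHED sessions to which remote hosts, so they can be looked up on Task Manager's Processes tab. The sample rows, addresses and PIDs are made up.

```python
import re

# Constructed sample of what `netstat -ano` prints on Windows (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.5:49321      74.125.19.99:80        ESTABLISHED     3104
  TCP    192.168.1.5:49322      74.125.19.99:443       ESTABLISHED     3104
  TCP    192.168.1.5:49330      64.12.24.8:443         TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1052
"""

# Proto, local, foreign, optional State (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per connection row, skipping the banner and header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def listening_ports(rows):
    """TCP ports open on every interface (0.0.0.0): what a firewall alert refers to."""
    return sorted(int(r["local"].rsplit(":", 1)[1]) for r in rows
                  if r["state"] == "LISTENING" and r["local"].startswith("0.0.0.0:"))

def established_peers(rows):
    """Foreign host -> PIDs holding an ESTABLISHED connection to it.
    TIME_WAIT rows are closed sessions, so they are left out."""
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            host = r["foreign"].rsplit(":", 1)[0]
            peers.setdefault(host, set()).add(r["pid"])
    return peers

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening on all interfaces:", listening_ports(rows))
    for host, pids in established_peers(rows).items():
        print(host, "<- PIDs", sorted(pids), "(look these up in Task Manager's Processes tab)")
```

On a real machine, pipe `netstat -ano` into a file and feed that text to `parse_netstat` instead of the constructed sample.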

#5 sara08

Posted 11 February 2010 - 12:43 AM

Thank you for answering my questions so quickly and for all of the information. It was very helpful. I will download the latest versions of Java and Acrobat. I used the command prompt and found four connections, but none were my local internet provider ISP. One was from the Netherlands. However, it would not let me enter the netstat command again, but would just produce the prompt again.

So, I restarted the computer and used netstat -a, and netstat, and now it is connected to a Google ISP in Mountain View, CA Established_Connection (twice), and someplace in NY is listed as time_wait (once). When I try to use the command again it just says Active Connections, but doesn't provide any information. Was my connection hacked by Google?

Thank you!

#6 quietman7

Posted 11 February 2010 - 05:34 AM

There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Caution: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity. For a list of TCP/UDP ports and notes about them, please refer to: