What's with Sun Java and viruses?

Moe Hair

Bootscan checks by my Avast program have been consistently finding viruses
such as the following in my Sun/Java directories such as the following:



3/26/2005 4:35:28 PM SYSTEM 600 Sign of "JS:NoCheat-2" has been found
in "C:\Documents and Settings\Application Data\Sun\Java\Deployment\cache
\javapi\v1.0\file\BlackBox.class-2ca97015-1848c13f.class" file.
3/26/2005 4:39:06 PM SYSTEM 600 Sign of "VBS:Malware [Gen]" has been
found in "C:\Documents and Settings\Application Data\Sun\Java\Deployment
\cache\javapi\v1.0\file\Dummy.class-4e92308d-1c5bde93.class" file.

Anybody experiencing the same?
 
David H. Lipman

From: "Moe Hair" <[email protected]>

| Bootscan checks by my Avast program have been consistently finding viruses
| such as the following in my Sun/Java directories such as the following:
|
| 3/26/2005 4:35:28 PM SYSTEM 600 Sign of "JS:NoCheat-2" has been found
| in "C:\Documents and Settings\Application Data\Sun\Java\Deployment\cache
| \javapi\v1.0\file\BlackBox.class-2ca97015-1848c13f.class" file.
| 3/26/2005 4:39:06 PM SYSTEM 600 Sign of "VBS:Malware [Gen]" has been
| found in "C:\Documents and Settings\Application Data\Sun\Java\Deployment
| \cache\javapi\v1.0\file\Dummy.class-4e92308d-1c5bde93.class" file.
|
| Anybody experiencing the same?

I haven't experienced one infected .CLASS file or a .CLASS file in a Java Jar with a Trojan
but I have assisted many who have.

1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

3) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt518.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

4) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode then shutdown as many applications as possible.
6) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
7) Restart your PC and perform a "final" Full Scan of your platform
8) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) Create a new Restore point

* Please report back your results *
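Triage of the bootscan report against steps 1 and 2 above, as an added example (not part of the original reply): it rejoins the wrapped report entries and shows which detections sit in a cache that those steps empty. The `locate` categories and the third report entry are constructed for the illustration.

```python
import re
from collections import namedtuple

# The two entries quoted in the thread, wrapped as posted, plus one entry
# constructed for this example (not from the thread) outside any cache.
REPORT = r'''3/26/2005 4:35:28 PM SYSTEM 600 Sign of "JS:NoCheat-2" has been found
in "C:\Documents and Settings\Application Data\Sun\Java\Deployment\cache
\javapi\v1.0\file\BlackBox.class-2ca97015-1848c13f.class" file.
3/26/2005 4:39:06 PM SYSTEM 600 Sign of "VBS:Malware [Gen]" has been
found in "C:\Documents and Settings\Application Data\Sun\Java\Deployment
\cache\javapi\v1.0\file\Dummy.class-4e92308d-1c5bde93.class" file.
3/26/2005 4:41:10 PM SYSTEM 600 Sign of "Constructed-Sample" has been
found in "C:\WINNT\Temp\constructed-sample.exe" file.
'''

Detection = namedtuple("Detection", "when signature path location")
RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} ")
RECORD = re.compile(r'^(\S+ \S+ [AP]M) \S+ \d+ Sign of "([^"]+)" '
                    r'has been found in "([^"]+)" file\.$')

def join_records(text):
    """Undo the wrapping: a line without a leading date continues the record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            # A wrap inside a path lands before a backslash; elsewhere it took a space.
            records[-1] += ("" if line.startswith("\\") else " ") + line
    return records

def locate(path):
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"   # emptied by step 2
    if "\\temporary internet files\\" in p:
        return "ie-cache"     # emptied by step 1
    return "other"            # left for the full scan in the later steps

def parse_report(text):
    matches = (RECORD.match(rec) for rec in join_records(text))
    return [Detection(*m.groups(), locate(m.group(3))) for m in matches if m]

if __name__ == "__main__":
    for d in parse_report(REPORT):
        print(f"{d.location:<11}{d.signature:<20}{d.path}")
```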
 
Moe Hair

| * Please report back your results *

Will report back later today. I think I'll need to eat my Wheaties in
order to perform all those tasks - LOL!

Thanks for the advice. For a second I thought claymania.com was your Clay
Aiken fan site, until I saw it actually had the generic meaning.
 
Clay

| Will report back later today. I think I'll need to eat my Wheaties in
| order to perform all those tasks - LOL!
|
| Thanks for the advice. For a second I thought claymania.com was your Clay
| Aiken fan site, until I saw it actually had the generic meaning.

Heh... I've actually received a few emails from people thinking they
were contacting Mr. Aiken. FWIW, claymania.com has been around since
1997 - long before Mr. Aiken's American Idol showcase.
 
Heather

| Clay Aiken fan site, until I saw it actually had the generic meaning.
|
| Heh... I've actually received a few emails from people thinking they
| were contacting Mr. Aiken. FWIW, claymania.com has been around since
| 1997 - long before Mr. Aiken's American Idol showcase.

Little do they know that you are also a musician......and a lot cuter,
grin!!

Right, Nicky????

Cheers.....Heather
 
Moe Hair

Ok - did the following as per your instructions and while no viruses were
found during safeboot, upon re-running Trend Micro's sysclean in normal
mode, Avast found the vbs.redlof virus in the sysclean.exe file, which I
understand has happened before to several people. I was able to move it to
the chest, though. I'm assuming this is a false positive - correct? I'm
running a Windows 2000 Pro OS.


Anyway, here's the only errors in the sysclean log. These errors occurred
in both the safe and normal boots. I substituted admin for the name of the
user:



2005-03-31, 08:57:50, An error occurred while scanning file "E:\Documents
and Settings\admin\NTUSER.DAT": Access is denied.
2005-03-31, 08:57:50, An error occurred while scanning file "E:\Documents
and Settings\admin\ntuser.dat.LOG": Access is denied.
2005-03-31, 08:59:13, An error occurred while scanning file "E:\Documents
and Settings\admin\Local Settings\Application Data\Microsoft\Windows
\UsrClass.dat": Access is denied.
2005-03-31, 08:59:13, An error occurred while scanning file "E:\Documents
and Settings\admin\Local Settings\Application Data\Microsoft\Windows
\UsrClass.dat.LOG": Access is denied.
2005-03-31, 09:03:59, An error was detected on "E:\System Volume
Information\*.*": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\default": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\default.LOG": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SAM": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SAM.LOG": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SECURITY": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SECURITY.LOG": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\software": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\software.LOG": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\system": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SYSTEM.ALT": Access is denied.
2005-03-31, 09:06:49, An error occurred while scanning file "E:\WINNT
\Temp\JET3712.tmp": Access is denied.


 
David H. Lipman

From: "Moe Hair" <[email protected]>

| Ok - did the following as per your instructions and while no viruses were
| found during safeboot, upon re-running Trend Micro's sysclean in normal
| mode, Avast found the vbs.redlof virus in the sysclean.exe file, which I
| understand has happened before to several people. I was able to move it to
| the chest, though. I'm assuming this is a false positive - correct? I'm
| running a Windows 2000 Pro OS.
|
| Anyway, here's the only errors in the sysclean log. These errors occurred
| in both the safe and normal boots. I substituted admin for the name of the
| user:
| | 2005-03-31, 08:57:50, An error occurred while scanning file "E:\Documents
|


"Avast found the vbs.redlof virus in the sysclean.exe" -- A well known False Positive
declaration.

Not worried about those error messages. Most are open File Handles, some are directories
where you need administrative rights to scan.

Sounds like the Java Script Trojans were removed and nothing else was found.
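One way to check the reasoning in the reply above against the posted log, as an added example (not part of the thread): it sorts each Sysclean "Access is denied" entry into files the running system holds open, protected directories, and anything left over that would deserve a look. The category names, the treatment of `.tmp` files as in use, and the last log entry are assumptions of this example.

```python
import re

# Entries from the log posted in the thread, wrapped as posted; the last
# entry is constructed for this example and is not from the thread.
LOG = r'''2005-03-31, 08:57:50, An error occurred while scanning file "E:\Documents
and Settings\admin\NTUSER.DAT": Access is denied.
2005-03-31, 08:59:13, An error occurred while scanning file "E:\Documents
and Settings\admin\Local Settings\Application Data\Microsoft\Windows
\UsrClass.dat.LOG": Access is denied.
2005-03-31, 09:03:59, An error was detected on "E:\System Volume
Information\*.*": Access is denied.
2005-03-31, 09:06:06, An error occurred while scanning file "E:\WINNT
\system32\config\SAM": Access is denied.
2005-03-31, 09:06:49, An error occurred while scanning file "E:\WINNT
\Temp\JET3712.tmp": Access is denied.
2005-03-31, 09:07:30, An error occurred while scanning file "E:\WINNT
\system32\constructed-sample.dll": Access is denied.
'''

ENTRY = re.compile(r'^(\d{4}-\d\d-\d\d, \d\d:\d\d:\d\d), An error (?:occurred while '
                   r'scanning file|was detected on)\s"([^"]+)":\s([^\n]+)$', re.M)
HIVE = re.compile(r'\\(ntuser|usrclass)\.dat(\.log)?$|\\system32\\config\\[^\\]+$', re.I)

def unwrap(path):
    # The post wrapped paths either before a backslash or at a space.
    return path.replace("\n\\", "\\").replace("\n", " ")

def classify(path, message):
    if message != "Access is denied.":
        return "review"
    if HIVE.search(path):
        return "open-handle"      # registry hive loaded by the running OS
    if re.search(r'\\temp\\[^\\]+\.tmp$', path, re.I):
        return "open-handle"      # assumed: temp file held by a running process
    if re.search(r'^[a-z]:\\system volume information\\', path, re.I):
        return "protected-dir"    # System Restore store, closed to ordinary accounts
    return "review"               # not explained by either reason in the reply

def triage(text):
    return [(unwrap(p), classify(unwrap(p), msg.strip()))
            for _when, p, msg in ENTRY.findall(text)]

if __name__ == "__main__":
    for path, category in triage(LOG):
        print(f"{category:<14}{path}")
```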
 
