Re: Winfixer/ Vundo / Virtumonde Victims : Please in Security

Re: Potential Vulnerability with Sun Java auto upd

Tue, 13 Dec 2005 17:10:27 EDT

CalamityJane : Time to bump this thread again. I'm still seeing a LOT of folks who have older version of Sun Java still on their systems.! Please update your Sun Java and be sure to remove ALL older versions!!

Re: Potential Vulnerability with Sun Java auto update

Fri, 02 Dec 2005 19:14:24 EDT

JackCam614 : Hey CalamityJane ,

I realize I'm just a wee bit 'late to the game' on this topic, but I just had to add my Sincere Thanks for all of your invaluable help with this Sun Java mess.

Thanks to you, I am now running only Version 1.5.0_06, and have removed via Ad/remove Programs 3 older versions, including the dangerous 1.4.2_03.

Hugs and Regards,
...
:)Jack

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 18:42:46 EDT

Fox2 : I had 3 on 2 computers

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 17:21:53 EDT

CalamityJane :

said by jbob :

See this thread of what it looks like to have the older versions installed to see what is left over from updating.

»Updating JAVA - MS/Sun

Right! The update doesn't uninstall any old versions. You HAVE to go to the Control Panel and look in Add/remove programs and uninstall each one ...keeping the latest, of course. Most people don't realize they have often more than one older version on there. I think one poster in this long thread had like 5 versions on there he didn't know about.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 16:59:36 EDT

jbob : See this thread of what it looks like to have the older versions installed to see what is left over from updating.

»Updating JAVA - MS/Sun

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 16:49:30 EDT

CalamityJane :

said by Justakiwi :

Many thanks! :)

You're quite welcome. Let us know if you have any problems.

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 16:40:16 EDT

Justakiwi :

said by CalamityJane :

said by Justakiwi :

Error no:0x80040703
Failed to find dll function:ActPanel.IsJava2Netscape6Default

Any other way I can uninstall this? :huh:

»java.sun.com/products/archive/j2···ows.html
This page has instructions under *Troubleshooting the Installation* about that error on that version of Sun Java and how to uninstall it.

Many thanks! :)

--
"You are never given a dream without also being given the power to make it true" ~ Richard Bach

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 15:38:56 EDT

CalamityJane :

said by Justakiwi :

Error no:0x80040703
Failed to find dll function:ActPanel.IsJava2Netscape6Default

Any other way I can uninstall this? :huh:

»java.sun.com/products/archive/j2···ows.html
This page has instructions under *Troubleshooting the Installation* about that error on that version of Sun Java and how to uninstall it.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 15:31:26 EDT

Justakiwi :

said by CalamityJane :

said by 3SGTE :

Here's mine.

Those are all older verisons. You need to update to the latest and get rid of those old ones. (Especially those old 1.4.2 versions!)

I've installed the latest version but I still have an old 1.4.0_01 version showing up in Add/Remove Programs. I've tried to uninstall it but I get the following error:

Error no:0x80040703
Failed to find dll function:ActPanel.IsJava2Netscape6Default

Any other way I can uninstall this? :huh:

It is still installed - it's not just one of those "still showing in Add/Remove Programs even though it's already been uninstalled" situations.

--
"You are never given a dream without also being given the power to make it true" ~ Richard Bach

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 14:51:54 EDT

Fox2 : CJ,

I am here everyday, I am just not a big talker *lol*.

Anyway at work I already warned collegues..this forum will have a few lurkers more I guess *s*

Jake

Re: Potential Vulnerability with Sun Java auto upd

Thu, 01 Dec 2005 14:48:26 EDT

CalamityJane : Hi Jake! {{{Hugs}}} back. And thanks for spreading the word! :) Good to see you here!

Re: Potential Vulnerability with Sun Java auto update

Thu, 01 Dec 2005 14:23:02 EDT

Fox2 : Geez, thanks to this topic I installed the latest version of java AND uninstalled/removed the previous versions :)

Big HUG for C.Jane and thank you for All of yet again teaching me something.

I will spread the word around in Belgium (well my family and friends to start with *lol*

thanks

Jake

Re: Vulnerabilities with Sun Java

Thu, 01 Dec 2005 01:05:56 EDT

Blackbird :

said by caffeinator :

I'm a bit confused as to how that can be. As I post this, I'm running an old Celeron 366, 192Mb RAM, with Win98SE.

Well... because my dinosaur is older than your dinosaur? Version 1.5.0 has to be installed on Win98SE or higher... I (and a few not-yet extinct others) still run Win98FE. That leaves us with 1.4.2 versions - currently still max'd at 1.4.2_10 as of tonite. ;)
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: Potential Vulnerability with Sun Java auto upd

Wed, 30 Nov 2005 22:46:58 EDT

H2OuUp2 : ava Runtime Environment Version 5.0 Update 5 Here.

I did about two months ago notice I had three versions installed, and uninstalled all but the most current one. Now I will really watch it.

Thanks!
--
He is no fool who gives up what he cannot keep, to gain what he cannot loose.

Re: Vulnerabilities with Sun Java

Wed, 30 Nov 2005 22:19:56 EDT

caffeinator :

said by Blackbird :

At least it's encouraging that those of us with old Windows versions who cannot upgrade to Java 1.5 can at least get updated 1.4.2 versions (the latest I think is 1.4.2_10) and then dump the lower revisions.

I'm a bit confused as to how that can be.

As I post this, I'm running an old Celeron 366, 192Mb RAM, with Win98SE.

I have no problems with Version 1.5.0 (build 1.5.0_06-b05) that just updated now from the old 1.5.0_04.

I originally got the Java 1.4 with Opera, then have used the Control Panel to run updates as I find them needed.

Am I just lucky? Or why wouldn't nearly any computer be able to run 1.5 if I can on this ancient box?

*edit*

I did have to manually go in and remove the old Update 4 after updating to the latest using the installer..you'd think they would have a smarter installer than that.

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Re: Vulnerabilities with Sun Java

Tue, 29 Nov 2005 17:47:51 EDT

Blackbird : Interesting... but it still doesn't address uninstalling the vulnerable old versions. :(
At least it's encouraging that those of us with old Windows versions who cannot upgrade to Java 1.5 can at least get updated 1.4.2 versions (the latest I think is 1.4.2_10) and then dump the lower revisions.
--
If God wanted us to work with electrons, He'd make them big enough to see...

Vulnerabilities with Sun Java

Tue, 29 Nov 2005 17:40:34 EDT

TK421 : Another FYI found today that I thought I'd share...

Sun Java JRE Sandbox Security Bypass Vulnerabilities

Secunia Advisory: SA17748 Print Advisory
Release Date: 2005-11-29

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software:
Sun Java JDK 1.5.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x

Description:
Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

Solution:
Update to the fixed versions.

JDK and JRE 5.0:
Update to JDK and JRE 5.0 Update 4 or later.
»java.sun.com/j2se/1.5.0/download.jsp

SDK and JRE 1.4.x:
Update to SDK and JRE 1.4.2_09 or later.
»java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.x:
Update to SDK and JRE 1.3.1_16 or later.
»java.sun.com/j2se/1.3/download.html

Re: Potential Vulnerability with Sun Java auto upd

Tue, 29 Nov 2005 12:25:29 EDT

CalamityJane :

said by brjoon1021 :

do I just go through the add/romve programs in the control panel, reboot then install the newer version ?

Yes, that's it! :) No need to hunt for an uninstaller.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto update

Tue, 29 Nov 2005 12:14:54 EDT

brjoon1021 : forgive me for a dumb question:

I have JSE 5.0 update 4. To uninstall this one before upgrading to JSE 5.0 update 5. do I just go through the add/romve programs in the control panel, reboot then install the newer version ? Or... as is often the case, do I have to do a registry hunt or a web hunt for someone's "complete uninstall tool" ?

Thanks,

B.

Re: Potential Vulnerability with Sun Java auto upd

Tue, 29 Nov 2005 11:34:15 EDT

CalamityJane : No problem Ciderdrinker,

Yes, there are some Universities having problems with the multiple versions needed, I just hope the software that needs it isn't the 1.4.2x versions as those seem to be the ones being exploited by Vundo/Virtumonde.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto update

Tue, 29 Nov 2005 11:33:16 EDT

anon : listen to your gut instinct
»www.majorgeeks.com/download4158.html

Re: Potential Vulnerability with Sun Java auto upd

Tue, 29 Nov 2005 02:53:37 EDT

Ciderdrinker : :o

Oops ... I voted before I realised it was "people who HAVE been infected". I went for "I haven't got 1.4.2_03" - & that was the only one that I've got.

It wasn't so much a security thing, as a nightmare with WebCT chat/ Question Mark Perception & more than one version of Java. Working in a University, we invariably ended up with more than one version - and having two played havoc with software that I have to support.

So, at home I have always disabled the autoupdate, & also uninstalled before installing the new one.

We have also complained to Sun about the lack of uninstalling - I'm sure that we aren't the only University who have problems with WebCT and/ or Perception and Java versions.

Re: Potential Vulnerability with Sun Java auto upd

Tue, 29 Nov 2005 01:14:06 EDT

Nirvana8 : Can a mod please pin this thread??

CalamityJane, I've done dozens of these Vundo logs over at Aumha (MowGreens home) and every one so far has Sun J2SE 1.4.2_03 installed, example: http://aumha.net/viewtopic.php?t=16897&sid=3443c41d2ec3c53d03003bf93cb120ff

I'm using SpySweeper (lazy) to get rid of it at the moment as it seems to do the job well, any reason to stick with Atribune's fix rather?

Also, have you posted at SWI about this vulnerability as I don't see anyone there advising to uninstall the earlier versions/deleting Java folder/updating?

Best Regards, Nirvana.

Re: Potential Vulnerability with Sun Java auto upd

Sun, 27 Nov 2005 13:29:44 EDT

CalamityJane : Time to *bump* this topic again...we're still seeing victim's of Vundo with the old Sun Java version installed.
»Need help with Virtumonde....

Reminder to Update your Sun Java folks and remember to remove all older vulnerable versions!

@ MowGreen , good to see you here! Welcome to DSLR :)
Have you tried contacting Sun again? (maybe with a link to this thread as proof of your theory about Vundo and old Sun Java versions)? With over 7,600 views and 150 replies they may want to take a look at this...or I can just keep bumping it as often as necessary to get the word out.

Oh, and people who have been victims of Vundo due to older Sun Java feel free to leave your comments for Sun on this page in the "feedback" section :)
»www.java.com/en/download/faq/ind···eral.xml

They are still recommending people keep the older versions....grrrrr! :o

I just left my comment:

quote:
See this thread about older versions of Sun Java left on systems leaving folks vulnerable to the new Vundo infection in droves:
»Potential Vulnerability with Sun Java auto update

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Wed, 23 Nov 2005 16:09:18 EDT

maximusqb : Hey thanks jfly for the link it was very helpful. I didn't know I could clear the jre cache like that. These days it seems like we have to be much more security conscious than in the past. I am getting in the habit of being more cautious. I have just started using a limited account as much as possible hoping this will add to my security measures along with the usual collection of apps like a firewall, antivirus, antispyware apps and the like.
My buddy just got some virus from aol instant mesenger the other day which took him a while to get rid of. Still not sure why he insists on using aol as he has an adelphia account and still pays aol at the same time. I asked him why he still keeps aol and he said he wouldn't know what to do without his aol. Guess he is into the whole aol communtity thing lol.

Re: Potential Vulnerability with Sun Java auto upd

Wed, 23 Nov 2005 02:11:09 EDT

TK421 :

said by maximusqb :

I had js2e 5.0 update 4 installed and yesterday norton antivirus 2005 found this: \Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-56abd334.zip is infected with the Trojan.ByteVerify virus.

I removed the file and the next norton scan came up clean, then I went to the kaspersky online scanner and that came up clean too so I guess I got rid of it. I just installed update 5 after uninstalling the old version. I also got rid of old restore points too. anyone know anything about this trojan.byteverify virus from the norton site it seems to be a low threat so hopefully i don't have to worry too much about it.

»java.com/en/download/help/cache_virus.xml

Re: Potential Vulnerability with Sun Java auto upd

Wed, 23 Nov 2005 02:09:18 EDT

TK421 : There's no good reason to keep 'em all, vulnerable or not. Dump the old versions.

Re: Potential Vulnerability with Sun Java auto update

Wed, 23 Nov 2005 02:07:06 EDT

BigPoppa44 : I have the following Sun Java Versions on my WinXp SP2 system: J2SE Runtime Environment 5.0 Update 1, Update 2, Update 3, Update 4 and Update 5. Does anyone know is there any vulnerability with having updates 1-4 of this version of Sun Java on my system or should I delete Updates 1-4 and just keep Update 5.

Re: Potential Vulnerability with Sun Java auto upd

Wed, 23 Nov 2005 00:09:29 EDT

maximusqb : I had js2e 5.0 update 4 installed and yesterday norton antivirus 2005 found this: \Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-56abd334.zip is infected with the Trojan.ByteVerify virus.

I removed the file and the next norton scan came up clean, then I went to the kaspersky online scanner and that came up clean too so I guess I got rid of it. I just installed update 5 after uninstalling the old version. I also got rid of old restore points too. anyone know anything about this trojan.byteverify virus from the norton site it seems to be a low threat so hopefully i don't have to worry too much about it.

Re: Potential Vulnerability with Sun Java auto update

Tue, 22 Nov 2005 17:44:22 EDT

fatdcuk : Well all i can see around the HJT forums is one heck of a lot of Winfixer/Vundo infections with the early version of Sun Java showing up in the *HJT logs,its got to be one of the most prolific exploits recently:( and needs as much publicity as possible to stem the tide.

*HJT show the most recent version of Sun Java installed and not if the vulnerable versions are also installed unfortunetly.

Great catch CJ,WTG Gal:)

Re: Potential Vulnerability with Sun Java auto upd

Tue, 22 Nov 2005 16:49:25 EDT

MowGreen : Sun speaks with a forked tongue in regards to removing older, vulnerable versions of their JRE. From their last Security Bulletin on Vulnerability With Java Runtime Environment May Allow Untrusted Applet to Elevate Privileges
»sunsolve.sun.com/search/document···security

Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages.

From »www.java.com/en/download/faq/5000070400.xml

Can I remove older versions of the JRE after installing a newer version?

It is recommended that you keep older versions of the JRE on your system. If you are running low on disk space, you can uninstall older versions of the JRE.

Pathetic. Why can't they at least give one straight answer ?:mad:

Re: Potential Vulnerability with Sun Java auto update

Mon, 21 Nov 2005 17:27:18 EDT

antiserious :
... not to hijack the thread, but this version (1.5.0_05) was the MOST difficult to install I've ever had ... I removed and installed 3 times, finally had to use THEE admin account (even my normally-used admin account would not work) and allow IT to create the folder (it rejected every folder I made, under any account, with that goofy 1722 error) ...

... I hate wrestling with software installs, it really makes me question the product's integrity and security ... and it seems Sun has some fubar'd web pages as well ...

... anyway, thanks for the heads-up Jane ... I REALLY hope there's not another one for a while, but I'm suspicious now ...

--
... "Do You Know Where Your Towel Is ?" ...

Re: Potential Vulnerability with Sun Java auto update

Mon, 21 Nov 2005 16:07:11 EDT

Blackbird : I'm curious... for us few dinosaurs out here still running older Windows versions that cannot use the Java 5.0 family, is Sun's "latest" 1.4.2_10 version also deemed by our resident gurus to still be a risk for these infections if that is all that we have installed? :huh:
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: Potential Vulnerability with Sun Java auto upd

Mon, 21 Nov 2005 13:18:25 EDT

phriday613 : Adding my thumbs up to this topic.

Informed others about this. Im going to keep a close eye on this.

Thanks!

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 12:03:44 EDT

mdoc1 : Anyway, my problem's solved, and thanks CJ and Cudni for the suggestions.

Re: Potential Vulnerability with Sun Java auto update

Sun, 20 Nov 2005 12:02:06 EDT

mdoc1 : That would be
»www.java.com/en/download/faq/5000070400.xml

Or close to it.

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 11:24:21 EDT

3SGTE : Thanks, Done!

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 11:10:46 EDT

CalamityJane : Hi dandelion! Unfortunately they still do have a FAQ page recommending keeping old versions (which is the other thing we griped about they said they would address...I guess not). Anyway, that's dangerous because those older versions are vulnerable if you happen to hit a website using that exploit, it will call up that older version of Sun Java and *poof* you're exploited.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto update

Sun, 20 Nov 2005 11:06:21 EDT

dandelion : Thanks for the information, I had kept one of the older ones and have since uninstalled it. I believe at one point, Sun Java had recommended keeping an old one due to the new one building off the older one (sorry, no longer have the link for that recommendation).
--
want to know what I'm doing? dandelion's place

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 11:02:59 EDT

CalamityJane :

said by 3SGTE :

Here's mine.

Those are all older verisons. You need to update to the latest and get rid of those old ones. (Especially those old 1.4.2 versions!)
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 10:45:50 EDT

3SGTE : Here's mine.

Re: Potential Vulnerability with Sun Java auto update

Sun, 20 Nov 2005 08:31:33 EDT

Zennest : Thanks for the warning. I had old version installed my computer (J2SE 1.4.2_03). I am just curious, do we really need Java? :)

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 05:18:13 EDT

Telly Boot : Yes, I've rebooted and every possible re... I can think of. I'm going to do some more research, but I don't want to divert further from CJ's original excellent target, which was the 'old version hoarding' of the Sun Java updates being a hidden security risk.
--
Dawn,n,The time when men of reason go to bed. (Ambrose Bierce.)

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 01:25:20 EDT

mdoc1 : Excerpt

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 01:23:42 EDT

mdoc1 : Have you rebooted your machine since you downloaded Version 5.0 update 5?

My machine defaulted to it because i didn't reboot.

Try that, then run the tests.

(And the Java pages say you only have to recycle the browser! see next post for excerpt)

Re: Potential Vulnerability with Sun Java auto upd

Sun, 20 Nov 2005 01:16:44 EDT

Telly Boot :

said by mdoc1 :

Test result box

Microsoft Corp. 1.1.4 is the Microsoft ( obsolete) Java. My machine was defaulting to it, despite having the control panel box ticked as you showed. I spent quite a bit of time trying to get the Sun Java to run, and even posted a thread on the subject a year ago, with no solution found. However my Homer Simpson method of using an obsolete tool to remove an obsolete MS Java component now causes my machine to default to an MS prompt when I go to the speed test check: to download the obsolete version which page/download does not exist. So much for that cunning workaround. I'm running Win2K, and everything has always been fully patched. Perchance I should finally upgrade to XP and that will deal with it. (Grumble! )
--
Dawn,n,The time when men of reason go to bed. (Ambrose Bierce.)

Re: Potential Vulnerability with Sun Java auto update

Sun, 20 Nov 2005 00:00:26 EDT

Blackbird :

said by jig :

the apps i've heard about tend to be interdepartmental form submission and database access apps. like a college's contracts and grants system for accounting... so, each computer in the contracts and grants division needs to have the appropriate jre installed, but they also use those computers for personal and general surfing...

If one simply must continue using security-vulnerable apps software on a high-importance computer, it becomes critically important to seal that software off from exploitation from the outside world. In your example, as a first protective measure, that probably means blocking all Internet usage from those old-Java-containing computers. There's serious risk in mixing "business with browsing" on mission-critical platforms anyway. One should also assure that the main network itself is protected as much as possible against infection that could attack elsewhere and spread over the network to exploit old Java on these critical computers. I'd consider blocking all old java folders on each affected computer from being shared or accessed over the network - but, of course, that would present operational problems if the software needing to invoke the old Java is on a remote network machine.

In the end, the safest path is probably to rewrite the relevant code modules to be version-neutral and upgrade the computers to immune Java versions. That may be costly to the school... but running the risk of chronic infections of the Winfixer/Vundo/Virtumonde variety can be even more costly.
--
If God wanted us to work with electrons, He'd make them big enough to see...

Version of Java???

Sat, 19 Nov 2005 23:47:51 EDT

amysheehan : Please disregard....dup....

:)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 23:36:09 EDT

mdoc1 : Cudni:

Your URL worked after I rebooted my machine (I never rebooted in all this time).

»/speedtest?test=1

I discovered the need to reboot after I found the Java checkbox in the Advanced tab of Internet Options in IE. It said, "Use JRE 1.5.0_05 for (requires restart)"

When I saw that, I rebooted and your URL gave the correct results.

But the verification page at the Java site STILL FAILED. The Java people I assume already knows this, as indicated in their FAQ, which says they are investigating.

For the benefit of everyone here: The correct current version is JRE 1.5.0_05 as indicated in the Internet Options box. For the Add/Remove box, it should say JRE (normal users version) or J2SE (developer's version) Runtime Environment version 5.0 upgrade 5.

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 23:25:28 EDT

kruser : CJ,
I've always wondered about this!

Adobe Acrobat was the same in Add/Remove, it always had the older versions listed but I think they have fixed that.

Thanks for the info!
I had two after I updated to the most current.

I would have had many more but I'd recently done a clean install of XP.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:39:06 EDT

mdoc1 : Test result box

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:37:39 EDT

mdoc1 : And THEN after I tried to "Get Java" (see above post) I get the page for downloading version 5.0 upgrade 5 software. I attempted it anyway, and I get that same verification test page again, but THIS time with a different result, saying i do NOT have version 5.0 upgrade 5! See the box.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:31:21 EDT

mdoc1 : Yes but this is the result:

it shows i have a version different than the JRE installed in Install/Remove box!

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:16:40 EDT

Cudni : Does this one, verification test, works
»/speedtest?test=1

Cudni
--
.. ....nothing but a well informed optimist
Help yourself so God can help you

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:16:21 EDT

mdoc1 : Telly try this test routine:
www.java.com/en/download/help/testvm.xml

This page shows the verification failure problem is being investigated by Java people, and the cause of the failure is unknown:
»www.java.com/en/download/help/50000413..

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 22:12:39 EDT

mdoc1 : Yes CJ that's easy... I have J2SE runtime environment 5.0 update 5

That's all the JRE I have installed, and the the online test routine (that you and I gave URLs for) fails the verification test.

As for the site dropping the cookie, I dunno if that's the problem or not.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 21:42:51 EDT

CalamityJane : Hi Telly Boot,

I swear I have read your post 5 times and I still am clueless. Microsoft put out a patch on their version which protects folks still using that one, but since you used a removal tool for it that I'm not familiar with at all, I wish I could help but I don't know what's the problem really.
Maybe something to do with this statement at the MajorGeeks link you posted?

quote:
Editors Note: The MSJVM Removal Tool is no longer hosted on Microsoft download servers. Because the MSJVM Removal Tool affects the whole system, and because these effects are not reversible, it was decided that this utility would be made available only to system administrators, to network administrators, and to other IT professionals. Unless you just found this

--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 17:48:35 EDT

Telly Boot : I'm having the same problem as MDOC, in that it is installed, and I have the little icon (blue coffee cup) but it isn't verified by Sun's tester, -nor can I run a Speed Test.
I tried the 'control panel > Java > advanced' tip by Corinne to see if that would help, but that didn't work. My machine appeared to be defaulting to the old MSVM 'Java' and this is something I tried to fix a year ago- but gave up. So, yes, I had four or five Sun Java versions installed as a result of carefully updating...! This time I knew to remove them and...tracked down the old MS Java removal tool ( MS don't support it any more) here:
»www.majorgeeks.com/download.php?det=4158
and manually removed MSJVM.
However I wouldn't recommend this action since my machine now prompts me to get java- since it and Sun detect none- despite having installed and re-installed the latest Sun Java version. I guess I have to go in and remove the last vestiges of MSJVM, since they don't make it any more- and so it can't be reinstalled.
Oh Well, at least I don't have any vulnerable versions...DOH!
So my question would be, ( and sorry for this diversion) if a machine insists on running the old MSJVM and won't run the Sun Java, is that 'resident' MSJVM still a vulnerability - on top of the old Java "updates" ?
Edit: running IE, and yes, got the Sun cookie.
--
Dawn,n,The time when men of reason go to bed. (Ambrose Bierce.)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 17:33:00 EDT

CalamityJane :

said by Duchess44 :

How do we scan for this? Is there a program like antivirus or something?

The vulnerability you mean? Just look in Add/Remove programs to see what versions you have installed. Get rid of any versions older than the latest 5.0 update 5.

If you mean scan for Vundo infection, many Antivirus Antispyware AntiTrojan programs detect it, but most are not able to remove it on an already infected computer.

As one poster above noted, SpySweeper is able to remove it on an infected PC.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 17:28:54 EDT

CalamityJane : As for the test page not working, it's probably just as easy to look in your Control Panel under Add/Remove programs and verify what versions you have installed there.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 17:23:56 EDT

jig :

said by mdoc1 :

I think rather there is something wrong with the test routine in the page. Yes, I am using IE and ActiveX is enabled.

just to add, i believe you also need to allow the site to drop a cookie on you. i'm running pretty tight here and i'm hesitant to test against my own setup, sorry.

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 15:20:16 EDT

Dude111 : I have 1.5.0_04 and it says ITS THE LATEST

Oh well

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 13:44:45 EDT

Duchess44 : How do we scan for this? Is there a program like antivirus or something?
--
»fofantasy.com

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 13:42:29 EDT

Duchess44 : I have version 1.5.0_05. I believe this is the latest one.
RObin
--
»fofantasy.com

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:40:41 EDT

mdoc1 : The response to feedback here is probably better than at Java. :p

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:36:21 EDT

CajunTek : Nice little feedback box there.. I think a lot people should provide some feedback there.. It might actually get them to do something about this and fix the darned updater...
--
Lost in Texas

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:32:12 EDT

mdoc1 : And THIS one actually recommends that you *keep* the older versions of JRE. And this is a *new* addition to their FAQ! :hmm:

Edited:

go here and click on the first FAQ entry which is marked new:

»www.java.com/en/download/faq/ind···eral.xml

(the entry says:
"Can I install the older version of the JRE after installing a newer version? new")

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:23:57 EDT

mdoc1 : Nope, that's the one that failed.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:20:26 EDT

CalamityJane : Try this one.
»www.java.com/en/download/windows···atic.jsp

It works for me (just tested it) :)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 13:06:57 EDT

mdoc1 : I think rather there is something wrong with the test routine in the page. Yes, I am using IE and ActiveX is enabled.

This other page tells me my JVM part of the software works!
»www.java.com/en/download/help/testvm.xml

The above link ultimately came from this link, given by a BBR member here:
»www.javatester.org/installing.html

But this page shows the problem is being investigated by Java people, and the cause of the failure is unknown:
»www.java.com/en/download/help/5000041300.xml

And it also shows a link to the very JVM test page that verified the JRE software for me.

Ah, well.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 12:34:23 EDT

CalamityJane :

said by mdoc1 :

...and when i do this, it just sits for 20 seconds and then up pops another page saying the software is not detected.

It might be that you are not using IE? And you need to allow scripts to run and ActiveX for it to detect.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 12:27:00 EDT

mdoc1 : CJ, the verification test I'm referring to is in this page:

»www.java.com/en/download/installed.jsp

...which, if you have the software installed, will show this text:

JAVA SOFTWARE for Your Computer

VERIFY YOUR JAVA SOFTWARE INSTALLATION

If you have recently completed your Java software installation, please ensure that you have completed the steps detailed in the installation instructions, including restarting your browser before testing your installation.

To test your installation, please click the "Verify Installation" button.

[Verify Installation]

...and when i do this, it just sits for 20 seconds and then up pops another page saying the software is not detected.

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 12:12:23 EDT

danny9 : Thanks Calamity Jane, once again for your help and concern in helping others.
I don't have Java installed at this time but always learn alot from your posts.
It's nice and comforting knowing there are people like you always willing to help.
You are amazing!
--
To Think or not to Think: That is the real question. VoicePulse 07/29/04

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 12:11:57 EDT

CalamityJane :

said by mdoc1 :

Failed verification again.

Not sure what you mean by failed verification. What is the exact message you are getting?

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 11:58:43 EDT

mdoc1 : Three "oops" in rapid succession... that's pretty good :D

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 11:47:55 EDT

mdoc1 : Spoke too soon. After the successful verification test, I removed all previous versions of JRE. Then retested the verification. That failed. I removed the JRE 5.0, then re-installed. Failed verification again.

Any recommendation?

I don't really need Java; I can live without it. I've seen the JRE website contents and the structure alone reflects a very messy management mindset to their software. Utter confusion.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 11:00:41 EDT

CalamityJane :

said by mdoc1 :

All is well now.

Glad to hear it, mdoc :)

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 10:38:57 EDT

mdoc1 : Oops, again. It failed because I didn't restart my browser. All is well now.

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 10:07:15 EDT

mdoc1 : Oops, I have 3 versions, each one 300MB:

Java Runtime Environment, SE v1.4.2_03
Java Runtime Environment, SE v1.4.2_05
Java Runtime Environment, SE v1.4.2_06

And I've been infected with a strain of winfixer (named Winfixer 2005, created Sept '05, and this did not have the usual BHO MSEvents line in HijackThis log). I just removed it last week successfully with Spy Sweeper (trial version); this was a one-step process.

And i just tried to install JRE 5.0 Update 5, it installed successfully but the test (onsite on JRE website) that tests for presence of JRE 5.0 failed.
Thanks.

Re: Potential Vulnerability with Sun Java auto upd

Sat, 19 Nov 2005 09:08:12 EDT

CalamityJane :

said by mers2 :

Has there been any response from Sun on this issue?

No response except for the one back in February where they acknowledged older vulnerable versions on a PC could be a risk for infection. They still have not responded to the recent request for what progress they have made to correct the issue.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 06:46:22 EDT

jig : the apps i've heard about tend to be interdepartmental form submission and database access apps. like a college's contracts and grants system for accounting...

there are tons of rules involved, and the original development took a long time, and the developers tended to not write things in compartmentalized ways, partially due to the very customized nature of the app, partially due to naivete.

so, each computer in the contracts and grants division needs to have the appropriate jre installed, but they also use those computers for personal and general surfing... and as far as i know there is no way to selectively block access to specific versions of java. i think that would be the ideal situation for groups such as these, to have a tool where they could deny access to older versions of java except when interacting with x.

Re: Potential Vulnerability with Sun Java auto update

Sat, 19 Nov 2005 01:59:00 EDT

Blackbird :

said by Dude111 :

Why would anyone leave a previous version installed once they upgrade???? ...

I think the link nirvansk815 provided earlier in the thread answers that question, albeit only very generally:
»www.java.com/en/download/faq/5000070400.xml

Because Sun Java operates in a broad digital universe, they're probably concerned that app or applet coding dependent on the specifics of some older version of Java will break if that old version and its files are removed from the host computer... and they don't want to take flak for breaking it.

So the challenge seems to be to convince Sun that the exploitation risks of retaining old Java versions on a computer outweigh the risks of breaking some legitimate app/applet by removing them. It would probably help all of us a lot to understand what such "breakable" apps might include - and whether their breakage mechanisms use valid Java coding techniques in the first place.
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: Potential Vulnerability with Sun Java auto update

Fri, 18 Nov 2005 23:12:50 EDT

Dude111 : I have 1.5.0_04 :)

Why would anyone leave a previous version installed once they upgrade???? They are so big,i always ditch the old one (To save space on my disk)

If your unsure of your version numba,you can Click here to find out :)

Re: Potential Vulnerability with Sun Java auto update

Fri, 18 Nov 2005 23:07:31 EDT

mers2 : If I'm not doing the work on the computer myself, I am now telling people to ignore Sun's instructions and uninstall every prior version on their box before installing the current update. Has there been any response from Sun on this issue?
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.

Re: Potential Vulnerability with Sun Java auto upd

Thu, 17 Nov 2005 13:18:00 EDT

psloss : Thanks for posting about this, by the way, CalamityJane. Gonna have to be on the lookout for this now.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: Potential Vulnerability with Sun Java auto upd

Thu, 17 Nov 2005 13:09:02 EDT

CalamityJane : Thanks for the info and confirm CajunTek.

I just finished another Vundo infection in this thread:
»Virtumundo.c HJT Log

He had two versions of Sun Java.
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_05
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Wed, 16 Nov 2005 21:06:28 EDT

CajunTek :

said by CalamityJane :

Glad to hear it goalieskates! :) Remember to uninstall old versions after an update too.

Ok folks, here is yet another Vundo/Winfixer infectee with older versions of Java installed underneath the most current version:
»HJT Log: Win Fixer/Virtumondo problem?
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5

SunMicrosystems really needs to FIX this! :mad:

Yep CJ I've now seen 5 just like that.. all with uptodate java in front :) and all the old version hiding in the back..:huh:
--
Lost in Texas

Re: Potential Vulnerability with Sun Java auto upd

Wed, 16 Nov 2005 17:20:40 EDT

CalamityJane : Glad to hear it goalieskates! :) Remember to uninstall old versions after an update too.

Ok folks, here is yet another Vundo/Winfixer infectee with older versions of Java installed underneath the most current version:
»HJT Log: Win Fixer/Virtumondo problem?
Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5

SunMicrosystems really needs to FIX this! :mad:
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto update

Wed, 16 Nov 2005 07:06:15 EDT

goalieskates : Just another thank you, Calamity Jane. I had several previous versions installed. All gone now! :)

Re: Potential Vulnerability with Sun Java auto update

Mon, 14 Nov 2005 22:33:47 EDT

Dustyn : Great post CalamityJane !
This seems to be bringing a lot of worth while attention to the fact that Sun Java never seems to remove previous versions while updating. :p

VERSION: Sun Java Runtime Environment Version 5.0 Update 5

This is what I have on my system and I make sure to always completely remove the previous version. I don't use the auto-update feature as it has proved to be unreliable.

Actually, when has it ever worked correctly?! :o :D
--
"You have no idea what I am capable of. People who have tried to cross me, have lived to regret it...~Michelle Stafford (Phyllis)

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 21:44:26 EDT

NanDog : Yup, both removed and now have the current ver.

Thanks, Janie, for keeping your nose to the security grindstone! :D

I think I spend way too much time making sure this box is clean and secure but I think you make me look like a piker! (And you're doing this more for others than for yourself!!)

Many thanks!
--
See ya across the Rainbow Bridge, my good and faithful friend!

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 20:07:52 EDT

CalamityJane :

said by ravencajun :

So should I now go to add remove and remove the top 2(1.4.2_05 and 5.0update 2) and only leave the J2SE 5.0update5 ??

Thanks for always keeping us safe!!

Yes :) And you're welcome. Glad we could help, as always.

Don't worry about the voting folks. We're way beyond that and the poll part was flawed the way it was written. Right now we're just trying to get the word out about the old verisons vulnerability so ya'll are protected.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 20:04:22 EDT

CalamityJane : Glad to hear it, sailor!

And thank you for the reminder about the Google toolbar ...I need to put that in my instructions for folks to remember to uncheck the box if they don't want it.

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 19:50:47 EDT

ravencajun : OH darn I am sorry I voted too and have not had the infection. I voted that I do not have 1.4.2.03.

This is what shows up in my add remove area
Java 2 SE v1.4.2_05

J2SE 5.0update 2
J2SE 5.0update5

So should I now go to add remove and remove the top 2(1.4.2_05 and 5.0update 2) and only leave the J2SE 5.0update5 ??

Thanks for always keeping us safe!!

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 19:40:01 EDT

sailor :

said by CalamityJane :

said by sailor :

I have no idea what Sun Java even is but I believe I need it to see streaming live stock quotes that I use and that it came with me Dell...

I just looked into my Add/Remove Programs and I see 2 lines as follows:

JAVA 2 RUNTIME ENVIROMENT SE V1.4.2_03 136.00MB

JAVA 2 RUNTIME ENVIROMENT SE V.14.2_06 108.00MB

Please advise what I should do, if anything...
Thanks..

(Virus scan comes up clean..No problems with computer)

Sailor,

You have the vulnerable versions on your system and are at risk. You need to get the most current version and then remove the older versions.

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 5
Please go to this link to verify your version to get the updates needed:
»www.java.com/en/download/windows···atic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software and get the updated version.

Then go to your Control Panel and look in Add/Remove programs and highlight each of these two and press *remove* one at a time:

quote:
JAVA 2 RUNTIME ENVIROMENT SE V1.4.2_03 136.00MB

JAVA 2 RUNTIME ENVIROMENT SE V.14.2_06 108.00MB

Calamity Jane,

I wish to thank you for bringing this to the attention of the community and for replying to my post to you. I appreciate your very detailed step by step instructions including the link you provided for me to be able to get the current version and then delete the 2 that were in my Add/Remove Programs...

During the steps for the Java latest installation, I followed the instructions per your reply and I was able to UN-Check the box that Sun had automatically checked for the Google toolbar to be installed on my computer....I have no desire for it and was able to see that they had checked it due to I was taking each step slowly per your instructions, I was able to catch it and take the check out of the box to prevent Sun from adding the Google toolbar to my IE...

So due to your professional assistance, I was able to Update to the latest Java and then delete the other 2....For this, I thank you!!

Sailor

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 07:44:04 EDT

CalamityJane :

said by NanDog :

In any case, I had both v1.4.2_04 and _05.

You removed them, right? Because yes, those are vulnerable versions.

said by RobertLudlum :
What is surprising to me is that malware can exploit the existing older version.

Exactly! Sun needs to fix this problem. Older versions left behind can be called up by the malware and infect your system. Sun has acknowledged this but hasn't done anything about it!
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Mon, 14 Nov 2005 07:35:58 EDT

CalamityJane :

quote:
JAVA 2 RUNTIME ENVIROMENT SE V1.4.2_03 136.00MB

JAVA 2 RUNTIME ENVIROMENT SE V.14.2_06 108.00MB

Don't worry about the voting guys. Right now the main thing is to get the word out so you all know how to correct the problem
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 14 Nov 2005 07:18:33 EDT

RobertLudlum :

said by TK421 :

Updating Java is just one of those things many people don't think about... after all, why fix what ain't broke? Even Sun Java's built-in automatic update does not work reliably.

Yet the surprising fact (for many, I suspect) is that previous Java versions remain on the box after updating to the latest version. Sun does not remove old versions apparently so the update won't delete cached applets (most users won't have any anyway).

I noticed this a while back, but I generally keep the last version around for a few hours/days while I test the newest one is working properly.

What is surprising to me is that malware can exploit the existing older version.

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sun, 13 Nov 2005 22:50:53 EDT

bpm3k : Oops... I love polls. I voted before I read your "please don't vote if you have not been infected with Vundo" part.

Remove one "I don't have any version of Sun Java" vote.

Re: Potential Vulnerability with Sun Java auto update

Sun, 13 Nov 2005 22:30:22 EDT

NanDog : Oooops...mea culpa!

I too did not notice until after I voted that you just wanted victims of Winfixer et al, to vote.

May I suggest that you put that caveat before the vote section?

In any case, I had both v1.4.2_04 and _05.
--
See ya across the Rainbow Bridge, my good and faithful friend!

Re: Potential Vulnerability with Sun Java auto update

Sun, 13 Nov 2005 22:21:05 EDT

sailor : I have no idea what Sun Java even is but I believe I need it to see streaming live stock quotes that I use and that it came with me Dell...

I just looked into my Add/Remove Programs and I see 2 lines as follows:

JAVA 2 RUNTIME ENVIROMENT SE V1.4.2_03 136.00MB

JAVA 2 RUNTIME ENVIROMENT SE V.14.2_06 108.00MB

Please advise what I should do, if anything...
Thanks..

(Virus scan comes up clean..No problems with computer)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sun, 13 Nov 2005 21:44:41 EDT

GercekSeytan :

said by mazhurg :

... remove me :o

Ditto. :o :uhh:

Re: Potential Vulnerability with Sun Java auto upd

Sun, 13 Nov 2005 19:45:46 EDT

CajunTek : There was absolutely no shame in that Bump CJ.. and their shouldn't have been.. This thing is worse than the Bube.. epidemic...

Re: Potential Vulnerability with Sun Java auto upd

Sun, 13 Nov 2005 19:43:31 EDT

CalamityJane : *Shameless bump*

But we're still seeing oodles of Vundo/Winfixer/Virtumonde infectees due to this vulnerability.

Folks, Update your Sun Java and remove any older versions They are in your control panel under Add/Remove Programs.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Potential Vulnerability with Sun Java auto upd

Sat, 12 Nov 2005 20:27:39 EDT

CalamityJane : I requested our Moderator, Wildcatboy to edit the the title to to this thread, in case ya'll are wondering. :)

It worked :D

Anyone with Sun Java installed....please uninstall old versions of Sun Java and then get the latest updates
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 20:21:00 EDT

CajunTek : See CJ's last response.. Her advice is as usual.. GOLDEN!!
--
Lost in Texas

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 20:13:47 EDT

angel_ve : Thanks a lot CajunTek the problem seem to be solved. I'll keep posting if it comes back. What advise can be given to non tech people to avoid this problem??

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 18:46:03 EDT

angel_ve : I posted the log under:

»HJT Log Virtumonde

Thanks a lot for your help

Sun Java not always listed in Add/Remove Programs

Sat, 12 Nov 2005 16:00:18 EDT

SanJoseNerd : After uninstalling two old versions of Sun Java using Add/Remove Programs, I discovered a third even older version that was not listed in Add/Remove Programs. I had to uninstall it manually in C:\WINDOWS\Downloaded Program Files.

This older version was probably pre-installed by Dell, which might explain its absence from Add/Remove Programs.

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 11:38:31 EDT

CajunTek : Start a new thread, post a hijackthis log.. We can help you clean it up.. There is another method (or two).. and another thing.. why not register here?
--
Lost in Texas

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 11:36:45 EDT

anon : I got infected. I have 1.4.1 (SAS Private Version) and 1.4.2_03 HOW DO I GET RID OF IT!?!?!?! Symantec tool not working!!

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Sat, 12 Nov 2005 10:10:34 EDT

Fieryblizzrd : I'm running version 1.4.1 and having problems removing Virtumondo... I'm planning on posting my HJT log soon in hopes someone can point out the entries I need to fix and utilities I need to run.

Re: Winfixer/ Vundo / Virtumonde Victims : Please Read

Tue, 08 Nov 2005 17:51:07 EDT

toolman12 : Just a side note for those of you that have McAfee like I do on a corporate laptop. By default the On-Access Scanner does not have "detect potentially unwanted programs" and "detect joke programs" enabled by default. According to the McAfee website this would have been the magic bullet that would have prevented me from getting the Winfixer/Vundo attack in the first place. You will have to go to "Advanced Settings" under properties to check these settings. Doh!

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Tue, 08 Nov 2005 08:22:30 EDT

CalamityJane :

said by CajunTek :

Update to CJ.. On the Vundo infections that I have worked with where the user had 1.5.. They also had one or more of the 1.4x versions as well..

Thank you, Cajun, for checking that out. That bears out the theory that the older versions are being exploited when they are not removed after an update :huh:
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Tue, 08 Nov 2005 05:55:01 EDT

CajunTek : Update to CJ.. On the Vundo infections that I have worked with where the user had 1.5.. They also had one or more of the 1.4x versions as well..

One thing to be concerned about.. When this is the case, I have yet to have the symantec fix work, The attribune fix has worked everytime.. (Sometimes in conjunction with Ewido to clean up the details)..

da cajun
--
Lost in Texas

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Tue, 08 Nov 2005 01:25:33 EDT

chachazz : May find C:\Programs:
Folder(version)\lib\applet\WMPNS.jar
which I remove manually.
--
Chachazz

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 23:31:20 EDT

jbob : Same here but some did indeed did have files present but since I've been doing this for a while now I do not remember what was there anymore. When I uninstall now I simply just delete the remaining folders afterwards without looking. Perhaps I'll load a test machine with an older version, uninstall it and check to see what is remaining.

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 23:14:55 EDT

jvmorris : Are there actual files present in these folders, or just the folders themselves? (I've no idea myself because I only had one version of the Sun JVM on any of the machines present here.)
--
Regards, Joseph V. Morris

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 23:05:28 EDT

jbob : Just an FYI but an uninstall of older versions leaves some folders intact. Not sure how this would affect things though or really of the contents. I noticed many months back of these upgrade issues when I noticed multiple Sun folders including multiple uninstall remnants in Add/Remove Programs. After I uninstall in preparation for an updated version of Sun Java now I go and delete all the leftover folders just in case.

Re: Winfixer/ Vundo / Virtumonde Victims : Please Read

Mon, 07 Nov 2005 22:09:19 EDT

hayc59 : Thanks Chazz ans updated as soon as I read this little
ditty ;):D

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 22:02:27 EDT

chachazz : Just a note -
When posting Sun Java updates, I usually follow the update details with the following suggestion:

Download the 'Offline' Update file.
Uninstall all older versions of Sun Java.
Run a cache cleaner and registry cleaner(optional)
Reboot.
Install new version.
Reboot.

The rebooting process seems to be necessary to ensure a good clean install and operation of the new version. I've never had a problem updating Java.

Current Java:
(JRE 5.0 Update 5 includes the JVM technology)
J2SE(TM) Development Kit 5.0 Update 5
jdk-1_5_0_05-windows-i586-p.exe

hayc59 looks like you need to update(?). ;)
--
Chachazz

Re: Winfixer/ Vundo / Virtumonde Victims : Please Read

Mon, 07 Nov 2005 21:45:19 EDT

hayc59 : I also accidently voted...sorry
can someone post some good setting for this?
after looking at Corrines post did not know
all those setting were available
thanks
--
ãrê ¥Øu êxpêriêncêD
9/11/01 Never Forget

Re: Winfixer/ Vundo / Virtumonde Victims : Please Read

Mon, 07 Nov 2005 21:25:27 EDT

hayc59 : Sun J2SE 1.4.2_03 is the version I have!!

Re: Winfixer/ Vundo / Virtumonde Victims : Please Read

Mon, 07 Nov 2005 20:57:43 EDT

anon : omgwtf! I had so many instances of java, removing all but the latest must have given me back about half a gig of disk space.

:o

*lobs a grenade at Sun*

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 20:33:15 EDT

TK421 : Updating Java is just one of those things many people don't think about... after all, why fix what ain't broke? Even Sun Java's built-in automatic update does not work reliably.

Yet the surprising fact (for many, I suspect) is that previous Java versions remain on the box after updating to the latest version. Sun does not remove old versions apparently so the update won't delete cached applets (most users won't have any anyway).

This thread is a great reminder to keep all components current, but even more than that, it sheds light on a possible vulnerability that is easily overlooked.

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 19:52:57 EDT

Jrb2 :

quote:
But what has happened is this thread is doing a service to all our members in getting the word out about this vulnerability of older versions left on PCs after updating that Sun will not fix!

And may I add a huge thank-you and thumbs-up to you Janie (and of course to others involved) in making everyone aware about this!!!

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 19:04:23 EDT

mrsplants : Yes I updated to update5 and then removed runtime update1.. thanks:)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 18:52:37 EDT

CalamityJane : SqueeksDad...{{{Hugs}}} That's ok. Most folks missed that part too - not to worry. Comments are welcome from those who did have the infection as well as those who didn't.

Right now we're trying to get the word out to everyone about updating and removing old versions at this point. I may just ask WCB to go ahead and change the title and edit out the poll anyway (numbers are kinda skewered) ;)

But what has happened is this thread is doing a service to all our members in getting the word out about this vulnerability of older versions left on PCs after updating that Sun will not fix!:mad:
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 18:39:43 EDT

SqueeksDad : Darn IT!! Calamity I voted cuz I had more than 3 versions installed but did NOT have an infection, I just didn't see that part til it was too late. Sorry!
--
Ways to Relieve Stress #10. Make up a language and ask people for directions.

Re: Winfixer/ Vundo / Virtumonde Victims : Please

Mon, 07 Nov 2005 18:15:32 EDT

Corrine : After updating Sun Java, I could connect (dialup) but kept getting "page cannot be displayed" regardless of the browser I tried. My friend Mitch gave me the solution:

Go to Start > Control Panel > Java > Advanced >   tag support > Place a check in the box next to the listed browser(s). 
--
Corrine, Administrator Freedomlist; 
Proud Charter Member ASAP Since 2004 (Alliance of Security Analysis Professionals)



Re: Winfixer/ Vundo / Virtumonde Victims : Please
Mon, 07 Nov 2005 13:03:25 EDT
Pole883 : Have a great week!!

Be well........


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Mon, 07 Nov 2005 11:48:05 EDT
CalamityJane : Thanks for the feedback, Sarah!  Kinda confirms what we've been seeing.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Mon, 07 Nov 2005 11:44:27 EDT
Sarah : said by  CalamityJane  :

we think Vundo is installing by using an exploit of older versions of Sun Java when you just visit an infected webpage. Many of the systems I have cleaned up were uptodate with AV/AT/AS software and windows updates and well secured systems, except for the blasted old version of Sun Java still installed. 
That does explain my infection, at least. I had the 1.4.2_03 version installed and nothing else (it is/was a fairly new computer and that's what was installed when I got it). I'd read that it came through a link in a spam e-mail, which I knew wasn't right since I don't even think about opening spam, let alone clicking a link...
--
BEAT IT, BILL!
(The devil makes work for idle hands, but Stanford makes work for idle CPUs!)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Mon, 07 Nov 2005 07:14:20 EDT
CalamityJane : Yes, that is the webpage we have been complaining about and asked Sun to fix that because older versions are vulnerable to exploits when left on the system.  
»secunia.com/advisories/15671/
Sun has acknowledged this as far back as Feburary of this year, and said they would investigate fixing the webpages and the issue with the auto updates not removing older versions.  But to date, they have not :(

Most users are not aware that because of this their systems may not be secure. 

The most current update is listed in the original post.  And all older versions of Sun Java should be removed in Add/Remove programs.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Mon, 07 Nov 2005 01:21:12 EDT
nirvansk815 : What about this:

" General Questions 

     
Printable Version  

Can I remove older versions of the JRE after installing a newer version? 

The latest version of the Java Runtime Environment (JRE) contains updates to previous versions. There might be some applications or applets written and tested against a specific version of the JRE. 

It is recommended that you keep older versions of the JRE on your system. If you are running low on disk space, you can uninstall older versions of the JRE. 

To remove older versions of JRE, go to Windows Java Runtime Environment uninstallation instructions page. 
  
"
»www.java.com/en/download/faq/5000070400.xml

Who's right?
--
There's so much to be thankful for...How can anyone be sad?


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Mon, 07 Nov 2005 00:43:50 EDT
duaneinva : I got hit with Winfixer/Vundo 1 1/2 weeks ago, and wondered how the heck I got it.  I practice safe computing, and yet I got it.  :(

I knew I had *something* when my laptop stopped going into sleep mode when the lid was closed.  The light on the mouse went out, then came BACK ON.  All I knew is that I did not install anything at that time.

I finally got rid of it by using Hijackthis and another program that allowed the suspect .dll file to be deleted on bootup, but it was a pain.

Edit:  Using the latest Spybot and McAfee Virus -- neither of them detected it. :(

BTW, I had 1.4.2_03 Java installed, until I just installed the 1.50 Update 5.  


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Mon, 07 Nov 2005 00:13:26 EDT
heels_fan : I have 5.0 update 1,2 and 5. should i delete update 1 and 2?


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 23:57:02 EDT
jose3030 : Wow, I noticed this fact on my own today.

Uninstalled 3&4 and installed 5 today.  I still have to reboot-- but that will come later. :) 


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 19:52:32 EDT
jvmorris : Well, to just continue in that vein . . . what's with a Sun JVM update needing ActiveX to work?  It's my recollection that one of the never-ending 'advantages' of relying on Java (and especially Sun Java) was that you wouldn't need ActiveX.  But, now I still find a Sun worksite depending on ActiveX!  It got worse; without cross-site cookies and referrers enabled, I couldn't even get to the update!  This is supposed to be a 'more secure' solution?  I don't think so!
--
Regards,
    Joseph V. Morris


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 19:42:15 EDT
CalamityJane : said by  Vvian Kalyss  :

Thank you :)

I removed the 4 extra ones and rebooted, and noticed the hdd space freed. It seems that they are all self-contained and don't even share common files? I thought updating something meant modifying the older files, apparently they decided to play it safe and just made a new install every time. Bloatware :D
 
And that is exactly the problem!  A malicious website could call up one of the older versions and infect your PC.  Sun Java updates do NOT remove older vulnerable versions, even though we have bugged them about it :(
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 19:35:18 EDT
Vvian Kalyss : Thank you :)

I removed the 4 extra ones and rebooted, and noticed the hdd space freed. It seems that they are all self-contained and don't even share common files? I thought updating something meant modifying the older files, apparently they decided to play it safe and just made a new install every time. Bloatware :D
--
Mikami Vvian, resident Girlfriend of Steel, care of the Tokyo-3 Middle Daughters Club


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 19:25:14 EDT
CalamityJane : What Jack b said.

In Add/Remove programs click on these and press *remove*
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb

And leave this one alone:
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb as that IS the most current version.

(Anyone notice the size of those suckers? :o )

Leaving those old versions on your PC leaves your vulnerable to exploits.  And remember to remove old versions manually on subsequent updates of Sun Java.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 19:16:12 EDT
jack b : The most current version of Sun Java is Java Runtime Environment Version 5.0 Update 5
(J2SE Runtime Environment 5.0 Update 5) 

You can safely dump all the others.
--
~Help find a cure for Cancer~ 
 ~Proud Member of Team Discovery ~


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 19:11:46 EDT
Vvian Kalyss : No vote, am not infected (afaik...). Just curious, where does the version info show up? IE -> Tools -> Sun Java Console, just displays some text. Under Add/Remove programs (Control Panel) however I see 5 items:

J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb

Does that mean this machine has 5? If so, should I pick one (which one?) and uninstall the rest?

Confusing :(

Edit: Didn't notice the pop-under on that page. It checked and said I had the latest version. Didn't say anything about other existing versions though.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 16:58:16 EDT
CalamityJane : said by  toolman12  :

 Not sure where I picked up vundo.  Maybe off a shared drive?  I thought I had a pretty secure system on a fairly secure network.  Oh well, so much for that theory.  
No, we think Vundo is installing by using an exploit of older versions of Sun Java when you just visit an infected webpage. Many of the systems I have cleaned up were uptodate with AV/AT/AS software and windows updates and well secured systems, except for the blasted old version of Sun Java still installed.

Glad you got rid of it.  At least you know where to come if you find that you didn't and that newer version of Sun Java should be safe (for now).  Just remember when you update Sun Java to remove the old version manually.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 16:50:06 EDT
toolman12 : Calamity - Surprisingly enough I was able to remove it by doing a system restore to a point about 3 weeks back.  I then ran the Symantec tool twice following the instructions provided and it did not detect vundo.  Everything seems to be working just great now.  I did not expect things to go back to normal so easy, but I think I was just lucky.  Not sure where I picked up vundo.  Maybe off a shared drive?  I thought I had a pretty secure system on a fairly secure network.  Oh well, so much for that theory.  

Thanks for your very informative post on the subject.  I'm sure more folks will be picking this thing up as time goes on. 


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 13:24:57 EDT
CalamityJane : @toolman12 & lgkahn,

Are you still having a problem with it?  Did you try the Symantec Removal tool?
»Security »How Do I Remove Trojan Vundo/Winfixer/Virtumonde?

If, after running that you are still having a problem (in some cases it won't work), please post a new topic in the forum so we can help you.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 13:17:45 EDT
CalamityJane : said by  CajunTek  :

Yep. I suspect your right and I've asked the OP to check.. No response yet..
 Thanks! :)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 13:02:10 EDT
CajunTek : Yep. I suspect your right and I've asked the OP to check.. No response yet..
--
Lost in Texas


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 11:47:08 EDT
dliw : Thank you for this thread  CalamityJane .    Now have Update 5 installed. 


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 11:06:03 EDT
CalamityJane : said by  CajunTek  :

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
I don't know if the user also had older versions as well..
Right, Hijackthis only shows the most current version installed so multiple versions won't show.  If you can find out what other versions may have also been on that PC?  The thing is, if they had an older version on there as well, the malware could call up the vulnerable version.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 11:01:48 EDT
CajunTek : Another Note..

I have been involved in removing 5 virtumondo infections

All but 1 had 1.4.2_0X version of java except 1 it had 1.5.. 

So I am unsure if 1.5 is bullet proof..

Here are the relevant HJT lines
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
I don't know if the user also had older versions as well..

It was a double infection as well..
--
Lost in Texas


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 10:53:06 EDT
toolman12 : said by  jig  :

just for sanity,

is Winfixer/ Vundo / Virtumonde wasy to scan for? do either spybot, adaware, or avg find it?
 
I had the latest version of Spybot and it did not detect or remove it. I was, however, able to see the BHO using Spybot's advanced tools.  The latest version of McAfee did not detect it.  I did find that the online spyware scan at TrendMicro detected it and claimed to remove it, but vundo kept coming back.  Probably because I did not turn off system restore in WinXP.  

Just for the record, I did only have J2SE 1.4.2_03 installed and nothing else.  Very interesting.  I'm now upgraded and 1.4.2_03 is gone. 


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 10:49:41 EDT
lgkahn : a friends laptop had no java... fixvundo 1.4 found it but wouldn't remove it..

had to boot to safe mode and run procexp to kill the hjkii.dll or whatever it was called in the winlogon and explorer threads.. (otherwise registry keys couldn't be removed) then remove registry keys with hijakthis then use killbox to schedule the dll to be removed on next boot (even after killing the dll threads) the file was still locked and couldn't be removed or renamed inSAFE MODE)...this thing is really nasty and after all the research and time it would have been quicker to re-install...

good reason to keep weekly backups...

the person or people that did this should be shot and hung up by their nuts.

I saved a copy of the dll and even the latest symantec/norton 2005 is still not detecting it.. I submitting it to them and never got a reply.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 08:48:21 EDT
deadi : The 2 machines that I have cleaned both had 1.4.2. This is what came installed. I have noticed the old version will remain in add/remove programs if you do not manually remove it when upgrading. You also need to check IE under "Tools", "Options", "View Objects". You might see multiple versions  there also. Both have been updated to the latest. Have not heard from either. 

Another good sign of infection, the pc will run veeery slow.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 07:50:03 EDT
CajunTek : Good poll CJ.. Only a comment no vote.. No winfixer or virtumondo here.. and only one java.. Version 1.5.0 (build 1.5.0_05-b05) 

Keep doing what ya do..

(Formerly MerlynTech.. but I'm CajunTek everywhere else so....)
--
Lost in Texas


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sun, 06 Nov 2005 07:30:29 EDT
CalamityJane : @Siljaline - you're welcome.  I'm sure Mow will keep bugging them!

@jig:  Most victims either see the winfixer popups or their AV/AT/AS program has alerted them on the Vundo/Virtumonde infection, but they are lagging in complete removal.  The Symantec tool right now seems to be getting it since it was updated to v. 1.4.  If they have a double infection of it, the tool doesn't work and we have to use HJT & VundoFix (a different tool, little more complicated).  The popups it creates are really the biggest sign of an infection.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 04:01:44 EDT
jig : 
just for sanity,

is Winfixer/ Vundo / Virtumonde wasy to scan for? do either spybot, adaware, or avg find it?


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sun, 06 Nov 2005 00:26:26 EDT
siljaline : Thanks for the poll CJ, redundant installs now removed.
If only Sun would fix this issue, I'll bug Mow to keep bugging them to clean up the update process.

Regards,
--
siljaline 
MS - MVP Windows (IE/OE) & Security, AH-VSOP


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:37:55 EDT
CalamityJane : Thanks for your comments, mers2!

Yes, we want comments - but the actual voting is for Vundo infectees only (just to clarify).  Don't want anyone to feel they can't comment or ask a question or lend input :)

{{{Hugs}}}
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:31:55 EDT
mers2 : Remove me as well.  Since I saw others vote who I know haven't been infected, I did as well.  Voted using a different version then 1.4.2_03 (1.5) and I only have the one version as I am obsessive about keeping a clutter free system. :)
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.



Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:23:09 EDT
CalamityJane : said by  mazhurg  :

Reminder:But please don't vote if you have not been infected with Vundo


Sorry, my fingers got way ahead of my comprehension tonight... Please remove my vote under other versions.

:o
 
No problem.  And thanks for posting to let us know.

ALL comments welcome, we just only want the Vundo infectees voting.

Feel free to leave your comments or questions here though :)
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:17:37 EDT
mazhurg : Reminder:But please don't vote if you have not been infected with Vundo


Sorry, my fingers got way ahead of my comprehension tonight... Please remove my vote under other versions.

:o


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:14:24 EDT
mazhurg : ... remove me :o


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 18:12:20 EDT
garys_2k : said by  CalamityJane  :

Reminder:But please don't vote if you have not been infected with Vundo  We're trying to educate folks, too but Steve would like to get an idea of what versions were running on current/previously infected with Vundo/Winfixer PCs only
 DOH! So sorry! I voted "None installed" becasue that's what I have, but I wasn't infected. Deduct my vote, and sorry for the confusion on my part.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 17:49:49 EDT
CalamityJane : said by  DevilFrank  :

I did´nt install Sun-Java and don´t miss it as yet.
 
Ok!  Comments are most welcome from all! :)  

Reminder:But please don't vote if you have not been infected with Vundo  We're trying to educate folks, too but Steve would like to get an idea of what versions were running on current/previously infected with Vundo/Winfixer PCs only
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 17:41:17 EDT
DevilFrank : I did´nt install Sun-Java and don´t miss it as yet.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 17:37:23 EDT
CalamityJane : You're welcome, JV!  I had a couple of old versions still on here too.  Until Sun fixes these issues, it's hard to remember to go in and manually remove the older versions after a Sun Java Update :mad:

They don't state that about removing older versions on their download webpages either.


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 17:23:37 EDT
jvmorris : CJ,

Not a victim, but I want to thank you for bringing the subject up anyway.  Each of the machines here only had one installation of the Sun JVM -- and each one was a different version! :o  

Got them all in synch now.  Thanks again.
--
Regards,
    Joseph V. Morris


Re: Winfixer/ Vundo / Virtumonde Victims : Please Read
Sat, 05 Nov 2005 16:36:54 EDT
fuzz : Had 3 and 4 installed, saw this thread, installed update 5 then removed 3 and 4.
--
fuzz


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 15:56:17 EDT
LoPhatPhuud : Thanks for the poll CJ!

I am one of those nuts that hates sysytem clutter. First time I found out that the old versions of Sun JRE were not removed, I did it manually. I only have the most recent version installed. All others gone.
--
When angry count four; when very angry, swear.

Microsoft MVP Windows-Security 2005

Gladiator Security Forum


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 14:07:58 EDT
CalamityJane : You're welcome, Mike.  Thanks for voting and I hope the extra info was a help :)


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 13:08:26 EDT
Pole883 : :D;)

Thanks Jane!!

Mike


Re: Winfixer/ Vundo / Virtumonde Victims : Please
Sat, 05 Nov 2005 12:53:37 EDT
CalamityJane : Thanks for the votes so far.  Please do reply here with what versions you have if there is more than one, please :)

Thanks!


Potential Vulnerability with Sun Java auto update
Sat, 05 Nov 2005 12:00:50 EDT
CalamityJane : [mpoll]Which version of Sun Java is installed?,Sun J2SE 1.4.2_03 is installed in Add/Remove Programs in the Control Panel, More than one version is installed, More than 2 versions are installed, version 1.4.2_03 is NOT installed, I don't have any version of Sun Java[/mpoll]

We have noticed a large number of Winfixer/ Vundo / Virutmonde Victims have an older version of Sun Java (v. J2SE 1.4.2_03) installed in Add/Remove Programs in the Control Panel. Other older or newer versions may also be installed, however, we are wanting to know if you have this version on your system.

If you've been a victim of this malware (or have been helping one), would you please take the time to answer the poll ?
Also, if you have more than one version installed, please list them in a reply to this thread.

Why do we want to know?

Fellow MS MVP Steve Wechsler (aka MowGreen) wrote to Sun Microsystems (makers of Sun Java) to express the concerns raised in the Security Community that autoupdaters of Sun Java do not uninstall previous (vulnerable) versions of the program.  He asked for clarification that if a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system, and that those previous vulnerable versions can still be called by malware. The folks at Sun Microsystems wrote back confirming this is true and they would be investigating updating the java.com pages and the auto update uninstallation issue.  That was back in February and to date, none of these issues has been resolved.

Therefore all users are encouraged to please check in your Control Panel, under Add/Remove programs and uninstall any older versions of Sun Java.  And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

The most current version of Sun Java can be found and downloaded from here:

»java.com/en/download/windows_xpi.jsp

To check your version to see if it is the latest version, Please go here:

»www.java.com/en/download/installed.jsp

Follow the instructions on that page to verify Your Java software

Please remember to uninstall all old versions of Sun Java

According to the bulletins, CERT also warns about java bug being exploited and you can read more about it here:

»isc.sans.org/diary.php?storyid=1039

The current *fix* for Vundo/Virtumonde/Winfixer can be found here:

»Security Cleanup FAQ »Trojan Vundo/Virtumonde/Winfixer Removal

--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2006


Proud Member of ASAP  (Alliance of Security Analysis Professionals)