Hotch

join:2012-06-12

1 edit

General Malware question and issue for my info

Say you get an email on your Gmail account. All that is in the body of the text is a link. Nothing else. The email is addressed to a variety of people of which I am just one.

My antimalware on my Mac immediately, in real time, warned me about it, saying it was a potential serious threat. The sender appeared to be someone I know well. The security program labeled it as “HTML:Refresher-A [Trj]”. It’s obviously a Trojan. I naturally deleted the email without opening or clicking on anything.

Some investigation by me revealed that at least one thing it does if activated is go and steal the email contacts from one’s address book and then email everybody.

It is my understanding that an email in and of itself cannot infect your machine if you don’t click on any links or open any attachments. Just delete it and you are OK. Am I correct?

I then fired up the PC and ran a full scan and discovered the following virus or infection: Java/CVE-2012-057.cg

I had MSE delete it. I then ran Malwarebytes and Superantispyware Professional just to double check. Hey, you have to be more careful with Windows than OS X.

Any theories on how I picked up the “Java” bug and what it was designed to do? I really don’t use my PC very much. I’m 90 percent plus on the Mac.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
A virus just sitting in a file does not constitute an 'infection', whatever anti-virus software might say. It's just bits.

I don't know how Gmail stores its email. Quite possibly the body of the message is still sitting around in a file on your PC even when deleted. It doesn't matter, it's just bits: but your A-V software can still find it.

As to whether email can infect your machine if not "opened" - well, it depends (a) on your email reader's definition of open - if it processed the body of the email in any way, it could have obeyed the viral code (example: Outlook Express 'preview pane' - most people didn't think of that as "opening" a message), and (b) whether there are exploitable bugs in your email agent. But having scared you with all that possibility: no, generally not: I wouldn't worry about it, assuming you're reasonably recent with updates.


Oregonian
Premium
join:2000-12-21
West Linn, OR
Reviews:
·Comcast
reply to Hotch
said by Hotch:

Say you get an email on your Gmail account. All that is in the body of the text is a link. Nothing else. The email is addressed to a variety of people of which I am just one.

This seems to be going around. I received one of these emails from a friend. I did not click on the link. My wife has received three such emails and did click on the link the first time. I have scanned her PC and found no infection. We use Comcast's Norton Security Suite (Norton 360).


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Hotch
Don't be shy and post the link, but don't make it clickable. Let's see if it can be tracked down and maybe we can also determine how it is generated.

Hotch

join:2012-06-12
said by Name Game:

Don't be shy and post the link, but don't make it clickable. Let's see if it can be tracked down and maybe we can also determine how it is generated.

Here is the link without the http and www part:

Payamtools.com/efkcnsd.html?rwaz=lxqvpi

This was the email generated exploit that I got through Gmail on my Mac.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Hotch
Also, I think the exploit was Java./CVE-2012-0507.cg. Is that correct, and you just have a typo there?

»www.virustotal.com/file/c5ccd70f···nalysis/


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Hotch
I clicked it. It's just a website trying to sell some weight loss pill. And the funny thing is they disguise the site to look like FoxNews.com and then say in their article "We here at Fox News." lulz
--
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999

Hotch

join:2012-06-12

1 edit
reply to Name Game
Not sure what you mean about the typo, but that is a bug that was on Windows. The MSE link explaining more info said that as of yesterday there was no additional information about that critter.

Regarding clicking on the one that was just a link it seems clear that it stole email addresses somewhere in the process.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
You said it was:

" I then fired up the PC and ran a full scan and discovered the following virus or infection: Java/CVE-2012-057.cg"

The typo is that the exploit was actually Java./CVE-2012-0507.cg,
and there is a lot of info about it from other vendors.

BTW, MSE can't even totally get rid of it. See here:

»www.sevenforums.com/system-secur···der.html

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Hotch
Read more about CVE-2012-0507 here. BTW, that one was the 0-day flaw with Macs.

If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

The exploit targets a bug in Java (CVE-2012-0507) that effectively allows the bypassing of Java’s sandbox, a mechanism built into the ubiquitous software that is designed partly to blunt attacks from malicious code. Microsoft’s Malware Protection Center warned last week that new malware samples were surfacing which proved highly effective at exploiting the flaw. Microsoft says the samples it saw loaded the ZeuS Trojan, but thieves can use such attacks to install malware of their choosing.

According to posts on several underground carding forums, the exploit has now been automatically rolled out to miscreants armed with BlackHole, by far the most widely used exploit pack. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed, and Java is almost universally the most successful method of compromise across all exploit kits.

According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seems to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

Case in point: On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java. I have not seen firsthand evidence that proves this 0day exploit exists, but it appears that money is changing hands for said code.

If you do not need Java, junk it; you can always re-install it later if you need to. If you need Java for a specific Web site, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox (from the Add-ons menu, click Plugins and then disable anything Java related, and restart the browser), and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

The latest Java versions (which patch the CVE-2012-0507 hole) are Java Version 6 Update 31, or Java 7 Update 3, released on Feb. 15, 2012. Please note that if you disable the Java plugin from a browser, the next time you update the program, you may need to disable it again, as Java tends to re-enable itself with every security update.

Update, March 28, 3:48 p.m. ET: Marcus Carey, a security researcher at Rapid7, adds a bit more perspective on the severity of the situation with this exploit. He estimates that upwards of 60 to 80 percent of users probably are not yet patched against this flaw. Here’s what he wrote:

Anytime an exploit, such as one for CVE-2012-0507, is added to mass exploit kits it goes from being a “hypothetical risk” to becoming a real risk. This particular exploit can be found in the widely used BlackHole Exploit kit.

Based on the Java patching habits of 28 million unique Internet users, Rapid7 estimates that 60-80% of computers running Java are vulnerable to this attack today.

Looking long term, upwards of 60% of Java installations are never up to the current patch level. Since so many computers aren’t updated, even older exploits can be used to compromise victims.

Rapid7 researched the typical patch cycle for Java and identified a telling pattern of behavior. We found that during the first month after a Java patch is released, adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, we found that more than 30% are patched. We determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.

Since this is only about a month since the patch was released (February 15), it’s likely that only approximately 10% of users have applied the patch.

»krebsonsecurity.com/tag/cve-2012-0507/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Hotch

join:2012-06-12

2 edits
I just fired up the PC. I opened up Firefox. It gave me a screen that was blank except for the middle, where it showed a FF plug-in icon with the following message in a square or rectangular box:

Another program on your computer would like to modify Firefox with the following add-on: Java Console 6.0.33 Location C:\Program Files (x86\Mozilla Firefox)

(A caution sign) Install add-ons only from authors whom you trust. I then have a box that is unchecked. If I check it the add-on will be installed.

ADDENDUM: I checked my current add-ons in FF and, regarding Java, all of the plug-ins are version 6.0.330.3

So what does this mean other than what it says at face value?

I also opened up IE9 to double check the installed version of Java is the most current. It is.
It says below that You can always change your mind at any time by going to the Add-ons Manager.

I then can choose to click Continue.

The “address” for this screen is: about:newaddon?id={CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}

I checked and found that I have the most current Java installed.

Also ran a full Malwarebytes scan and it was clean.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
It means either MSE, if that is what you used for a full scan, or some other AV program you might use, cleaned off some stuff that was legit and it was a false positive, or you still have problems. But you are in the wrong place for expert help since you are just posting stuff in bits and pieces with no real logic. Therefore you should be getting help from this forum:

»Security Cleanup

After you have followed all the instructions for the logs needed, then Lo Phat Phuud or someone else will help you fix it right.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Hotch

join:2012-06-12
said by Name Game:

But you are in the wrong place for expert help since you are just posting stuff in bits and pieces with no real logic.

*cough* *cough* Astonishing statement given the content in the totality of my posts in this thread.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
Yes, well, it goes this way. You posted this:

"Another program on your computer would like to modify Firefox with the following add-on: Java Console 6.0.33 Location C:\Program Files (x86\Mozilla Firefox)" and that does not help since it is just a location.

But if it comes out that it is really this:

\Sun\Java\Deployment\cache\6.0\33\611df761-11822790

then that one is

(Trojan.FakeMS)

That is why an expert needs to look at the logs you would be posting in that other forum.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Hotch

join:2012-06-12
Thank you for your advice and help.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Hotch
said by Hotch:

I just fired up the PC. I opened up Firefox. It gave me a screen that was blank except for the middle, where it showed a FF plug-in icon with the following message in a square or rectangular box:

Another program on your computer would like to modify Firefox with the following add-on: Java Console 6.0.33 Location C:\Program Files (x86\Mozilla Firefox)

(A caution sign) Install add-ons only from authors whom you trust. I then have a box that is unchecked. If I check it the add-on will be installed.

ADDENDUM: I checked my current add-ons in FF and, regarding Java, all of the plug-ins are version 6.0.330.3

So what does this mean other than what it says at face value?

I also opened up IE9 to double check the installed version of Java is the most current. It is.
It says below that You can always change your mind at any time by going to the Add-ons Manager.

I then can choose to click Continue.

The “address” for this screen is: about:newaddon?id={CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}

I checked and found that I have the most current Java installed.

Also ran a full Malwarebytes scan and it was clean.

CLSID: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
Name: DPF
Filename: jinstall-1_6_0_33-windows-i586.cab
Description: Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. Sun Java update site

»www.java.com/en/download/installed.jsp
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
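As an added example (not from the thread or from any of the posters): the CLSID in that about:newaddon address encodes the Java version, because Oracle's static-versioning plug-in CLSIDs follow the layout CAFEEFAC-00MM-00mm-00UU-ABCDEFFEDCBA (MM = family, e.g. 16 for Java 1.6; mm = minor; UU = update). The helper below decodes it and checks the result against the CVE-2012-0507 fix levels quoted earlier in the thread (Java 6 Update 31, Java 7 Update 3); the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the thread. Fix levels for CVE-2012-0507 as quoted
# in the thread: Java 6 Update 31 and Java 7 Update 3. Families not listed here
# (e.g. Java 5) are treated as unpatched, since no fix level is given for them.
FIXED_UPDATE = {6: 31, 7: 3}

# Static-versioning plug-in CLSID: CAFEEFAC-00MM-00mm-00UU-ABCDEFFEDCBA
CLSID_RE = re.compile(
    r"^\{?CAFEEFAC-00(\d{2})-00(\d{2})-00(\d{2})-ABCDEFFEDCBA\}?$", re.IGNORECASE
)


def parse_java_clsid(clsid: str):
    """Return (family, minor, update) for a static Java plug-in CLSID, else None."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        return None
    mm, minor, update = (int(g) for g in m.groups())
    return mm % 10, minor, update      # "16" -> Java 1.6 -> family 6


def version_string(parsed) -> str:
    """Format as the familiar 1.F.m_UU string, e.g. 1.6.0_33."""
    family, minor, update = parsed
    return f"1.{family}.{minor}_{update:02d}"


def patched_for_cve_2012_0507(parsed) -> bool:
    """True if the release is at or above the fix level for its family."""
    family, _minor, update = parsed
    fixed = FIXED_UPDATE.get(family)
    return fixed is not None and update >= fixed


def clsid_from_newaddon_url(url: str):
    """Pull the id= value out of a Firefox about:newaddon?id=... address."""
    return parse_qs(urlsplit(url).query).get("id", [None])[0]


def assess_newaddon(url: str):
    """Decode the address and report (version, patched) or None if not a Java CLSID."""
    parsed = parse_java_clsid(clsid_from_newaddon_url(url) or "")
    if parsed is None:
        return None
    return version_string(parsed), patched_for_cve_2012_0507(parsed)


if __name__ == "__main__":
    # The address Hotch pasted in the thread.
    print(assess_newaddon("about:newaddon?id={CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}"))
```

This only judges the one CLSID in the prompt; as the thread goes on to show, an older JRE can still sit alongside the current one, so each installed version (or cache directory) needs to be checked on its own.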

Hotch

join:2012-06-12
Thanks for the post.

Simply FYI, before I saw your helpful post I figured out the problem was being caused by older versions of Java still on my computer in addition to the newest version, which I also had installed.

So I just uninstalled all Java and then reinstalled the latest version and that resolved the problem.

All the evidence indicates MSE removed the infection completely. Afterward the system also passed a full Malwarebytes scan, and a quick scan by SuperAntiSpyware Professional.

In one forum that you linked in an earlier post, an interesting post was found there. The poster said he had the same infection that I did but MSE didn't get rid of it...but he was vague on that as far as details.

He then linked a site that offers a free software program to remove all out-of-date Java. I clicked on the link to the site and WOT went crazy. In all categories, with lots of reviews, WOT said the site was bad with either a "high degree of confidence" or an "extremely high degree of confidence."

Thank goodness that I have choice between a Mac and a PC at my discretion.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
Yes, watch out for links you might find in other forums; trying to go too deep might load you up with other crap to clean off. For now just make sure you don't have any rootkit hidden. Malwarebytes is good stuff for sure, but I will still tell you Lo Phat Phuud can look deeper with a few other tools if you are not confident all is OK.

JavaRa is a safe tool and it does remove all the older stuff. I would use that and do.

It is free
Windows Binary (.zip) Version 1.1.6
»singularlabs.com/software/javara/

And here is the new version. It is still beta, but I use it.
JavaRa 2.0 beta #3 requires that the Microsoft .NET Framework 2.0 (or newer) is installed.

»majorgeeks.com/JavaRA_d5982.html

Hotch

join:2012-06-12
Not taking sides, just being the mailman--it was the JavaRa site that got the WOT hammering. And as mentioned it wasn't just a few disgruntled or rogue reviews it was a substantial slam of a significant number of people.

By the way, I always run the most current version of .NET Framework.

I spend almost all of my time now on Mac. But I have always, when previously using exclusively Windows and even now, still diligently done updates not only for Windows but for all my security products and other relevant software.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Hotch
Well, if that is the case, WOT is wacky. JavaRa is one of the safest products to use; it will even clean/remove the download manager.

See here at DSLR; they even have a support forum:

»[Updated] [Free]JavaRa 1.1.6 / 2.0b3 updated definitions