I would like to add this info since I see many AV coming up with that VerifierBug.class Trojan.
Do you use the java plugin? If yes, and your "use plugin for applet tag" property from IE is set to true (which is by default) - the cache will be kept in \.jpi_cache directory. Otherwise, it will be in Temporary internet files (still in user home). Depends on your os mostly.
Also a click on refresh should reload the applet if you hold CTRL
Or if you open the Java Console window, then press g x f
That clears the java cache too
Now most people have already gone to M$ and patched their java if they have been keeping up with all the updates. So it is doubtful their IE will be exploited.
but you can also always do this...
deleting everything in your Temp folders
C:\WINDOWS\TEMP
C:\WINDOWS\TEMPORARY INTERNET FILES
If you have JAVA also delete anything in these folders
C:\WINDOWS\.jpi_cache\file\1.0
C:\WINDOWS\.jpi_cache\jar\1.0
It is relatively harmless. The pop-ups are being cached by the browser in the cache directory mentioned, which means they appear as "new" files to the virus scanner, which accordingly mounts a seek-and-destroy mission on them.
With 1.4 the files are cached in user dir\.jpi_cache\jar\1.0\
For win2k it's c:\Documents and Settings\username\.jpi_cache\jar\1.0
Also the files are stored as .zip's, not .jar's
here are some examples
7/18/2003 8:33 PM Infected 29/F C:\Documents and Settings\29/F\.jpi_cache\jar\1.0\archive.jar-6b722b07-76f55045.zip Exploit-ByteVerify
7/18/2003 8:33 PM Deleted 29/F C:\Documents and Settings\29/F\.jpi_cache\jar\1.0\archive.jar-6b722b07-76f55045.zip Exploit-ByteVerify
7/18/2003 8:33 PM Infected 29/F C:\DOCUME~1\29/F\LOCALS~1\Temp\jar_cache18390.tmp Exploit-ByteVerify
7/18/2003 8:33 PM Deleted 29/F C:\DOCUME~1\29/F\LOCALS~1\Temp\jar_cache18390.tmp Exploit-ByteVerify
forum.java.sun.com/threa ··· range=15
The exploit Vamp has pointed out will do this..
There are no obvious signs of infection. AVERT has received field samples that use this exploit to create a registry script file, and merge it into the system registry. This script simply altered the default start page of Internet Explorer.
So there are certainly things you can do so your AV does not give you heart failure.
But I guess we will be seeing more posts like yours in the future, not only from McAfee users but also NAV.
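
An added example, not part of the original post: a small Python triage of scanner log lines in the format quoted above, separating detections that sit in the Java plug-in cache and were deleted from those that still need a look. The field layout is assumed from the quoted lines, Temp\jar_cache*.tmp is treated as cache because it appears in them, and the sample records (user1, example.dll, the archive name) are constructed.

```python
import re
from collections import defaultdict

# Assumed layout, taken from the log lines quoted in the post:
# <date> <time> <AM/PM> <action> <user> <path> <detection name>
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<action>Infected|Deleted) (?P<user>\S+) "
    r"(?P<path>[A-Za-z]:\\.+) (?P<name>\S+)$"
)

# Java plug-in cache locations named in the post, matched case-insensitively.
CACHE_RE = re.compile(
    r"\\\.jpi_cache\\(jar|file)\\1\.0\\|\\temp\\jar_cache\d+\.tmp$",
    re.IGNORECASE,
)

# Constructed sample records (not real detections).
SAMPLE = [
    r"7/18/2003 8:33 PM Infected user1 C:\Documents and Settings\user1\.jpi_cache\jar\1.0\archive.jar-00000000-11111111.zip Exploit-ByteVerify",
    r"7/18/2003 8:33 PM Deleted user1 C:\Documents and Settings\user1\.jpi_cache\jar\1.0\archive.jar-00000000-11111111.zip Exploit-ByteVerify",
    r"7/18/2003 8:33 PM Infected user1 C:\DOCUME~1\user1\LOCALS~1\Temp\jar_cache12345.tmp Exploit-ByteVerify",
    r"7/18/2003 8:34 PM Infected user1 C:\WINDOWS\system32\example.dll Exploit-ByteVerify",
]

def triage(lines):
    """Return (cache_cleaned, needs_review) lists of (path, detection)."""
    seen = defaultdict(set)  # (path, detection) -> actions logged for it
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a detection record
        seen[(m["path"].lower(), m["name"])].add(m["action"])
    cache_cleaned, needs_review = [], []
    for key, actions in seen.items():
        in_cache = bool(CACHE_RE.search(key[0]))
        if in_cache and "Deleted" in actions:
            cache_cleaned.append(key)  # cached applet archive, already removed
        else:
            needs_review.append(key)   # outside the cache, or never deleted
    return cache_cleaned, needs_review

if __name__ == "__main__":
    cleaned, review = triage(SAMPLE)
    print("cache, deleted:", cleaned)
    print("needs review:  ", review)
```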