Vampirefo (Premium Member, join:2000-12-11, Huntington, WV) to statecop

Re: VerifierBug.class Trojan (new beta def will find)

Here is a pic of the 3 files infected, thanks for the files.

Best Regards
Vampirefo

statecop (Premium Member, join:2002-09-16, Heflin, AL)

Thanks for taking a look at it...I am glad that I keep my system updated.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI) to statecop

I would like to add this info since I see many AV coming up with that VerifierBug.class Trojan.

Do you use the Java plugin? If yes, and your "use plugin for applet tag" property from IE is set to true (which it is by default), the cache will be kept in the \.jpi_cache directory. Otherwise, it will be in Temporary Internet Files (still in the user home). Depends on your OS mostly.

Also a click on refresh should reload the applet if you hold CTRL

Or if you open the Java Console window, then press g x f

That clears the java cache too

Now most people have already gone to M$ and patched their Java if they have been keeping up with all the updates. So it is doubtful their IE will be exploited.

but you can also always do this...

deleting everything in your Temp folders C:\WINDOWS\TEMP
C:\WINDOWS\TEMPORARY INTERNET FILES

If you have Java, also delete anything in these folders
C:\WINDOWS\.jpi_cache\file\1.0
C:\WINDOWS\.jpi_cache\jar\1.0

It is relatively harmless. The pop-ups are being cached by the browser in the cache directory mentioned, which means they appear as "new" files to the virus scanner, which accordingly mounts a seek-and-destroy mission on them.

With 1.4 the files are cached in user dir\.jpi_cache\jar\1.0\

For Win2k it's c:\Documents and Settings\username\.jpi_cache\jar\1.0

Also, the files are stored as .zips, not .jars

here are some examples

/18/2003 8:33 PM Infected 29/F C:\Documents and Settings\29/F\.jpi_cache\jar\1.0\archive.jar-6b722b07-76f55045.zip Exploit-ByteVerify
7/18/2003 8:33 PM Deleted 29/F C:\Documents and Settings\29/F\.jpi_cache\jar\1.0\archive.jar-6b722b07-76f55045.zip Exploit-ByteVerify
7/18/2003 8:33 PM Infected 29/F C:\DOCUME~1\29/F\LOCALS~1\Temp\jar_cache18390.tmp Exploit-ByteVerify
7/18/2003 8:33 PM Deleted 29/F C:\DOCUME~1\29/F\LOCALS~1\Temp\jar_cache18390.tmp Exploit-ByteVerify

»forum.java.sun.com/threa ··· range=15

The exploit Vamp has pointed out will do this..

There are no obvious signs of infection. AVERT has received field samples that use this exploit to create a registry script file, and merge it into the system registry. This script simply altered the default start page of Internet Explorer.

So there are certainly things you can do so your AV does not give you heart failure.

But I guess we will be seeing more posts like yours in the future, not only from McAfee users but also NAV.

deafcon22 (Member, join:2003-06-17, Ocala, FL) to statecop

NAV also caught this one for me today! I'm using Netscape 7.1 and Sun Java though, so do I have anything different to worry about than an IE user?

Tablet (Premium Member, join:2003-01-15, Czech) to statecop

I just received response from Kaspersky on the last file contained in the zip: 'beyond.class'. It is said to contain a new virus according to Kaspersky called 'Trojan.Java.Kazlite'.

Vampirefo (Premium Member, join:2000-12-11, Huntington, WV)

Well, if you look inside of Beyond.class, you see that it hijacks your search engine, makes registry entries and so forth, but only affects unpatched systems.

It also goes after one's hosts file. Below is a small portion of the code.

»www.kazaa-lite.ws/search ··· tml
#cooklop
»www.tech-jobs.ws/stats.cgi
SYSTEM
Lcom/ms/security/PermissionID;
com/ms/security/PermissionID
assertPermission
(Lcom/ms/security/PermissionID;)V
com/ms/security/PolicyEngine
os.name
getProperty
(Ljava/lang/String;)Ljava/lang/String;
windows
startsWith
java/lang/Integer
CURRENT_USER
Lcom/ms/wfc/app/RegistryKey;
com/ms/wfc/app/Registry
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
getSubKey
(Ljava/lang/String;Z)Lcom/ms/wfc/app/RegistryKey;
com/ms/wfc/app/RegistryKey
1C00
setValue
(Ljava/lang/String;Ljava/lang/Object;)V
LOCAL_MACHINE
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch
SearchAssistant
SOFTWARE\Microsoft\Internet Explorer\Main
Default_Page_URL
Default_Search_URL
Start Page
Search Page
Local Page
Software\Microsoft\Internet Explorer\Main
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
(Ljava/lang/String;)Lcom/ms/wfc/app/RegistryKey;
Favorites
getValue
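An added example, not code from any post in this thread: a Python scanner that ties together Name Game's notes on where the plug-in keeps applets (the user profile's .jpi_cache\jar\1.0 tree and the Temp folder, where the cached archives show up as archive.jar-*.zip and jar_cacheNNNN.tmp files) and the com/ms/* strings in Vampirefo's dump of Beyond.class above. It walks the cache directories, recognises archives by their PK header rather than by extension, parses the constant pool of every .class inside, and flags classes whose string constants reference the Microsoft JVM permission and registry classes. The indicator list, the sample cache layout, and the two class files built for the demo are assumptions; the samples are constructed and are not Beyond.class.

```python
# Added example, not code from any post in this thread. The sample class files
# built below are constructed test data, not Beyond.class; INDICATORS are the
# com/ms/* strings from the constant-pool dump posted above.
import io
import os
import struct
import tempfile
import zipfile

INDICATORS = ("com/ms/security/PermissionID", "com/ms/security/PolicyEngine",
              "com/ms/wfc/app/Registry", "Internet Settings\\Zones")

def constant_pool_strings(data):
    """Every CONSTANT_Utf8 entry of a class file (JVM spec section 4.4)."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, out = 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                          # Utf8: u2 length, then bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in (3, 4):                   # Integer, Float
            pos += 4
        elif tag in (5, 6):                   # Long, Double take two slots
            pos += 8
            index += 1
        elif tag in (7, 8, 16, 19, 20):       # Class, String, MethodType, Module, Package
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):  # *ref, NameAndType, (Invoke)Dynamic
            pos += 4
        elif tag == 15:                       # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError("bad constant pool tag %d" % tag)
        index += 1
    return out

def indicators_in(data):
    """Sorted INDICATORS that occur as substrings of the class's string constants."""
    pool = constant_pool_strings(data)
    return sorted(ind for ind in INDICATORS if any(ind in s for s in pool))

def scan_archive(blob):
    """[(member, indicators)] for the flagged .class members of a zip/jar."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                found = indicators_in(zf.read(name))
                if found:
                    hits.append((name, found))
    return hits

def scan_cache_dirs(roots):
    """Walk cache roots such as the thread's %USERPROFILE%\\.jpi_cache and Temp
    folders. Archives are recognised by their PK header, so archive.jar-*.zip
    and jar_cacheNNNN.tmp are both opened, whatever their extension."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, "rb") as fh:
                        blob = fh.read()
                    if blob[:4] == b"PK\x03\x04":
                        for member, found in scan_archive(blob):
                            findings.append((path + "!" + member, found))
                except (OSError, ValueError, struct.error, IndexError, zipfile.BadZipFile):
                    continue                  # unreadable, truncated, or not a class
    return findings

def build_class(utf8_strings):
    """Minimal valid class file whose constant pool holds the given strings
    (constructed test data, not a real applet)."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode()
                    for s in utf8_strings)
    pool += struct.pack(">BH", 7, 1)          # CONSTANT_Class -> entry 1
    count = len(utf8_strings) + 2             # constant_pool_count = entries + 1
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 46, count)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x21, count - 1, 0, 0, 0, 0, 0)
    return header + pool + tail

def demo_scan():
    """Scan a temporary cache tree laid out like the thread's paths."""
    bad = build_class(["Beyond", "java/lang/Object", "com/ms/wfc/app/Registry",
                       "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1"])
    good = build_class(["Hello", "java/lang/Object", "java/awt/Graphics"])
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Beyond.class", bad)
        zf.writestr("Hello.class", good)
    with tempfile.TemporaryDirectory() as tmp:
        jar_dir = os.path.join(tmp, ".jpi_cache", "jar", "1.0")
        os.makedirs(jar_dir)
        for path in (os.path.join(jar_dir, "archive.jar-00000000-00000000.zip"),
                     os.path.join(tmp, "jar_cache00000.tmp")):
            with open(path, "wb") as fh:
                fh.write(archive.getvalue())
        return scan_cache_dirs([tmp])
```

To run it against a real machine, pass the roots Name Game listed, for example scan_cache_dirs([os.path.expanduser("~/.jpi_cache"), r"C:\WINDOWS\TEMP"]). Parsing the constant pool rather than running strings over the bytes matters because the length-prefixed entries in the dump above (the "C" before each SOFTWARE\... path is the u2 length's low byte) make a naive string search miss or split values; the scanner also stays a triage tool, since a class can reach the same APIs by reflection without these names appearing.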

davekkk (Anon, @attbi.com) to Vampirefo

I just installed the new version of JAVA and now I have this virus.

rcbartel (Member, join:2000-10-04, Bowie, MD) to statecop

Got VerifierBug.class trojan right after downloading Java 1.3 from »wireless.fcc.gov/uls/

keith2468 (Premium Member, join:2001-02-03, Winnipeg, MB) to statecop

rcbartel - will you be letting them know? (the contacts at wireless.fcc.gov)

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI)

said by keith2468:
rcbartel - will you be letting them know? (the contacts at wireless.fcc.gov)
Let your AV company know and tell them to stop messing with your mind if you have Sun Java, and fix the signature they have... same thing if you have IE: patching your system so you are not vulnerable is the solution.

FF again (Member, join:2003-06-13, Finland) to statecop

To everyone from FF again!

This issue has also been discussed here:

»www.wilderssecurity.com/ ··· id=13282

After all that happened, I just don't know what to do, because even TrojanHunter couldn't detect them, but Magnus said that it was not even meant to do that!

The main question was: were they nasties or not?

I still think that using KAV 4.5 as your resident scanner does no harm in detecting them and removing them from your PC!

Regards,
FF again!

Vampirefo (Premium Member, join:2000-12-11, Huntington, WV) to statecop

To FF again from Vampirefo

If you looked at the link I posted from McAfee's site, you would know these are called Exploit-ByteVerify and only unpatched browsers are vulnerable to this exploit.

So if you have a patched system then no need to worry; if unpatched, please go to Windows Update today!!!!!!!! and patch it.

Best Regards
Vampirefo

pH1 (Rawr, Member, join:2001-12-31, Canada) to Vampirefo

said by Vampirefo:
Well, if you look inside of Beyond.class, you see that it hijacks your search engine, makes registry entries and so forth, but only effects unpatched systems.
More specifically,

private final void _mththis()
{
strcnt = 0;
myurl = "http://www.kazaa-lite.ws/";
capt = "White Pages Search Engine";
searchpage = "http://www.kazaa-lite.ws/results.php?show=";
startpage = "http://www.kazaa-lite.ws/";
MSString = "http://www.kazaa-lite.ws/search.html";
MyStamp = "#cooklop";
[snip]
URLtogetdata = "http://www.tech-jobs.ws/stats.cgi";
}

If anyone else wants the decompiled code for this feel free to ask.
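An added example, not code from the thread: McAfee's description quoted by Name Game says the payload creates a registry script and merges it into the registry, and the keys Beyond.class writes are visible in Vampirefo's string dump and in pH1's decompile above (the Start Page / Search Page / Default_*_URL values under Internet Explorer\Main, CustomizeSearch and SearchAssistant under Internet Explorer\Search, and the 1C00 value under Internet Settings\Zones\N, which is that zone's Java permissions setting). This Python triage script parses a .reg file in regedit's export format, decodes the REG_SZ and dword values, and reports which of those settings the script would change, so a dropped or exported .reg file can be read without merging it. The sample script, the expected-host list and the dword values are constructed for the demo and are not recovered from the malware.

```python
# Added example, not code from the thread. SAMPLE_REG and EXPECTED_HOSTS are
# constructed for the demo; the dword values are illustrative, not recovered
# from the malware.
import re

# Value names under Internet Explorer\Main and \Search that Beyond.class
# writes, taken from the string dump and the decompile posted above.
IE_HIJACK_VALUES = {"Start Page", "Search Page", "Local Page", "Default_Page_URL",
                    "Default_Search_URL", "CustomizeSearch", "SearchAssistant"}
# 1C00 is the "Java permissions" setting of an IE security zone
# (zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet).
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.I)
# Assumed baseline: page values that point anywhere else are reported as hijacks.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")

def _unescape(s):
    # .reg files escape a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """[(key, value_name, value)] for every value the script sets or deletes.
    REG_SZ and dword: are decoded; hex(...) and other types are kept raw."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2).strip()
        while raw.endswith("\\") and i < len(lines):   # hex data continues on the next line
            raw, i = raw[:-1] + lines[i].strip(), i + 1
        if raw == "-":
            value = None                               # "name"=- deletes the value
        elif raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        entries.append((key, name, value))
    return entries

def _host(value):
    m = re.match(r"https?://([^/]+)", str(value), re.I)
    return m.group(1).lower() if m else None

def triage(text):
    """(kind, key, name, value) for the entries matching the thread's hijack pattern."""
    findings = []
    for key, name, value in parse_reg(text):
        if "\\internet explorer\\" in key.lower() and name in IE_HIJACK_VALUES and value is not None:
            host = _host(value)
            ok = host is not None and any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)
            findings.append(("ie_page_change" if ok else "ie_page_hijack", key, name, value))
        if ZONE_KEY.search(key) and name.upper() == "1C00":
            findings.append(("zone_java_permissions", key, name, value))
    return findings

# Constructed sample in regedit's export format, using the URLs and keys named in
# the thread; not the real dropped script.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.kazaa-lite.ws/"
"Search Page"="http://www.kazaa-lite.ws/results.php?show="
"NoUpdateCheck"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.kazaa-lite.ws/search.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1C00"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000
'''

if __name__ == "__main__":
    for kind, key, name, value in triage(SAMPLE_REG):
        print("%-22s %s\\%s = %r" % (kind, key, name, value))
```

The same parser works on a regedit export taken after cleanup (reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg, then triage(open("ie.reg", encoding="utf-16").read()), since regedit writes UTF-16), which is the practical way to confirm that the start and search pages and the per-zone Java permissions are back to what you expect after an AV has deleted the cached applet but not the registry changes it already made.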

Vampirefo (Premium Member, join:2000-12-11, Huntington, WV)

I use Cavaj Java Decompiler to decompile .class and so forth, I always get an error, during decompiling of Beyond.class, but it still decompiles. Do you get an error, if not what program do you use?

vivek2078 (Anon, @217.134.27.106, 195.)

Hey, I want to decompile those classes too... has anyone done it...??????

Is it possible for me to download those classes so that I can decompile them? I hope I can understand the crap that is being done in those classes after decompiling it.

vivek

zygoat (Anon, @cox.net) to pH1

I would like to get a look at the decompiled code ... could you post it please?

mvdu (Premium Member, join:2003-07-28, Collegeville, PA) to statecop

I got this one too, when NAV wasn't detecting it. Fortunately, I was patched and BitDefender found it.

More recently, I had a Zip archive in a jar that just had Trojan.Java.Needy, and even NAV with recent defs didn't detect it. KAV did.