 bd5150 join:2003-01-10 Medford, MA | Persistent Trojan
Good Morning Everyone,
I have Norton Corporate 7.6 running on my office network. I am continually getting an alert that I am infected with Trojan.ByteVerify. The file that is infected has been deleted, yet I still get the same message that it is contained in the same file. Trojan Hunter didn't detect anything. Anyone have any experience with this one?
Jim |
|
 cahiatt Premium join:2001-03-21 Smyrna, GA | I just started getting the same one. It seems to be coming from some message board that my brother-in-law is visiting. I deleted it and it came back, but its return coincides with his browsing habits times. I haven't been able to determine exactly where it came from yet. |
|
 | reply to bd5150 It could be in your System Restore:
Removal Instructions: The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as Trojan.ByteVerify.
---------------------------------------------------------
Symantec WriteUP: Trojan.ByteVerify: »securityresponse.symantec.com/av···ify.html
Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system.
Also Known As: Exploit-ByteVerify [McAfee], Exploit.Java.Bytverify [KAV], JAVA_BYTVERIFY.A [Trend]
Type: Trojan Horse
Infection Length: various
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
-- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|

| reply to bd5150
a) Did you try cleaning your Java cache?
1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the Java Plug-in Control Panel
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your Java Plug-in cache directory
b) Did you turn off System Restore before you cleaned the virus?
c) Did you run "full system scan" while in safe mode?
d) Are you sure you have Norton checking inside compressed files?
1. Open Norton AntiVirus or Symantec AntiVirus.
2. Click Configure > File System Realtime Protection.
3. Under File Types, verify that "All Files" is checked.
4. Under Options, examine "Exclude selected files and folders."
5. If "Exclude selected files and folders" is checked, continue to the next step. Otherwise, the program is configured to scan all files.
6. Click Exclusions.
7. Examine the files and folders excluded to ensure that they are appropriate for your environment.
-- If it ain't broke, don't break it!® |
|
 John2g Qui Tacet Consentit Premium join:2001-08-10 England | reply to bd5150 This may interest you.
"This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine. The variants of this trojan that we have seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals. Some variants may do little more than change the user's default Internet Explorer home page and/or search page via modifications to the registry."
It may pay you to carry out some cleaning with SpyBot or Ad-aware, just in case anything else was dropped by the trojan. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
 bd5150 join:2003-01-10 Medford, MA | reply to bd5150 Thanks everyone. Sorry I didn't respond more quickly. I'm installing a new Exchange 2K server at the same time... I will try your suggestions later on today. This thing is just annoying as hell. I'm watching all outgoing connections and haven't seen anything weird or out of the ordinary. I guess it hasn't executed...
Jim |
|