NOD32---Found infected .jar file, but only gave me "LEAVE" button


NOD32 (demo) found a .jar file in the java cache, but all the buttons but
"Leave" were grayed out.  No delete, no clean, no nuthin.  There was a "copy
to quarantine" checkbox there, but it of course left the file in place.  I
had to go find it and delete it myself.

1. Why?

and

2. Further, NOD32 cannot clean within archives, is that correct?

Thanks so much!


--
Forgetthesong,I'dratherhavethefrontallobotomy...



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas G. Marshall wrote:

I don't know why it does this. One could say that an infected archive may
have something wanted in it, but then it can be restored from quarantine.


I have seen it delete files from self-extracting archives but not zip files
(jar is a zip file). It will prevent infected archives being written to
disk or downloaded, though.

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEwh+m7uRVdtPsXDkRAgKEAJ9RL2VTiNzAbiIkxfRfJFZ7JFR7xQCeKdbb
wTSz4hgQzTLZE07qJIh74Zs=
=d1Xf
-----END PGP SIGNATURE-----

Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button


|
| NOD32 (demo) found a .jar file in the java cache, but all the buttons but
| "Leave" were grayed out.  No delete, no clean, no nuthin.  There was a "copy
| to quarantine" checkbox there, but it of course left the file in place.  I
| had to go find it and delete it myself.
|
| 1. Why?
|
| and
|
| 2. Further, NOD32 cannot clean within archives, is that correct?
|
| Thanks so much!
|

You had a Trojan or Exploit in a .CLASS file inside a Java Jar, a ZIP-type
file.
AV software can't pull an infected file from an archive file and then repack
the archive. It can only scan the contents of an archive file and deal with
the whole archive file. This includes such file types as CHM, CAB, ZIP, LZH,
etc.

Here are some suggestions for this type of situation...

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0.  There are vulnerabilities in them and they are actively being
exploited.  It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any versions of Sun Java
prior to Version 5 on the PC, they be removed and Sun Java JRE/JSE Version 5.0
Update 7 be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07

http://www.java.com/en/download/manual.jsp

1)    Dump the contents of your IE cache -
        Start --> settings --> control panel --> Internet options --> delete files

2)    Dump the contents of the Mozilla Firefox cache { if you use Firefox }
        Tools --> Options --> Privacy --> Cache --> Clear

3)    Dump the contents of your Sun Java cache -
        Start --> settings --> control panel --> Java applet --> cache --> clear
          or
        Start --> settings --> control panel --> Java applet --> general -->
        settings --> delete files

4)    Re-scan your system using your anti virus software.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
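Dave's "simple check" above is done by eye in Explorer. As an added example (not code from the thread or from Sun), the following Python does the same check programmatically: it parses the folder names Sun's installers create under C:\Program Files\Java (the jre1.5.0_07 style the post cites, plus the older j2re1.4.2_xx naming) and lists every install older than a given minimum, defaulting to 5.0 Update 7 as the post recommends. The tree it scans here is a constructed temporary directory; point `find_stale_jres` at the real folder to run it on a machine.

```python
import os
import re
import tempfile

# Folder names Sun's installers used under the Java root, e.g. jre1.5.0_07
# (cited in the thread) or j2re1.4.2_12 (the 1.4-era prefix). The version is
# read out as (major, minor, micro, update); a missing _update means update 0.
_JRE_DIR = re.compile(r"^(?:j2re|jre|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$",
                      re.IGNORECASE)


def parse_jre_version(dirname):
    """Return (major, minor, micro, update) for a JRE folder name, else None."""
    m = _JRE_DIR.match(dirname)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def find_stale_jres(java_root, minimum=(1, 5, 0, 7)):
    """List JRE/JDK install folders under java_root older than `minimum`.

    Returns a sorted list of (folder_name, version_tuple). Files and folders
    that do not look like a Sun Java install are ignored, not reported.
    """
    stale = []
    for name in os.listdir(java_root):
        if not os.path.isdir(os.path.join(java_root, name)):
            continue
        ver = parse_jre_version(name)
        if ver is not None and ver < minimum:
            stale.append((name, ver))
    return sorted(stale)


def build_sample_tree():
    """Constructed stand-in for the Java root on a PC that auto-updated a few
    times without the old runtimes being removed (the situation Dave describes).
    """
    root = tempfile.mkdtemp(prefix="java_root_")
    for name in ("j2re1.4.2_03", "jre1.5.0_06", "jre1.5.0_07", "Readme.txt"):
        path = os.path.join(root, name)
        if name.endswith(".txt"):
            open(path, "w").close()
        else:
            os.mkdir(path)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name, ver in find_stale_jres(root):
        print("stale JRE: %s (%s)" % (name, ".".join(map(str, ver))))
```

The comparison is a plain tuple comparison, so 1.4.2_03 sorts below 1.5.0_06, which sorts below the 1.5.0_07 minimum; only folders that parse as a Sun Java install are considered, so a stray Readme.txt or an unrelated directory produces no false report.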



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

David H. Lipman said something like:

Absolutely not true.  NAV has no trouble whatsoever doing this.



Thanks.  Ironically, I'm a long time java engineer from the pre-1.0 beta
beginning, so these were my next steps anyway, but I appreciate the
thoroughness of your answer.  I use older JRE's for other reasons, so they
will stay put, or perhaps out of the way.



--
If I can ever figure out how, I hope that someday I'll
succeed in my lifetime goal of creating a signature
that ends with the word "blarphoogy".
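Dave's reply says an AV product cannot pull one infected member out of an archive and repack it; Thomas's reply says NAV does exactly that. The mechanics are the same either way: a zip (and a jar is a zip) has no way to cut a member out in place, so "cleaning inside the archive" means rebuilding the archive without that member. The following Python is an added example, not code from the thread or from any product named in it; the jar it operates on is constructed inside the script and its class entries are placeholder bytes, not real bytecode. It also checks for signature files under META-INF, because dropping entries from a signed jar invalidates the signature, a caveat the thread does not raise.

```python
import io
import zipfile

# A signed jar carries a .SF digest file plus a .RSA/.DSA signature block
# under META-INF; any change to the member set breaks that signature.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA")


def build_sample_jar():
    """Constructed jar standing in for the one NOD32 flagged in the Java cache.
    Entry contents are placeholder bytes; app/Loader.class plays the part of
    the detected class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("app/Main.class", b"\xca\xfe\xba\xbe benign")
        zf.writestr("app/Helper.class", b"\xca\xfe\xba\xbe benign")
        zf.writestr("app/Loader.class", b"\xca\xfe\xba\xbe flagged")
    return buf.getvalue()


def entry_names(jar_bytes):
    """All member names in the archive, sorted (what an archive scan walks)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def list_classes(jar_bytes):
    """Just the .class members, the entries a scanner would match on."""
    return [n for n in entry_names(jar_bytes) if n.endswith(".class")]


def is_signed(jar_bytes):
    """True if the jar carries a signature block under META-INF. A cleaner
    must treat that case differently (or refuse), since the rewrite below
    would leave a jar whose signature no longer verifies."""
    return any(n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
               for n in entry_names(jar_bytes))


def strip_entries(jar_bytes, names_to_drop):
    """Return a new archive without the named entries.

    The surviving members are copied into a fresh archive, which gets a new
    central directory. That full rewrite is the work a 'clean inside the
    archive' action has to do; it cannot be done by editing the original.
    """
    drop = set(names_to_drop)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in drop:
                continue
            # Reusing the ZipInfo keeps name, timestamp and compression method.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def is_intact(jar_bytes):
    """CRC-check every member; testzip() returns the first bad name or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.testzip() is None


if __name__ == "__main__":
    jar = build_sample_jar()
    print("signed:", is_signed(jar), "classes:", list_classes(jar))
    cleaned = strip_entries(jar, ["app/Loader.class"])
    print("after clean:", list_classes(cleaned), "intact:", is_intact(cleaned))
```

Whether a product offers this rewrite as a "clean" action is a product decision, not a property of the format; the practical reason to be careful with it is that the rebuilt jar is no longer byte-identical to what the application shipped, and for a signed jar it no longer verifies at all.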



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button



|
| Thanks.  Ironically, I'm a long time java engineer from the pre-1.0 beta
| beginning, so these were my next steps anyway, but I appreciate the
| thoroughness of your answer.  I use older JRE's for other reasons, so they
| will stay put, or perhaps out of the way.
|

Sure you can keep them but on a PC NOT connected to the Internet.

There are Trojans and adware currently exploiting the vulnerabilities in the
older versions of Sun Java.  These Trojans will traverse the  C:\Program Files\Java
tree looking for a vulnerable version to exploit.  The writers are well acquainted
with the fact that Sun Java auto-downloads new versions and doesn't remove old
versions.  This is part of the exploitation scheme.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David H. Lipman wrote:
<snip>

Surely if they're able to traverse a directory then they are executing
locally and you're infected no matter what version you're using? (Not that
I'm saying your approach on removing older versions is misguided)

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEwnrH7uRVdtPsXDkRAjNHAJ9O5GnB7uWu1MD3FUCKQZIyOS91gACeJFsI
Zaitido5ycQTefB5U66OiyU=
=h07v
-----END PGP SIGNATURE-----

Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

Adam Piggott said something like:

Ah...my post's intent overlaps yours.  I should have read through the
replies before responding.


--
"It's easier to be terrified by an enemy you admire."
-Thufir Hawat, Mentat and Master of Assassins to House Atreides



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button




Think in terms of an escalation path.



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button



| <snip>
|
| Surely if they're able to traverse a directory then they are executing
| locally and you're infected no matter what version you're using? (Not that
| I'm saying your approach on removing older versions is misguided)
|
| Adam Piggott, Proprietor, Proactive Services (Computing).
| http://www.proactiveservices.co.uk/
|

Adam:

Take two scenarios.

The first being a PC using the latest Sun Java.

The second being a PC with multiple versions, with at least one vulnerable
version of Sun Java.

In the first scenario you get a .CLASS file inside or outside a Java Jar and the
code within is executed.  Since the PC is not vulnerable all you have is an
exploitation attempt.

In the second scenario you get a .CLASS file inside or outside a Java Jar and
the code within is executed.  It finds a vulnerable version of Sun Java and
exploits the vulnerability, thus leading to the automatic download of a Trojan
or adware.  Most notable examples are the Vundo Trojan and the Virtumonde
adware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

"David H. Lipman" wrote:

[multiple java versions]


I don't see how there's a problem if the default JVM, which the
browser will have loaded to run the applet, is the non-exploitable
one. A malicious applet would have to load a new virtual machine by
searching the file system. I would be surprised if both operations
(traversing the local file system and executing a new JVM) are not
prohibited by the java security model or sandbox rules.



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

Ant wrote:

i seem to recall someone telling me it was possible to call arbitrary
versions of java through *javascript* (which is obviously not bound by
java's security rules)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

"kurt wismer" wrote:


Certainly javascript can instantiate and use java objects, but I can't
see from looking at the documentation how it can cause a particular VM
to be loaded.


Presumably there are limitations on what scripts are permitted to do
in the Internet zone, but I'm not clear about what they might be.



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

David H. Lipman said something like:

Hence the "out of the way" remark and I have a hard time seeing how
something that was going to be executed in JRE 1.x (high value x dictated
from the browser) could gain anything by attempting to access something
directly in *my filesystem* in JRE 1.y (y < x).

The .x would theoretically stop that, no?----once I'm compromised to that
point, why would it need the .y at all?  I'll have to think a bit more on
this---viral security manager work-arounds are not my "specialty" within
java.


--
"It's easier to be terrified by an enemy you admire."
-Thufir Hawat, Mentat and Master of Assassins to House Atreides



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button



|
| Hence the "out of the way" remark and I have a hard time seeing how
| something that was going to be executed in JRE 1.x (high value x dictated
| from the browser) could gain anything by attempting to access something
| directly in *my filesystem* in JRE 1.y (y < x).
|
| The .x would theoretically stop that, no?----once I'm compromised to that
| point, why would it need the .y at all?  I'll have to think a bit more on
| this---viral security manager work-arounds are not my "specialty" within
| java.
|

I am not the researcher.  Two MS MVPs did much work on this for almost a year,
Sandi H. and Steve W., and they are the ones best to explain it all.  All I can
say is see my reply to Adam P. and read the following which was disseminated
Feb. 7, 06.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
and
http://www.frsirt.com/english/advisories/2006/0467


Note:  It is now the end of July and Dell is /*STILL*/ shipping new computers
with the vulnerable version of Sun Java.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David H. Lipman wrote:

From my experience they also ship with malware on them so I'd avoid them
like the plague anyway!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEw1Nu7uRVdtPsXDkRAlYJAKCYJRCLD3ZSVsLk4TqspKO7PHzVXgCfegQM
OkC/LgTGW5lgs8KTdmULCRY=
=6Pr7
-----END PGP SIGNATURE-----

Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button


|
| From my experience they also ship with malware on them so I'd avoid them
| like the plague anyway!

Dell makes quality platforms.  However, it is my opinion to NEVER take the
default factory configuration.  Always wipe the computer and install the OS
from scratch.  This includes other vendors.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

David H. Lipman wrote:


Now you tell me, Dave. I will never, ever buy another computer with
an OEM installation of the OS.

This doesn't address the Java problem, does it?

Introducing the Dell De-Crapifier…
   (http://www.yorkspace.com/2006/04/38 )

Dell De-Crapifier by Jason York
   (http://www.yorkspace.com/wp-content/DellDe-Crapifier-1.0.au3 )

Ron :)

Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button



|
| Now you tell me, Dave. I will never, ever buy another computer with
| an OEM installation of the OS.
|
| This doesn't address the Java problem, does it?
|
| Introducing the Dell De-Crapifier…
|    (http://www.yorkspace.com/2006/04/38 )
|
| Dell De-Crapifier by Jason York
|    (http://www.yorkspace.com/wp-content/DellDe-Crapifier-1.0.au3 )
|
| Ron :)

I recently was given an IBM ThinkPad T60 with a biometric finger device.
What a pain that notebook was!  First there was a modification to LSA that made
adding the notebook to the Domain more than difficult.

Second, the biometric finger device interfered with Smart Card Domain
Authentication.  It defaulted to wanting finger identification and when a Smart
Card was inserted it would not ask for the PIN.

If it wasn't a one-shot deal, I would have wiped it and installed the OS and
apps from scratch and then created a Ghost image.  Hopefully I won't get another
T60 but if I do....
:-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: NOD32---Found infected .jar file, but only gave me "LEAVE" button

David H. Lipman said something like:


It doesn't take someone as clinically paranoid as I to be suspect of
installations done by an outside party.  In any case, I like reclaiming the
partition that Dell likes to use for their "diagnostics".



--
Very old classic: Three men check into a hotel: the
room is $25 for the night.  They each hand the bellhop
$10 and ask him to bring back the change.  When the
bellhop returns with the $5 change, the men figure it's
easiest math to give $1 back to each of them and leave
$2 to the bellhop as a tip.  Now each man paid $9 for
a total of $27.  The bellhop got $2, that makes $29.
What happened to the last $1?
Answer (rot13): Unir gb or pnershy ubj lbh nqq guvf hc.
Gur guerr zra cnvq $27 gbgny, BHG BS JUVPU $2 jrag gb
gur oryyubc.


