virus alert on my pc

From: MAP (anonymous_at_discussions.microsoft.com)
Date: 02/28/04


Date: Sat, 28 Feb 2004 06:20:16 -0800


>-----Original Message-----
>I ran Ad-Aware, during which my AVG virus guard warned
>me it had detected a virus called Java/ByteVerify and
>that I should run AVG to clear it. But when I do, it
>fails to find it.
>I can't find any reference to ByteVerify in virus
>encyclopaedias, and assume it's low risk. But can anyone
>give me more info on whether I need to kill it, and if
>so, how?

© 1995-2004 Symantec Corporation.
All rights reserved.
Trojan.ByteVerify
Discovered on: September 05, 2003
Last Updated on: October 21, 2003 06:59:13 PM

Trojan.ByteVerify is a Trojan Horse that exploits the
vulnerability described in Microsoft Security Bulletin
MS03-011 and could provide a hacker the ability to run
arbitrary code on an infected system.

Also Known As: Exploit-ByteVerify [McAfee],
Exploit.Java.Bytverify [KAV], JAVA_BYTVERIFY.A [Trend]
Type: Trojan Horse
Infection Length: various
Systems Affected: Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0111


 
Virus Definitions (Intelligent Updater) *: September 08, 2003
Virus Definitions (LiveUpdate) **: September 10, 2003

* Intelligent Updater definitions are released daily, but
require manual download and installation.
** LiveUpdate virus definitions are usually released every
Wednesday.


Wild:
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Threat Metrics
Wild: Low
Damage: Low
Distribution: Low


Damage

Payload:
Compromises security settings: Allows unauthorized
execution of arbitrary commands.

When Trojan.ByteVerify is executed, it performs the
following actions:

Escapes the sandbox restrictions, using Blackbox.class,
by doing the following:

Declares a new PermissionDataSet with setFullyTrusted set
to TRUE.
Creates a trusted PermissionSet.
Sets permission to PermissionSet by creating its own
URLClassLoader class, derived from the VerifierBug.class.

Loads Beyond.class using the URLClassLoader from
Blackbox.class.

Gains unrestricted rights on the local machine by
invoking the .assertPermission method of the PolicyEngine
class in Beyond.class.

Opens the Web page, http://www.clavus.net/lst.backs, and
parses the text that this site displays.

For example, the entry SP|www.ewebsearch.net/sp.htm means
that the Internet Explorer Start Page will be set to
www.ewebsearch.net/sp.htm.

Several pornographic links are added into the favorites.

May attempt to retrieve dialer programs and install them
on the infected computer. The dialer programs may attempt
to connect the infected computer to pornographic Web
sites.

--------------------------------------------------------------------------------
Notes:
Trojan.ByteVerify will typically arrive as a component of
other malicious content. An attacker could use the
compiled Java class file to execute other code. The file
will likely exist as VerifierBug.Class. For example, an
attacker could create a .html file that uses the Trojan,
and then create a script file that will perform other
actions, such as setting the Internet Explorer Start
Page.
Notification of infection does not always indicate that a
machine has been infected; it only indicates that a
program included the viral class file. This does not mean
that it used the malicious functionality.
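Added here as an example (not part of the Symantec write-up or the original post): a scanner that flags a file merely because it includes the ByteVerify classes is doing roughly the following, reading the Java class file's constant pool and reporting which of the names above (Beyond, PolicyEngine, assertPermission, and so on) the class references. The two sample class files are constructed inline; the PolicyEngine package path and the method descriptor are assumptions, not values taken from the page.

```python
import struct
# Indicator names from the write-up above (simple names only; the page gives no package paths).
BYTEVERIFY_INDICATORS = ("VerifierBug", "Blackbox", "Beyond", "PolicyEngine",
                         "assertPermission", "PermissionDataSet", "setFullyTrusted")
# Byte size of every fixed-width constant pool entry, keyed by tag (tag 1, Utf8, is variable).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, value)} for a class file's constant pool; nothing past it is read."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]         # constant_pool_count = entries + 1
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]; pos += 1
        if tag == 1:                                      # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack_from(">H", data, pos)[0]
            pool[idx] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace")); pos += 2 + n
        elif tag in FIXED_SIZE:
            raw = data[pos:pos + FIXED_SIZE[tag]]; pos += FIXED_SIZE[tag]
            pool[idx] = (tag, struct.unpack(">H", raw)[0] if tag in (7, 8, 16, 19, 20)
                         else struct.unpack(">HH", raw) if tag in (9, 10, 11, 12, 17, 18) else raw)
            if tag in (5, 6):                             # Long/Double occupy two pool slots
                idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 1
    return pool

def byteverify_indicators(data: bytes) -> list:
    """Indicators the class references (class names, tag 7, and member names via tag 12)."""
    pool = parse_constant_pool(data)
    names = ({pool[v][1] for t, v in pool.values() if t == 7}
             | {pool[v[0]][1] for t, v in pool.values() if t == 12})
    return sorted(i for i in BYTEVERIFY_INDICATORS if any(i in n for n in names))

# Constructed sample class files (header + constant pool only; the parser reads no further).
def _utf8(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
def _cls(i): return b"\x07" + struct.pack(">H", i)
def _nat(n, d): return b"\x0c" + struct.pack(">HH", n, d)
def _class_file(entries):
    slots = sum(2 if e[0] in (5, 6) else 1 for e in entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 46, slots + 1) + b"".join(entries)
SUSPECT_CLASS = _class_file([
    _utf8("Beyond"), _cls(1),                             # 1,2: class named in the write-up
    _utf8("PolicyEngine"), _cls(3),                       # 3,4: package path omitted (assumption)
    _utf8("assertPermission"), _utf8("()V"), _nat(5, 6),  # 5-7: descriptor "()V" is constructed
    b"\x05" + bytes(8),                                   # 8,9: a Long, exercising the two-slot rule
])
BENIGN_CLASS = _class_file([_utf8("Hello"), _cls(1), _utf8("java/lang/Object"), _cls(3)])
```

A hit from this check has the same meaning the note above gives it: the class file is present, not that its code ran.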

--------------------------------------------------------------------------------

Symantec Security Response encourages all users and
administrators to adhere to the following basic
security "best practices":

Turn off and remove unneeded services. By default, many
operating systems install auxiliary services that are not
critical, such as an FTP server, telnet, and a Web
server. These services are avenues of attack. If they are
removed, blended threats have fewer avenues of attack and
you have fewer services to maintain through patch
updates.
If a blended threat exploits one or more network
services, disable, or block access to, those services
until a patch is applied.
Always keep your patch levels up-to-date, especially on
computers that host public services and are accessible
through the firewall, such as HTTP, FTP, mail, and DNS
services.
Enforce a password policy. Complex passwords make it
difficult to crack password files on compromised
computers. This helps to prevent or limit damage when a
computer is compromised.
Configure your email server to block or remove email that
contains file attachments that are commonly used to
spread viruses, such as .vbs, .bat, .exe, .pif and .scr
files.
Isolate infected computers quickly to prevent further
compromising your organization. Perform a forensic
analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are
expecting them. Also, do not execute software that is
downloaded from the Internet unless it has been scanned
for viruses. Simply visiting a compromised Web site can
cause infection if certain browser vulnerabilities are
not patched.

The following instructions pertain to all current and
recent Symantec antivirus products, including the
Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected
as Trojan.ByteVerify.

For specific details on each of these steps, read the
following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend
that you temporarily turn off System Restore. Windows
Me/XP uses this feature, which is enabled by default, to
restore the files on your computer in case they become
damaged. If a virus, worm, or Trojan infects a computer,
System Restore may back up the virus, worm, or Trojan on
the computer.

Windows prevents outside programs, including antivirus
programs, from modifying System Restore. Therefore,
antivirus programs or tools cannot remove threats in the
System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your
computer, even after you have cleaned the infected files
from all the other locations.

Also, a virus scan may detect a threat in the System
Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read
your Windows documentation, or one of the following
articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to
disabling Windows Me System Restore, see the Microsoft
Knowledge Base article, "Antivirus Tools Cannot Clean
Infected Files in the _Restore Folder," Article ID:
Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus
definitions for quality assurance before they are posted
to our servers. There are two ways to obtain the most
recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain
virus definitions: These virus definitions are posted to
the LiveUpdate servers once each week (usually on
Wednesdays), unless there is a major virus outbreak. To
determine whether definitions for this threat are
available by LiveUpdate, refer to the Virus Definitions
(LiveUpdate).
Downloading the definitions using the Intelligent
Updater: The Intelligent Updater virus definitions are
posted on U.S. business days (Monday through Friday). You
should download the definitions from the Symantec
Security Response Web site and manually install them. To
determine whether definitions for this threat are
available by the Intelligent Updater, refer to the Virus
Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available.
Read "How to update virus definition files using the
Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for
at least 30 seconds, and then restart the computer in
Safe mode or VGA mode.
For Windows 95, 98, Me, 2000, or XP users, restart the
computer in Safe mode. For instructions, read the
document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that
it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the
document, "How to configure Norton AntiVirus to scan all
files."
For Symantec AntiVirus Enterprise products: Read the
document, "How to verify that a Symantec Corporate
antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with
Trojan.ByteVerify, click Delete.
 
 
 
 


