Discussion Starter · #1 ·
1. What is jpi_cache?
Today, 04 Feb 2005, my NAV 2004 detected 3 files infected by Trojan.ByteVerify.

The compressed file VB.class within C:\Documents and Settings\user_name\.jpi_cache\jar\1.0\archive.jar-2178ee9f-58587eb5.zip is infected with the Trojan.ByteVerify virus.

Windows 2000 Pro SP4
I obtained the MS03-011 (816093) update during 2004.
ZA Pro 5.5

Recently, I downloaded some music from emusic.com. I suspect that the infection came from one of those downloads.

I have read: http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

2. Did the Microsoft update protect me from the problems noted at Symantec's site?

I refer to:

Technical details

When Trojan.ByteVerify is executed, it performs the following actions:

Escapes the sandbox restrictions, using Blackbox.class, by doing the following:

Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
Creates a trusted PermissionSet.
Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.

Loads Beyond.class using the URLClassLoader from Blackbox.class.

Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.

Opens the Web page, http://www.clavus.net/lst.backs, and parses the text that this site displays.

For example, SP|www.ewebsearch.net/sp.htm means that the Internet Explorer Start Page will be set to www.ewebsearch.net/sp.htm

Several pornographic links are added into the favorites.

May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.

B123
 

1. Click Start | Settings | Control Panel
2. Click the Java Plugin Icon
3. Click the Cache tab
4. Click the Clear button and click OK to confirm

Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel
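Before clearing, a defender usually wants to know which cached archives actually carry the classes Symantec names for ByteVerify. The script below is an added example, not code from this thread or from Symantec: it walks a .jpi_cache tree and reports any archive containing those class names. The sample cache it builds, including the archive name taken from the first post, holds placeholder bytes, not real bytecode.

```python
import tempfile
import zipfile
from pathlib import Path

# Class names Symantec lists for Trojan.ByteVerify (quoted in the first post).
BYTEVERIFY_CLASSES = {"VerifierBug.class", "Blackbox.class", "Beyond.class", "VB.class"}


def scan_jpi_cache(cache_root):
    """Walk a .jpi_cache tree and return {archive_path: [matched class names]}
    for every zip/jar whose entries include a ByteVerify-associated class."""
    findings = {}
    for path in Path(cache_root).rglob("*"):
        if not path.is_file() or not zipfile.is_zipfile(path):
            continue  # cache index files and non-archives are skipped
        with zipfile.ZipFile(path) as zf:
            # Compare on the bare file name so packaged paths like a/b/VB.class still match.
            names = {Path(n).name for n in zf.namelist()}
        hits = names & BYTEVERIFY_CLASSES
        if hits:
            findings[str(path)] = sorted(hits)
    return findings


def build_sample_cache(root):
    """Constructed sample: one archive mirroring the infected name from the thread,
    plus one benign applet jar. Contents are placeholder bytes, not real classes."""
    jar_dir = Path(root) / ".jpi_cache" / "jar" / "1.0"
    jar_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(jar_dir / "archive.jar-2178ee9f-58587eb5.zip", "w") as zf:
        zf.writestr("Blackbox.class", b"placeholder")
        zf.writestr("VB.class", b"placeholder")
    with zipfile.ZipFile(jar_dir / "clean.jar-00000000-00000000.zip", "w") as zf:
        zf.writestr("com/example/Hello.class", b"placeholder")
    return jar_dir


def demo():
    """Build the sample cache in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return scan_jpi_cache(Path(tmp) / ".jpi_cache")


if __name__ == "__main__":
    for archive, classes in demo().items():
        print(f"{archive}: {', '.join(classes)}")
```

On a real machine, point scan_jpi_cache at each profile's .jpi_cache directory (C:\Documents and Settings\<user>\.jpi_cache on Windows 2000) and review the hits before clearing the cache.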
 