help: virus infections in Sun Java ???

[dodecahedron]

OK today my computer, for the second time in it's life, detected a virus. according to Norton, it's Trojan Horse Virus (last time it was Downloader.Trojan).
6 files: Dummy.class, RunString.class, Parser.class inside a zipfile, and 3 more files with same names inside another zipfile.
both zips were at:
D:\Documents and Settings\<user>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\<infected zipfile>.
same thing in the previous (first) time - infected zipfile at the same location.

1. why didn't Norton AntiVirus catch it when the file was loaded into the computer? (the virii were detected during a manual scan of the entire computer, not by a running detection service).

2. what's up with this Java getting infected?
i installed Sun Java a while ago (can't remember why), obviously these two infections happened after. what's up with that? is Sun Java more susceptible? never had a virus before (when apprently was using MS Java).
in IE -> Tools -> Internet Options -> Advanced, under Java (Sun) i have Use Java 2 v1.4.2 for <applet> checkmarked. under Microsoft VM i have JIT compiler for virtual machine enabled checked. as far as i understand both Sun and MS are active?

should i dispose of Sun Java? how exacly do i do this?
should i diable the Use Java 2 v1.4.2 for <applet> in IE and then uninstall Java 2 Runtime Environment, SE v1.4.2 from the control panel)? anything else needs to be done to enable MS Java?
in the Tools -> ... under Microsoft VM there are two more checkboxes marked Java console enabled and Java logging enabled. currently unchecked. should i check them?

any assistance welcome

[VEFF]

1. Do you ever disable NAV?
e.g. during burning... Even once is enough for a virus to potnetially creep through, if the timing is right.
Are you running firewall / internet security software, assuming you're using broadband and not dial-up access?

I always run anti-virus software in conjunction with internet security
protection software.

2. Not sure.
My only occasional infections (certain sites that I avoid after finding out they propagate the infections) are also Java infections!

[dodecahedron]

1. Do you ever disable NAV?
e.g. during burning... Even once is enough for a virus to potnetially creep through, if the timing is right.
Are you running firewall / internet security software, assuming you're using broadband and not dial-up access?

emphatically NO!
NAV always running, NPF always running.

2. Not sure.
My only occasional infections (certain sites that I avoid after finding out they propagate the infections) are also Java infections!

curious. why won't NAV+NPF catch them?

[Justin42]

I am wondering if this is really a virus, even. NAV seems to be the product I hear about most often with regards to false-positives.

Can you uninstall NAV and either get a freeware virus scanner, or use one of the online ones (just disable NAV) for a "second opinion"?

I've been running Sun Javas for years and have never had a virus... (running the McAfee corporate line of virus scanners..) And it's not really Java "getting infected", those files are stored in Java's cache... you're probably going to a website that is infecting your machine with malicious Java code. It's like if a script file in your browser cache was really a virus, you'd see a virus in "Temporary Internet Files" or "Cache" but that doesn't mean the browser is infected...

What is the exact name of the virus that it's detecting now? (I searched Norton's site and couldn't find what you are describing)

[Robotnik]

AV software only catches virii which it knows about. A new virus could infect your computer in the time it takes for Symantec to learn about the virus, makes its signature available for download in an update to NAV and for you to actually download that update.

[dodecahedron]

And it's not really Java "getting infected", those files are stored in Java's cache... you're probably going to a website that is infecting your machine with malicious Java code. It's like if a script file in your browser cache was really a virus, you'd see a virus in "Temporary Internet Files" or "Cache" but that doesn't mean the browser is infected...

yes. i was thinking maybe it's something like this.
i didn't think the Java 2 Runtime Environment, SE v1.4.2 itself is infected, but somehow malicious Java code is getting into my computer. the thing is that this has happened only twice, after i installed the Sun Java, and never happened before (when presumably i was using MS Java). of course this doesn't mean it's the Sun Java at fault, but i was thinking maybe it's more vulnerable???

hence also my question as to how to disable/uninstall Sun Java and re-enable MS Java.
as an aside: is there any benefit to using Sun Java over MS Java? any better?


as for the virus infections:

incident 1:
file: Colors.class, inside:
D:\Documents and Settings\xxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\tb.jar-796b13a3-19e66705.zip
virus: Downloader.Trojan
http://securityresponse.symantec.com/av ... rojan.html

incident 2:
files: Dummy.class, Parser.class, RunString.class inside:
D:\Documents and Settings\xxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\check.jar-3be13a1d-6ff4bf99.zip
files: Dummy.class, Parser.class, RunString.class inside:
D:\Documents and Settings\xxx\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\check.jar-3457aba0-38ea33f4.zip
virus: Downloader.Trojan
http://securityresponse.symantec.com/av ... 25464.html (not very informative, i know)

any suggestions?

[Justin42]

Well, the thing is, Java is a fairly secure environment-- unless you're running apps with major spyware, or aren't running a fully patched system, Java applets really can't just create these files or spread things on your machine. So there's something else...

Trojan horses are usually spread when you run an app... something makes me think somehow something else got on your system, and installed this which just happens to run Java. I'm wondering if some website you visit uses a Java based downloader program (which happens to be this trojan horse or something).

The thing about MS Java is that it is based on a very old version of "real" Java (1.0.2?) so some applets won't run. Sun Java is the "standard" (of course, just like many sites code to IE instead of HTML standards, some sites code to MS Java and not "real" Java) so theoretically, Sun Java would be better.

You probably didn't see this with MS Java because I don't think that one has a cache of any kind-- you can turn off the Sun Java cache (in the more recent versions at least) in the "Java Plug In" settings in Control Panel (on my version, you go to the "cache" tab and uncheck "enable caching".

[update: at least on my system, running Sun Java 1.4.2_01, you can click a "View" button on the "cache" tab, which shows which applets it's caching and what site you downloaded them from.. might be helpful..]

I would try to figure out what site you visit is dropping that applet onto your system...

Personally, I've run Sun's Java since 97 and have never had any issues with it on various systems.

[dodecahedron]

thanks a lot for the expalantions. (not that i understood everything )

as for your explanation for the infection, i'm still not clear as to why NAV didn't catch on to it. just like it monitors emails, file downloads, scripts etc. i thought it monitors Java code that is loaded ??? and should have caught those files.

you said "fully patched system". i'm on XP without SP1. could that have anything to do with it?

as for your explanation of Sun vs. MS Java, i'll stay with Sun.

thanks for the tip about the Cache viewer (i was aware of the Plug-in Control Panel, but not of the cache viewer). very useful.
now i just have to wait to be infected again to see the infected file in the viewer and hopefully discover what site it's coming from.

[Justin42]

First thing, you should definitely update with as many patches as you can... You should go to Windows Update and grab all the critical updates-- Microsoft have released a ton as of late, many of which are vulnerabilities which allow stuff to be placed on your system without your knowledge.

I'd really suggest XP SP1, if you can. At the very least, go to http://www.microsoft.com/technet/ and grab all the updates for XP.. (there are going to be a ton...)

Are you running a good firewall? (Zonealarm, hardware of some sort?)

As for the Java babble from above... basically, it's not Java being vulnerable to viruses-- Java can't write files to your hard drive (unless you are running an actual application written in Java, LimeWire is an example). An applet running in a browser window can't write a file to your local hard drive. So the Java that you run doesn't change your exposure to viruses/trojans-- something else is causing this applet to come onto your system. It's most likely either someone using a known Windows exploit to put the code on your system without your knowledge, or a web site that calls the applet. You might want to search the virus names on www.deja.com (Google Groups) to see if anyone mentions anything....

Not sure why Norton didn't catch them on the time. As suggested, maybe your virus definitions weren't up to date at the time the files were downloaded, or maybe you have Norton set up to only scan certain types of files. (I am not familiar with Norton, but most virus scanners let you set levels of on-access scanning-- executables only, all files, etc-- look for that setting and set it to "all files". you lose a tiny bit of performance (probably very, very tiny considering the speed of modern CPUs) but it probably would explain why it wasn't caught).

My bias against Norton is showing, but you really might want to try a different product... like I said, I use ZoneAlarm + Mcafee VirusScan and have no problems with them.. I have nothing but trouble with Norton software... I know many others would say McAfee sucks and swear by Norton... depends on your system.

[dodecahedron]

yeah <sigh> i guess i should make the time to do the SP1 upgrade.

i am extremely pedantic about having the latest updates for Norton AntiVirus and Personal Firewall, so i don't think that's the issue. and also, to the best of my knowledge, all the settings are set at the highest security possible.

perhaps Norton isn't very good, like you hint.

i can't be bothered now to experiment with new AV and firewall software, but perhaps some other time.
till then i guess i'll just have to keep my fingers crossed!

i am extremely grateful for your assistance and explanations, Justin. thanks a lot