
Java Deployment, or sneaky virus?

Updated: 02 Mar 2009 | 5 comments
Today I pushed out endpoint client to three machines on my network. As soon as the machines were installed one of the computers came up with several "viruses". All of them were found in c:/Documents and Settings/greg/Application Data/Sun/Java/Deployment/. All were cleaned by deletion except two: Multiple Risks c:/Documents and Settings/greg/Application Data/Sun/Java/Deployment/cache/6.0/28/2d5707dc-746d7956 and Trojan.ByteVerify c:/Documents and Settings/greg/Application Data/Sun/Java/Deployment/cache/6.0/43/5e5fc46b-16f83ebd. The computer does not have any of the problems that Symantec says it should if it has a trojan.byteverify virus. Are these legitimate Java files that are giving a false positive or are these viruses? Thanks in advance for any help.



Message Edited by CoveWolf on 06-03-2008 01:31 PM


Comments

CoveWolf (04 Jun 2008):

Am I the only one with this problem or is this the wrong place to ask about it?
Sandeep Cheema (04 Jun 2008):

I don't think that it's a false positive, knowing the fact that the byte verifier exists in the class files.

Trojan.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code. The file will likely exist as VerifierBug.Class. For example, an attacker could create a .html file that uses the Trojan, and then create a script file that will perform other actions, such as setting the Internet Explorer Start Page.

Thus the symptoms of the machine depend on how the Java file has been written to be, which is now a class file.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

CoveWolf (04 Jun 2008):

Do you recommend we delete the file? When we scanned it on the local computer it did not detect it as a virus.
Senrats (19 Apr 2010):

Yes, we get similar SEP alerts for Java...

I always delete and run a full scan. It might be a false positive, but I like to be on the safe side.

Here's an example:
Risk name: Trojan Horse
File path: c:\Documents and Settings\%USER%\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\qq.jar-6ed9a861-53005355.zip>>A.class

The risk name is generic.

"Trust, but verify."

Mbrash (01 Jun 2010):

I receive similar alerts as well...

I receive similar alerts as well. I've been deleting the files and re-scanning the computer. I would be interested if this is the proper method to remove these potential threats.
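A triage helper for alerts like the ones in this thread, added here as an example and not code from the thread or from Symantec: it walks the Java Deployment cache quoted above and, for each cached object, records its SHA-256, whether it is a single class file or a jar, the class names inside a jar, and the origin URL so the entry can be matched to the site that served it. It assumes each cached object NAME has a NAME.idx sidecar whose bytes contain the origin URL as readable text (the index format itself is not parsed), and the sample cache it builds is constructed, not real data.

```python
import hashlib
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption (not from the thread): each cached object NAME has a NAME.idx sidecar
# holding its origin URL as a readable string; the index format itself is not parsed.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every compiled Java class file starts with this

def describe(path):
    # Triage record for one cached file: SHA-256, kind, and contained class names
    data = Path(path).read_bytes()
    rec = {"path": path, "sha256": hashlib.sha256(data).hexdigest(), "kind": "other", "classes": []}
    if data.startswith(CLASS_MAGIC):
        rec["kind"] = "class"
    elif zipfile.is_zipfile(path):  # a jar is a zip archive
        rec["kind"] = "jar"
        with zipfile.ZipFile(path) as z:
            rec["classes"] = sorted(n for n in z.namelist() if n.endswith(".class"))
    return rec

def origin_urls(idx_path):
    # Origin URL(s) found in the .idx sidecar, or [] when there is no sidecar
    data = Path(idx_path).read_bytes() if os.path.isfile(idx_path) else b""
    return sorted({m.decode("ascii") for m in URL_RE.findall(data)})

def inventory(cache_root):
    # Walk the deployment cache and return one record per cached object (sidecars skipped)
    records = []
    for dirpath, _, names in os.walk(cache_root):
        for name in (n for n in names if not n.endswith(".idx")):
            rec = describe(os.path.join(dirpath, name))
            rec["origin"] = origin_urls(rec["path"] + ".idx")
            records.append(rec)
    return sorted(records, key=lambda r: r["path"])

def build_sample_cache(root=None):
    # Constructed sample mirroring the cache layout quoted in the thread (not real data)
    root = root or tempfile.mkdtemp()
    d = Path(root, "cache", "6.0", "43")
    d.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(d / "5e5fc46b-16f83ebd", "w") as z:
        z.writestr("A.class", CLASS_MAGIC + b"\x00\x00\x00\x32")
    (d / "5e5fc46b-16f83ebd.idx").write_bytes(b"\x00\x03http://example.invalid/applet/qq.jar\x00")
    (d / "2d5707dc-746d7956").write_bytes(CLASS_MAGIC + b"\x00\x00\x00\x32")
    return str(Path(root, "cache"))
```

Running `inventory()` against a real profile's Deployment/cache directory gives the hash to look up against the vendor's detection details and the origin URL to decide whether the applet was expected on that machine.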