Geek Culture / Trojan.ByteVerify VIRUS!

Author
Message
Phoenix4
21
Years of Service
User Offline
Joined: 5th Oct 2003
Location:
Posted: 4th Jan 2004 21:43
I have found out what the problem is. I have a trojan called

Trojan.ByteVerify

This is what I found out about it from: http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

When Trojan.ByteVerify is executed, it performs the following actions:

1. Escapes the sandbox restrictions, using Blackbox.class, by doing the following:
   a. Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
   b. Creates a trusted PermissionSet.
   c. Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.
2. Loads Beyond.class using the URLClassLoader from Blackbox.class.
3. Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.
4. Opens the Web page, http://www.clavus.net/lst.backs, and parses the text that this site displays.
   For example, SP|www.ewebsearch.net/sp.htm means that the Internet Explorer Start Page will be set up to www.ewebsearch.net/sp.htm
5. Several pornographic links are added into the favorites.
6. May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.


Trojan.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code. The file will likely exist as VerifierBug.Class. For example, an attacker could create a .html file that uses the Trojan, and then create a script file that will perform other actions, such as setting the Internet Explorer Start Page.
Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.
CattleRustler
Retired Moderator
21
Years of Service
User Offline
Joined: 8th Aug 2003
Location: case modding at overclock.net
Posted: 4th Jan 2004 21:51
sick.

-RUST-

VB.NET makes me all goose-pimply! http://www.mod2software.com
the_winch
21
Years of Service
User Offline
Joined: 1st Feb 2003
Location: Oxford, UK
Posted: 4th Jan 2004 22:25
I hope you didn't trust them with your credit card info

dbpro : 2ghz p4m : 512mb : geforce 4 4200 go
Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 4th Jan 2004 22:25
The only trojan I ever had was, on second thought I won't finish that sentence. Kids are present.
But I did have subseven before, that was fun. And when win2k came out, the server couldn't run on it, but the client could. Meaning I couldn't be infected from it at the time, but I could control it from mine. That was fun.
DK_
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location:
Posted: 5th Jan 2004 00:45 Edited at: 5th Jan 2004 00:46
I changed my name from Phoenix4 to Phoenix5002
Ok. I have found a .dll on my comp that does all the work of this virus that I listed at the top. It is called

mshp.dll

it is located at:

C:\WINDOWS

I can't get rid of it. If I delete it it is gone, but as soon as I open internet explorer again the file suddenly comes back. Is there a way to be completely rid of this file, or to somehow detect what keeps putting it back?
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 5th Jan 2004 01:04
You could try deleting it, then set the folder to "read-only". That might stop it at least for a bit.


Team EOD :: Programmer/Storyboard Assistant
DK_
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location:
Posted: 5th Jan 2004 01:25
That doesn't work HZence. It won't allow me to do it to certain files in that folder and

mshp.dll

is one of them
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 5th Jan 2004 01:41
Make a system boot disk and delete that DLL. I had something similar when I caught something called a transponder.
If you want to feel safer about it, copy it to the floppy then delete it off your system in case it's a required file.
DK_
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location:
Posted: 5th Jan 2004 01:46
But when I delete the DLL it doesn't come back until I open Internet Explorer, which is why I think that there is a file somewhere that runs every time Internet Explorer does, and if the DLL doesn't exist it recreates it. So I think my best bet is to somehow track down what file is making that dang DLL every time I delete it.
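One way to look for whatever loads the DLL when Internet Explorer starts, as an added example that is not part of any post in this thread: the script lists registry values under the logon Run keys and under each registered Browser Helper Object that mention the DLL name, and prints the current Internet Explorer Start Page. That the DLL is registered through one of these load points is an assumption, not something the thread states.

```powershell
# Added example (not from the thread): find registry load points that
# reference a DLL by name and show the current IE Start Page.
param([string]$DllName = 'mshp.dll')   # file name taken from the post above

function Get-RegistryValues([string]$KeyPath) {
    # Emit every value (name and data) stored directly under one key.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key  = $KeyPath
            Name = $name                      # '' is the key's default value
            Data = [string]$key.GetValue($name)
        }
    }
}

# Autostart keys: commands listed here run at every logon.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Browser Helper Objects: Internet Explorer loads the DLL registered under
# InprocServer32 for each CLSID listed below this key whenever it starts.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhoKeys = @(Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue |
    ForEach-Object { "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32" })

# Collect the values and keep only those whose data mentions the DLL name.
$values = @(($runKeys + $bhoKeys) | ForEach-Object { Get-RegistryValues $_ })
$hits   = @($values | Where-Object { $_.Data -like "*$DllName*" })

if ($hits.Count -eq 0) {
    Write-Output "No Run or BHO entry references $DllName."
} else {
    $hits | Format-List Key, Name, Data
}

# The Start Page is the setting the "SP|" directive described above changes.
Get-RegistryValues 'HKCU:\Software\Microsoft\Internet Explorer\Main' |
    Where-Object { $_.Name -eq 'Start Page' } |
    Format-List Key, Name, Data
```

An empty result only rules out these two load points; the DLL can still be written back by something registered elsewhere.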
Rob K
Retired Moderator
22
Years of Service
User Offline
Joined: 10th Sep 2002
Location: Surrey, United Kingdom
Posted: 5th Jan 2004 02:57
They always say that prevention is better than cure, so follow these steps to avoid catching nasty viruses:

1. Install a decent anti-virus program, eg: Norton AV
2. Install a firewall - this disables most trojans, or at least alerts you to their presence. Set your firewall to scan in and outgoing email (it will do this by default)
3. Don't use Internet Explorer as a web browser
4. Don't use Outlook as an email client
5. If you have any fairly inexperienced users using the PC, take 5 minutes to teach them about internet security. (In my case this was simple - if a program asks to access the internet, and you don't know what it is, click NO. Don't click the blue E, click the Red dragon instead)


BlueGUI Plugin: http://blue.robert-knight.net / BlueIDE http://blueide.sf.net - Free Replacement editor for DBPro
malikm
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location: United States
Posted: 5th Jan 2004 03:08
Trojans aren't the easiest of the viruses to get rid of. I suggest Norton... that seems to help a lot. If a virus does get through the firewalls, I know how to get rid of 'em!!!

9 out of the 10 voices in my head say i'm perfectly sane.
DK_
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location:
Posted: 6th Jan 2004 18:18
I have found out a few new things since my last post. It's probably nothing, but I found two new files called zonedoff and zonedon, and they are regedit files.
zonedoff contains this:



and zonedon contains this:



I am just wondering if I should be worried about this.
the_winch
21
Years of Service
User Offline
Joined: 1st Feb 2003
Location: Oxford, UK
Posted: 6th Jan 2004 19:38
Probably time for a format if you can't get rid of it, then take more care in the future.

dbpro : 2ghz p4m : 512mb : geforce 4 4200 go
DK_
20
Years of Service
User Offline
Joined: 4th Jan 2004
Location:
Posted: 6th Jan 2004 22:53
Thank you sooo much for all of your help!!
It's been about four days since I contracted this virus and I just couldn't take it anymore so I finally did a format and I am now Virus FREE!!
It was a pain in the rear though but I can finally rest at ease now.
