#1 |
Cleverly disguised as a responsible adult
Join Date: Jan 2001
Location: Dallas, TX
Posts: 3,338
|
I seem to have picked up a trojan horse virus. NAV found it but can't seem to delete it.
It resides in my IE5 directory and is named c.js. According to the Symantec website this virus is new and allows Java applets to run remotely on my computer. Anyone know how to remove this virus or plug the hole?
Brian
__________________
Never be afraid to tell the world who you are. -- Anonymous
#2 |
in the Hour of Scampering
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
|
Maybe you could post the virus name from the page at Symantec? From what you say it sounds like a JavaScript virus; that wouldn't have anything to do with Java applets.
Or is this what you have? http://securityresponse.symantec.com...ta/nono.a.html
__________________
"Neither can his Mind be thought to be in Tune, whose words do jarre; nor his reason In frame, whose sentence is preposterous..."
#3 |
Cleverly disguised as a responsible adult
Join Date: Jan 2001
Location: Dallas, TX
Posts: 3,338
|
No, that's not it. Its name is JS.Exception.exploit
It is located at c:\windows\temporary internet files\content.ie5\opc3c101
It looks like a Java file, but I'm not too sure. All I know is that neither NAV nor SwatIt can get rid of it. I did delete the infected file, but I don't have a new copy so I'm going to download the whole enchilada. I hope this fixes the problem.
Brian
__________________
Never be afraid to tell the world who you are. -- Anonymous
#4 |
Syndrome of a Down
Join Date: Jun 2001
Location: West Chester
Posts: 1,367
|
I found this one on my dad's computer last week, when I was putting Norton Internet Security (AV + Firewall) on it.
I'm pretty sure it's a browser virus, not an email-borne virus, and as far as I know it doesn't do much worse than to monkey with your IE favorites and IE start page, often filling them with porn site listings. There are a few components to it (my dad's infection had ten component files), which are easily deleted once you know which and where they are, and there's a registry key to clean up manually. Norton's virus encyclopedia should tell more, and point you at the MS patch file (an upgrade to the Java Virtual Machine) that'll close the hole that let the virus in in the first place.

(Browsing with IE is getting more and more annoying lately. If it's not viral issues, it's the @%^@!#! popups on every tenth site that offer to install Gator for you, some of which seem to start the install process without asking no matter what your IE Security settings are. I'm getting tired of running Ad-Aware to whac-a-mole Gator out of existence.)
#5 | |
in the Hour of Scampering
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
|
Quote:
Apparently this is an exploit based on security holes in IE, so you'd probably better get current on your IE patches soon, too.

How this works is: the old MS Java support accidentally gave Java applets the ability to create and manipulate ActiveX programs. The big advantage Java applets have over ActiveX is that what applets can do has always been carefully controlled, but MS dropped the ball and gave their version of Java all the security problems that ActiveX has. (That's one reason you don't hear a lot about ActiveX anymore). It's good to see MS getting burned themselves by exactly the chicanery which was the reason they lost their Java licence: insisting on putting Windows-only stuff in it in direct violation of the agreement they had with Sun.

The entry at Symantec says NAV is supposed to be able to clean this thing up...but if you don't close the hole in your IE you'll get reinfected if you go back to the site that nailed you in the first place.
__________________
"Neither can his Mind be thought to be in Tune, whose words do jarre; nor his reason In frame, whose sentence is preposterous..."
#6 |
Cleverly disguised as a responsible adult
Join Date: Jan 2001
Location: Dallas, TX
Posts: 3,338
|
Thing is:
I never use IE. I prefer Netscape Navigator. Always have.
The kid and visitors use IE because that's all they know. I'm happy with that only because I can set "adult" bookmarks without worrying that the kid will investigate them because he doesn't know what they are. Won't bother to read the name and wouldn't understand it if he did. He'll just click into an S&M support site or something like that and embarrass me. I'm thinking of putting personal profiles onto my computer so this can't happen but there's no guarantee on those. I've seen them fail before.

You're right, Maggie. I don't need to replace Temp Int Files but I deleted a directory, not a file. Sooner or later IE will want to put something there and there won't be there. What then? Will the directory simply be recreated or will an error occur?
Brian
__________________
Never be afraid to tell the world who you are. -- Anonymous
Last edited by BrianR; 06-24-2002 at 10:42 AM.