
Virus Detail

Java.Shinwow Family

Date Published:
4 Sep 2003

Last Updated:
22 May 2006

Threat Assessment

Overall Risk:   Medium
Wild:  Medium
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Java

Also known as: Java/Beyond.Trojan, Exploit-ByteVerify (McAfee), Java/ByteVerify.Exploit.Trojan, Win32.Dltoon


Description

This is a growing family of trojans that exploits the ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to execute unauthorized code on an affected machine. For more information on this vulnerability, and to download the necessary patches, please visit Microsoft at: http://www.microsoft.com/technet/security/bulletin/MS03-011.asp


Method of Infection

These trojans are usually executed when a vulnerable user visits a web page that contains the exploit. Variants of this trojan seen in the wild have been functionally diverse; the common factor amongst them has been the use of the ByteVerify exploit to achieve their goals.


Please note: Java/ByteVerify!exploit is not a virus, but rather a method to exploit a security vulnerability in the Microsoft Virtual Machine. This vulnerability arises because the ByteCode verifier in the Microsoft Virtual Machine does not correctly check for the presence of certain malformed code when a Java applet is loaded. Attackers could exploit this vulnerability by creating malicious Java applets and inserting them into web pages. These web pages could be hosted on a site by a malicious web master, or could be sent to users as an attachment. To read more about this issue, and to download the necessary patches, please visit:

http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx


Note: this detection may be triggered by merely visiting a web page that contains malicious code. It does not necessarily mean your machine has been compromised, nor that your machine is vulnerable to this particular exploit.



Payload

Downloads and Executes Arbitrary Files

Many variants in this family contact a remote site from which they download arbitrary file(s), and then execute them. This method may be used to extend the functionality of the trojan or install additional malware.


Modifies Internet Explorer Settings

Some variants may do little more than change the user's default Internet Explorer home page and/or Search page via modifications to the registry, similar to other trojans, such as Win32/Startpage. They may also add links to the Favourites folder.


Modifies Hosts File

The Hosts file contains the mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems the hosts file is located at %Windows%\hosts.


Certain Shinwow variants modify the contents of the hosts file, sometimes with a list that may be obtained from a remote site.
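Because a modified hosts file silently overrides DNS, a quick way for an administrator to check a machine is to parse the file and list every name that is mapped somewhere other than loopback. The script below is an added example and not part of the CA advisory: it implements the hosts-file format as described above (whitespace-separated fields, `#` comments, several names per line), treats loopback and 0.0.0.0 targets as blocking rather than redirection, and lets the caller pass a baseline of expected entries. The sample hosts text, the hostnames and the 192.0.2.10 address are constructed for illustration; the default path assumes %System% is C:\WINDOWS\system32.

```python
"""Audit a Windows hosts file for entries that redirect hostnames.

Added example (not part of the CA advisory). Parses the hosts-file format
and reports mappings that are neither loopback/unspecified entries nor in a
caller-supplied baseline. The sample input below is constructed.
"""
import ipaddress
from pathlib import Path

# Default location on XP/2000/NT; assumes %System% is C:\WINDOWS\system32.
DEFAULT_HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# Constructed sample: a legitimate localhost line plus entries typical of a
# tampered hosts file (names redirected to a non-loopback address, one blocked).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.example-search.test   # constructed redirect
192.0.2.10      update.example-av.test
0.0.0.0         ads.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping in hosts-file text.

    Comments start with '#'; fields are whitespace separated; one address
    may be followed by several hostnames on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname; nothing to map
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address; skip rather than guess
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text, baseline=frozenset()):
    """Return (redirects, blocks) found in hosts-file text.

    baseline: set of (ip, hostname) pairs the administrator expects.
    redirects: names mapped to a routable address (possible hijack).
    blocks:    names mapped to loopback/0.0.0.0 other than localhost itself.
    """
    redirects, blocks = [], []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in baseline:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            if name != "localhost":
                blocks.append((line_no, ip, name))
        else:
            redirects.append((line_no, ip, name))
    return redirects, blocks


def audit_file(path=DEFAULT_HOSTS_PATH, baseline=frozenset()):
    """Audit a hosts file on disk; returns the same (redirects, blocks) pair."""
    return suspicious_entries(Path(path).read_text(errors="replace"), baseline)


if __name__ == "__main__":
    redirects, blocks = suspicious_entries(SAMPLE_HOSTS)
    for line_no, ip, name in redirects:
        print(f"line {line_no}: {name} redirected to {ip}")
    for line_no, ip, name in blocks:
        print(f"line {line_no}: {name} blocked via {ip}")
```

Run against a real machine with `audit_file()` (or `audit_file(r"C:\WINDOWS\hosts")` on 9x-era layouts); redirects of update or security-vendor hostnames to a single routable address are the pattern worth escalating, while loopback entries are more often deliberate ad blocking.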


Backdoor Functionality

Some variants may download instructions for further actions from a specified site or may have limited backdoor functionality.


Analysis by Ray Roberts



Recommendations

Removal Instructions
Virus found in the Java™ Runtime Environment, Standard Edition (JRE) cache directory

Malicious applets may be detected in the JRE cache directory by your CA antivirus solution. The default installation path for this directory can be seen below:


C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\


These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (for more information on this vulnerability, please see Microsoft Security Bulletin MS03-011).


For more information on these malicious applets and their use, please visit the Sun Microsystems Java Technology Help Knowledgebase here: http://java.com/en/download/help/cache_virus.jsp



Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:


1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory


