Re: Javasys.exe: More of the same or new?
From: Imhotep (Imhotep_at_nospam.net)
Date: 09/05/05
- Next message: Imhotep: "Re: Javasys.exe: More of the same or new?"
- Previous message: Imhotep: "Re: Hidden-code flaw in Windows renews worries over stealthly malware"
- In reply to: MaxPower: "Javasys.exe: More of the same or new?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 05 Sep 2005 01:32:13 -0400
MaxPower wrote:
>
> After visiting a website I found an executable named
> \WINNT\Java\Javasys.exe running on my system.
>
> Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
> to access the Internet.
>
> Just to see what would happen, I allowed it to access the Internet and
> it downloaded another executable, which triggered a Zone Alarm security
> alert:
>
> "nnnm32 is trying to set 'antivirus' to run each time your computer is
> started".
>
> Actually the name of nnnm32.exe may vary: in a few tries I saw it named
> comm.exe, ping.exe and so on.
>
> Allowed to access the Internet, nnnm32.exe downloaded a third
> executable (timer.exe) which in turn tried to access the Internet.
>
> From this point on, seemingly no further change occurred in My Processes
> list within Task Manager.
>
> I then did a scan for spyware with the latest versions of all the
> following:
>
> ZoneAlarm 6 Pro
> Ad-Aware 1.06r1 Personal (free)
> SpyBot S&D 1.4
> SpySweeper 4.04
> Spyware Doctor 3.2.1.
> AntiVIR Personal 6.31 (free)
>
> but none of them found any threat (!)
>
> A couple of weeks later, after downloading an updated virus definition
> file, I scanned the system again with AntiVIR and this time it found in
> timer.exe a backdoor named BDS/Webdor.AD.1
>
>
> My configuration:
>
> - Windows 2000 Professional SP4, IE6 Security set to "medium";
> - ZoneAlarm Pro 6;
> - AntiVIR Personal Edition 6.31 (free);
> - SpyBot S&D 1.4 w/ Teatimer (resident antispyware).
>
>
> For those interested, the URL spreading this malware is the following:
>
> ***********************************************************
> DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
> http://198.88.20.158/gal/403/index.html
> ***********************************************************
>
> My question is: How can I prevent any executable from installing in such an
> insidious way?
>
> With IE6 Security set to "High" this malware could not install, but of
> course I would like to keep IE6 Security set to "Medium", otherwise
> navigation is most unpractical.
>
> Thank you in advance for any advice.
I went to this site (I use linux/FreeBSD and have java off). Here is some
info for you:
The IP address range is owned by Verio. You might want to contact them about
this server:
OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net
After looking at speedslim's records it appears that this is a spoofing
site...
Imhotep
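The ZoneAlarm alert MaxPower quotes ("set 'antivirus' to run each time your computer is started") is a Run-key persistence attempt, and the dropped binaries borrow names like ping.exe and live under \WINNT\Java. The following is an added example, not code from the thread, that audits `reg query` output for the Run key with the three checks that would have caught that chain: a value name that imitates a security product, a target outside system32/Program Files, and a system-tool filename living outside system32. The sample registry output, the trusted-root list and the name lists are assumptions I constructed for the demo; only \WINNT\Java\Javasys.exe and the 'antivirus' value name come from the post.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; apart from \WINNT\Java\Javasys.exe and the value name 'antivirus' the
# entries are made up for the demo, not taken from an infected machine.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ZoneAlarm    REG_SZ    "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
    antivirus    REG_SZ    C:\WINNT\nnnm32.exe
    JavaSys    REG_SZ    C:\WINNT\Java\Javasys.exe
    ping    REG_SZ    C:\Documents and Settings\user\ping.exe -q
"""

# Assumed policy: autorun binaries are expected under one of these roots only.
TRUSTED_ROOTS = (r"c:\winnt\system32", r"c:\windows\system32", r"c:\program files")
SYSTEM32_ROOTS = TRUSTED_ROOTS[:2]
# Value names that sound like a security product (assumed list; 'antivirus' is from the post).
SECURITY_SOUNDING = {"antivirus", "antispyware", "firewall", "security"}
# Real system tools that always live in system32; a copy elsewhere is a masquerade.
SYSTEM_TOOL_NAMES = {"ping.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}


def flag_entry(name: str, data: str) -> List[str]:
    """Return the reasons one Run-key value looks suspicious (empty list = nothing noted)."""
    # Handles both "quoted path" args and unquoted paths that contain spaces.
    m = re.match(r'^"?([^"]+?\.exe)"?', data, re.IGNORECASE)
    if not m:
        return ["target is not a parseable .exe path; review manually"]
    path = m.group(1)
    folded = path.lower()
    base = folded.rsplit("\\", 1)[-1]
    reasons = []
    if name.lower() in SECURITY_SOUNDING:
        reasons.append(f"value name {name!r} imitates a security product")
    if not folded.startswith(TRUSTED_ROOTS):
        reasons.append(f"target {path} runs from outside system32/Program Files")
    if base in SYSTEM_TOOL_NAMES and not folded.startswith(SYSTEM32_ROOTS):
        reasons.append(f"{base} is a system tool name but is not in system32")
    return reasons


def audit_run_keys(reg_output: str) -> Dict[str, List[str]]:
    """Parse `reg query` lines ('    name    REG_SZ    data') and map flagged names to reasons."""
    findings: Dict[str, List[str]] = {}
    for line in reg_output.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$", line)
        if not m:
            continue  # key header, blank line, or something that is not a value
        name, _reg_type, data = m.groups()
        reasons = flag_entry(name, data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in audit_run_keys(SAMPLE_REG_QUERY).items():
        print(value_name, "->", "; ".join(why))
```

On a real Windows 2000/XP box the same text comes from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM twin), so the parser can be fed a saved dump from the suspect machine.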