Bytverify.F Trojan: I am infected
Big Booger
February 27th, 2005, 15:29 PM
I have tried and tried repeatedly to get rid of this.. I have disabled system restore. Run NOD32 repeatedly on deep scan.. Manually deleted the files.. scanned system came out clean...
Couple days later it comes back.. I have run the recommended updates MS recommends:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
I've checked this site:
http://answers.google.com/answers/threadview?id=452561
I may stop using NOD32 and make the switch to Avast as I know conan and Fastgame recommend it.. :D
lynchknot
February 27th, 2005, 15:43 PM
Have you tried any of the online scans or offline boot scans?
Big Booger
February 27th, 2005, 15:48 PM
Well, I just updated my java version. I am running NOD32 again.. and will try trend micro online in the morning
lynchknot
February 27th, 2005, 15:54 PM
I'm wondering if NOD32 has been "modified" - unless you are using Process Guard which will prevent writing to any app.
rik
February 27th, 2005, 16:32 PM
I use both Nod32 and Avast together...paranoid I am.
egghead
February 27th, 2005, 17:24 PM
lots of websites with nod32 and byteverify.f in them.
It seems you're not alone BB
It uses a java exploit so you might want to go to www.java.com and get the latest sun java 1.5
Tell us more info
firefox?
You are getting the trojan from an infected website or an advertiser has intentionally been using it.
this is not a mainstream trojan yet and you will find this in the dark side of internet where web operators will blast you with popups that seem to go on forever.
try trojan hunter 4.2
free for 30 days. should block it from coming in.
www.trojanhunter.com
Curio
February 27th, 2005, 17:50 PM
Uninstall the microsoft JVM - that is what contains the weakness - and use the proper Sun Java Runtime (latest version) from Sun Microsystems. If you need a way of losing MS JVM let me know and I will enlighten you.
lynchknot
February 27th, 2005, 18:16 PM
I got a virus via Java 1.5 beta: http://www.wilderssecurity.com/showthread.php?t=58274&highlight=java
egghead
February 27th, 2005, 19:48 PM
nice and thorough investigation lynch.
I guess I need to get some antivirus. Paris Hilton camera phone websites could easily use that to lure you and get you infected.
Conan
February 27th, 2005, 20:56 PM
Uninstall the microsoft JVM - that is what contains the weakness - and use the proper Sun Java Runtime (latest version) from Sun Microsystems. If you need a way of losing MS JVM let me know and I will enlighten you.
Nope it's not Microsoft's Java that's the culprit. Sun Java is the one that's vulnerable to this one. I get that occasionally. I get a warning from Avast when surfing questionable sites. You have to do a manual scan after you receive the warning. I just scan the "Documents and Settings" folder and then Avast removes it.
Curio
February 27th, 2005, 21:39 PM
MS JVM has always had ByteVerify vulnerabilities. From Microsoft website -
All builds of the Microsoft VM up to and including build 5.0.3809 are affected by these vulnerabilities
As far as your AV goes it does not matter which program you are using - if you download the linked class in the page it will detect the file as infected.
post2
Should also read All future builds of the Microsoft VM are also likely to be vulnerable
post3
Why do you think BB (using MS JVM) is infected while you (using Sun) are not? On your system the code doesn't execute.
post4
Four posts in a row - is that a record?
post5
Not now - woohoo!
lynchknot
February 28th, 2005, 00:19 AM
post 11
huh?
nice and thorough investigation lynch - hehe, I had no choice when it killed all my startups (all but one) - just glad that's all it did. **edit - wait, you mean THE "investigation" - into the "underbelly" of the web - lol
egghead
February 28th, 2005, 01:15 AM
all your investigations into the underbelly of the web are belong to us ;)
Big Booger
February 28th, 2005, 09:21 AM
Uninstall the microsoft JVM - that is what contains the weakness - and use the proper Sun Java Runtime (latest version) from Sun Microsystems. If you need a way of losing MS JVM let me know and I will enlighten you.
I was using SUN's JAVA version 1.4.2 I just updated to version 1.5.. I have never installed MS's JVM... ;)
And I tried to remove it just in case I might have installed it via the windows update:
A. You might want to remove the Microsoft JVM, which Microsoft no longer supports, in favor of the more recent Sun Microsystems JVM. To remove the Microsoft JVM, perform the following steps:
1. From the Start menu, select Run.
2. Enter the command
RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Well I got an error when I ran that...
I dunno why I keep getting this stupid trojan.. I have patched everything from windows update.. run NOD32 constantly. I use firefox exclusively.. apart from my wife's occasional jaunt to her weblog with IE... and my Windows update with IE...
I keep NOD32 updated constantly... I might just have to make a switch to a new AV... one that does a better job at catching them as they are downloaded...
I might have to break out process guard and try a new AV.. one that can detect and remove it as I view the webpages that load it on my PC.
rik
February 28th, 2005, 13:25 PM
At home I run Avast and NOD32 together. I also have Spyware Blaster and Spyware Guard running actively in the background, Ad-Aware for cleaning, and just last night I installed the MS Anti-Spyware app, more just to see it than anything else, and my system stays fairly clean. Aside from the occasional accidental "odd" link that I may click on that jumps to the dark side, I have had no problems.
I realize that I'm somewhat paranoid but it works...
FastGame
February 28th, 2005, 13:48 PM
Aside from the occasional accidental "odd" link that I may click on that jumps to the dark side, I have had no problems.
I don't accidentally click on any "odd" links, I do it with good intention :p
I use Avast!, a2 (beta) trojan scanner and SpyBot S&D and my system stays clean. I get lots of ByteVerify but Avast! eats them up. I also have a Kaspersky based scanner that uses the KAV extended definitions for backup, it's never found anything.
My ISP scans all the mail, between my ISP & Avast! very little chance something gets through. I'm on dial-up so I can't download lots of things, when I do download it goes to a folder and gets scanned by Avast!, a2 and the KAV scanner.
IMO spyware is the biggest threat, it's never ending! The AV companies should provide definitions for all the known spyware, trojans, worms so we don't need so many different apps.
Avast! WebShield is a big step in preventing browser infections.
Curio
February 28th, 2005, 21:31 PM
Any ideas which site/s might be installing the trojan, I want to go there.
Curio
February 28th, 2005, 21:58 PM
BB your first reference in your first post is to the MS JVM update. The patch is an updated MS JVM, run 'jview' at a command prompt - if you get anything then you still have MS JVM installed.
Big Booger
March 1st, 2005, 07:27 AM
BB your first reference in your first post is to the MS JVM update. The patch is an updated MS JVM, run 'jview' at a command prompt - if you get anything then you still have MS JVM installed.
Didn't get a thing when I ran jview... so I am sure it was not installed. The first reference I posted was posted in fact after I did a google search concerning this virus.. I know I don't have MS JVM installed so now I am wondering how this virus that is known to be infecting MS JVM.. infects my PC, without me having JVM installed.. I think Conan was right in the fact that this virus can infect more than simply the MS JVM client.. it might be in fact just java itself that is the issue..
I too would love to know what site(s) cause this problem. For now I am getting AVAST, and trying that.
lynchknot
March 1st, 2005, 17:54 PM
Sure sounds like that classloader trojan that was delivered through Java (up to Java 1.5 beta) on my machine. The only thing I could do is go to an online scanner and remove it - then system restore back a few days. That solved my problem.
Avast had four updates today: avast 4th update today,
VPS 0509-3, 01.03.2005
Win32:Mytob-D [Wrm]
cash_site
March 1st, 2005, 23:29 PM
How do you tell if you have this class loader trojan?? I do a virus scan and it comes clean... but what are the symptoms to look for? Some of my pcs have M$ java, and some have JRE??
Big Booger
March 2nd, 2005, 10:59 AM
How do you tell if you have this class loader trojan?? I do a virus scan and it comes clean... but what are the symptoms to look for? Some of my pcs have M$ java, and some have JRE??
Damage
* Payload:
o Compromises security settings: Allows unauthorized execution of arbitrary commands.
When Trojan.ByteVerify is executed, it performs the following actions:
1. Escapes the sandbox restrictions, using Blackbox.class, by doing the following:
1. Declares a new PermissionDataSet with setFullyTrusted set to TRUE.
2. Creates a trusted PermissionSet.
3. Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.
2. Loads Beyond.class using the URLClassLoader from Blackbox.class.
3. Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.
4. Opens the Web page, http://www.clavus.net/lst.backs, and parses the text that this site displays.
For example, SP|www.ewebsearch.net/sp.htm means that the Internet Explorer Start Page will be set up to www.ewebsearch.net/sp.htm
5. Several pornographic links are added into the favorites.
6. May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.
Taken from the symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
cash_site
March 3rd, 2005, 01:15 AM
so can you just do a file search for "fileName".class
Big Booger
March 3rd, 2005, 06:29 AM
I don't think so because some .class files are needed.. I used NOD32 and searched and it came up in the temp folder as being infected.
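A defender-side answer to cash_site's question, as an added example that is not from the thread, Symantec or any of the products named: instead of searching by file name, parse each .class file's constant pool and flag the class names and privileged API names the Symantec description quoted above (Blackbox, VerifierBug, Beyond, PermissionDataSet, setFullyTrusted, PolicyEngine, assertPermission). The suspect-string list and the constructed sample class are assumptions for illustration; a hit is a reason to quarantine the file and run a full scan, not proof of infection on its own.

```python
import struct
from pathlib import Path

# Assumed heuristic: names taken from the Symantec write-up quoted in this thread.
SUSPECT_STRINGS = (
    "VerifierBug", "Blackbox", "Beyond",
    "PermissionDataSet", "setFullyTrusted", "PolicyEngine", "assertPermission",
)
# Constant-pool tag -> fixed payload size in bytes (tag 1 = UTF8 is variable length).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4}

def utf8_constants(data: bytes):
    """Yield every CONSTANT_Utf8 string from a Java class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        return  # not a class file at all
    count = struct.unpack(">H", data[8:10])[0]  # cp_count follows magic+minor+major
    pos, idx = 10, 1                             # constant-pool indices start at 1
    while idx < count and pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 1:  # UTF8: u2 length, then the bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            yield data[pos:pos + length].decode("utf-8", errors="replace")
            pos += length
        elif tag in FIXED_SIZE:
            pos += FIXED_SIZE[tag]
            if tag in (5, 6):
                idx += 1  # long/double occupy two constant-pool slots
        else:
            return  # unknown tag (newer class format or corrupt file): stop parsing
        idx += 1

def suspicious_strings(data: bytes):
    """Return the suspect strings present in one class file's constant pool."""
    found = {needle for s in utf8_constants(data) for needle in SUSPECT_STRINGS if needle in s}
    return sorted(found)

def scan_directory(root):
    """Map every flagged .class file under root (e.g. a browser temp folder) to its hits."""
    hits = {}
    for path in Path(root).rglob("*.class"):
        found = suspicious_strings(path.read_bytes())
        if found:
            hits[str(path)] = found
    return hits

def build_class(strings):
    """Constructed sample input: a minimal class-file header plus a UTF8-only constant pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 46, len(strings) + 1) + pool
```

Run `scan_directory` against the temp folder NOD32 flagged; a legitimate applet's classes carry none of these names, which is why a plain file-name search is not enough.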
Curio
March 3rd, 2005, 19:32 PM
OK - anyone can and will d/l the class file which in turn will be detected by your antivirus if you are using something decent. It is irrelevant which java you are using - so far. What is interesting is that you don't have MSJVM yet it obviously ran on your system, all the references claim it is a MSJVM vulnerability. I have certainly been to plenty of these dodgy sites on the web (research purposes, ehem!) but I have never had a problem and I am on SUN java + Firefox most of the time with Blackice and a hardware firewall. By the way I just got a Watchguard Firebox SOHO and it is quite lovely. Obviously the HW firewall is of no interest in this scenario but maybe Blackice does filter out that stuff - it is after all the best and longest established Host IDS come firewall. I would also like to say that the new version of avast is brilliant and if it wasn't for the fact that I have just got GDATA Anti-Virus Kit 2005 I would be using it everywhere. AVK is lovely too but costs £24, cheap considering it has the BitDefender engine AND the Kaspersky engine, both AVK and Avast are way ahead of Norton and McAfee.
Conan
March 4th, 2005, 12:25 PM
I use MS Java with IE and Sun Java 1.5 with Firefox. I've never gotten infected with this trojan/virus using IE, only Firefox.
Curio
March 4th, 2005, 17:11 PM
Conan - where at?
Conan
March 4th, 2005, 22:51 PM
Conan - where at?
Can't really remember the exact URL. It's from some random porn site when this usually happens.
FastGame
March 4th, 2005, 23:08 PM
Can't really remember the exact URL. It's from some random porn site when this usually happens.
That's the only time I've ever seen JS Bytverify.F Trojan.
cash_site
March 7th, 2005, 22:12 PM
Can't really remember the exact URL. It's from some random porn site when this usually happens.
Don't lie... it was at martha stewart cooking site :p