Closed Bug 288025 Opened 19 years ago Closed 19 years ago

Trojan Horse installed when page loads

Categories: Firefox :: Security, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 271559

People: Reporter: lukenickerson, Assigned: dveditz

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Beyond.class trojan horse gets installed when the user simply loads the page.
Here's the info from Norton AntiVirus which luckily detected the trojan right
away...
Infects: .EXE files
Likelihood: Rare
Length: 1234 bytes
Characteristics: Memory resistant, trigged event, size stealth, full stealth,
encrypting, polymorphic

Reproducible: Always

Steps to Reproduce:
Happens whenever you visit a particular bad website. I don't have a copy of the URL

Actual Results:  
Once I was able to see a dialog box appear for a split second as some file was
downloaded or installed somehow. The file does not show up in the Downloads
list. Luckily Norton Antivirus identifies this trojan before anything bad
happens. I'm not sure what kind of damage would be done if the trojan was not
caught.

Expected Results:  
The trojan is not downloaded/installed without some user input.

Do you have Java installed and enabled? If so, what version? (Check both by
entering about:plugins in the location bar). There are exploits going around for
older versions of Java. If yours is old go to http://java.com to upgrade. If you
don't use Java you should disable it from the "Web Features" section of the
Options dialog.

If you DO use java MAKE SURE you have it set to check for updates. Java installs
a windows control panel icon that contains this option.

The only reference to Beyond.class searching Symantec's site is
http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

That page appears to describe an older Microsoft-only java problem, but symantec
also uses trojan.byteverify to describe a more recent problem with Sun's JRE
1.4.2_05 and below; perhaps a variant of the older one was modified to load the
same attack code.

If you don't have a vulnerable version of Java or have it turned off, did the
warning message say the infected file was in a path with the word "Cache" in it?
The cache is just temporary local storage of web content for processing. If
that's the only place the exploit was found then you merely encountered it on
the web; you were not infected. You will probably see occasional warnings for
IE-only exploits in the cache as well. Check the link Symantec gives you to see
if you are vulnerable, and if not take it as a warning that you should avoid
those spots on the web.

Rather than close this invalid (it's Sun's bug) I'll dupe this to the
counter-measures bug.
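A small triage helper illustrating the two checks in the comment above (an added example, not code from this bug, from Mozilla or from Symantec): it parses a Sun-style JRE version string and compares it against the 1.4.2_05 boundary the comment cites, and it flags antivirus hits whose path contains a "Cache" directory as content that was merely fetched into temporary storage rather than installed. The alert line format ("threat: path"), the sample Windows paths and the helper names are all constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Fact taken from the comment: Symantec ties Trojan.ByteVerify to Sun JRE 1.4.2_05
# and below, so anything at or under this tuple is treated as exposed.
LAST_VULNERABLE_JRE = (1, 4, 2, 5)

# Sun JRE versions look like "1.4.2_05" (update number optional, e.g. "1.5.0").
_JRE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Constructed alert format for this example: "<threat name>: <path>".
_ALERT_RE = re.compile(r"^([^:]+):\s*(.+)$")


def parse_jre_version(version: str) -> tuple:
    """Turn a Sun-style JRE version string into a tuple that compares numerically."""
    m = _JRE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {version!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def jre_is_vulnerable(version: str) -> bool:
    """True when the JRE is 1.4.2_05 or older, the range the comment names."""
    return parse_jre_version(version) <= LAST_VULNERABLE_JRE


class Verdict(NamedTuple):
    threat: str
    path: str
    cache_only: bool  # hit lives under a browser or Java cache directory


def path_is_in_cache(path: str) -> bool:
    """The heuristic from the comment: a path component containing 'Cache'
    means the file sat in temporary web storage, not in an install location."""
    components = re.split(r"[\\/]+", path)
    return any("cache" in c.lower() for c in components)


def classify_alert(line: str) -> Verdict:
    """Parse one constructed alert line and decide whether it is cache-only."""
    m = _ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    threat, path = m.group(1).strip(), m.group(2).strip()
    return Verdict(threat, path, path_is_in_cache(path))


def triage(alerts: List[str], jre_version: Optional[str] = None) -> dict:
    """Summarise a batch of alerts: were all hits cache-only, and is the JRE old?"""
    verdicts = [classify_alert(a) for a in alerts]
    outside_cache = [v for v in verdicts if not v.cache_only]
    return {
        "verdicts": verdicts,
        # True only when every hit was in a cache, i.e. "encountered, not infected".
        "encountered_only": not outside_cache,
        "jre_vulnerable": jre_is_vulnerable(jre_version) if jre_version else None,
    }


# Constructed sample alerts: a Firefox disk-cache entry, a Java plug-in cache jar,
# and a file outside any cache that would need a real look.
SAMPLE_ALERTS = [
    r"Trojan.ByteVerify: C:\Documents and Settings\user\Local Settings"
    r"\Application Data\Mozilla\Firefox\Profiles\abc.default\Cache\8A2F1C3Dd01",
    r"Trojan.ByteVerify: C:\Documents and Settings\user\Application Data"
    r"\Sun\Java\Deployment\cache\javapi\v1.0\jar\Beyond.jar",
    r"Trojan.ByteVerify: C:\WINDOWS\system32\svchost32.exe",
]

if __name__ == "__main__":
    report = triage(SAMPLE_ALERTS, "1.4.2_05")
    for v in report["verdicts"]:
        print(("cache only  " if v.cache_only else "INVESTIGATE ") + v.path)
    print("all hits cache-only:", report["encountered_only"])
    print("JRE in vulnerable range:", report["jre_vulnerable"])
```

Run stand-alone it prints a verdict per sample alert; the third path, outside any cache, is the one that would actually need investigation, and a JRE at or below 1.4.2_05 is reported as within the range the comment describes.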

*** This bug has been marked as a duplicate of 271559 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE