Closed Bug 288025 Opened 20 years ago Closed 20 years ago

Trojan Horse installed when page loads


(Firefox :: Security, defect)

Windows XP
Not set





(Reporter: lukenickerson, Assigned: dveditz)


User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Beyond.class trojan horse gets installed when the user simply loads the page.
Here's the info from Norton AntiVirus which luckily detected the trojan right
Infects: .EXE files
Likelihood: Rare
Length: 1234 bytes
Characteristics: Memory resistant, trigged event, size stealth, full stealth,
encrypting, polymorphic

Reproducible: Always

Steps to Reproduce:
Happens whenever you visit a particular bad website. I don't have a copy of the URL

Actual Results:  
Once i was able to see a dialog box appear for a split second as some file was
downloaded or installed somehow. The files does not show up in the Downloads
list. Luckily Norton Antivirus identifies this trojan before anything bad
happens. I'm not sure what kind of damage would be done if the trojan was not

Expected Results:  
Not downloaded/installed the trojan without some user input.
Do you have Java installed and enabled? If so, what version? (Check both by
entering about:plugins in the location bar). There are exploits going around for
older versions of Java. If yours is old go to to upgrade. If you
don't use Java you should disable it from the "Web Features" section of the
Options dialog.

If you DO use java MAKE SURE you have it set to check for updates. Java installs
a windows control panel icon that contains this option.

The only reference to Beyond.class searching Symantec's site is

That page appears to describe an older Microsoft-only java problem, but symantec
also uses trojan.byteverify to describe a more recent problem with Sun's JRE
1.4.2_05 and below; perhaps a variant of the older one was modified to load the
same attack code.

If you don't have an vulnerable version of Java or have it turned off did the
warning message say the infected file was in a path with the word "Cache" in it?
The cache is just temporary local storage of web content for processing. If
that's the only place the exploit was found then you merely encountered it on
the web, you were not infected. You will probably see occassional warnings for
IE-only exploits in the cache as well. Check the link Symantec gives you to see
if you are vulnerable, and if not take it as a warning that you should avoid
those spots on the web.

Rather than close this invalid (it's Sun's bug) I'll dupe this to the
counter-measures bug

*** This bug has been marked as a duplicate of 271559 ***
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.