Closed Bug 288025 Opened 20 years ago Closed 20 years ago

Trojan Horse installed when page loads

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 271559

People

(Reporter: lukenickerson, Assigned: dveditz)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Beyond.class trojan horse gets installed when the user simply loads the page. Here's the info from Norton AntiVirus, which luckily detected the trojan right away...

Infects: .EXE files
Likelihood: Rare
Length: 1234 bytes
Characteristics: Memory resistant, trigged event, size stealth, full stealth, encrypting, polymorphic

Reproducible: Always

Steps to Reproduce:
Happens whenever you visit a particular bad website. I don't have a copy of the URL.

Actual Results:
Once I was able to see a dialog box appear for a split second as some file was downloaded or installed somehow. The file does not show up in the Downloads list. Luckily Norton AntiVirus identifies this trojan before anything bad happens. I'm not sure what kind of damage would be done if the trojan was not caught.

Expected Results:
Not downloaded/installed the trojan without some user input.

Do you have Java installed and enabled? If so, what version? (Check both by entering about:plugins in the location bar.) There are exploits going around for older versions of Java. If yours is old, go to http://java.com to upgrade. If you don't use Java you should disable it from the "Web Features" section of the Options dialog. If you DO use Java, MAKE SURE you have it set to check for updates. Java installs a Windows control panel icon that contains this option.

The only reference to Beyond.class searching Symantec's site is http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

That page appears to describe an older Microsoft-only Java problem, but Symantec also uses trojan.byteverify to describe a more recent problem with Sun's JRE 1.4.2_05 and below; perhaps a variant of the older one was modified to load the same attack code.

If you don't have a vulnerable version of Java or have it turned off, did the warning message say the infected file was in a path with the word "Cache" in it? The cache is just temporary local storage of web content for processing. If that's the only place the exploit was found then you merely encountered it on the web; you were not infected. You will probably see occasional warnings for IE-only exploits in the cache as well. Check the link Symantec gives you to see if you are vulnerable, and if not, take it as a warning that you should avoid those spots on the web.

Rather than close this invalid (it's Sun's bug) I'll dupe this to the counter-measures bug.

*** This bug has been marked as a duplicate of 271559 ***

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
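
The triage reasoning in the comment above (is the JRE at or below 1.4.2_05, and was the detection only in a path containing "Cache"), as an added example that is not part of the original bug or of any Mozilla or Sun code. The function names, verdict strings and sample paths are constructed for illustration, and the version parser assumes plain Sun-style strings such as `1.4.2_05`.

```python
import re

# Threshold taken from the comment above: Sun JRE 1.4.2_05 and below.
LAST_VULNERABLE = (1, 4, 2, 5)

# Constructed sample detection paths (not from the bug report).
SAMPLE_CACHE = r"C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\constructed-sample.jar"
SAMPLE_OTHER = r"C:\WINDOWS\system32\constructed-sample.exe"

def parse_jre_version(text):
    """Turn a Sun-style version string such as '1.4.2_05' into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version: {text!r}")
    # A missing update suffix ('1.4.2') counts as update 0.
    return tuple(int(g) if g else 0 for g in m.groups())

def jre_is_vulnerable(text):
    """True if the version is at or below the threshold named in the comment."""
    return parse_jre_version(text) <= LAST_VULNERABLE

def in_cache(path):
    """True if a directory component (not the file name) contains 'cache'."""
    parts = re.split(r"[\\/]+", path)
    return any("cache" in p.lower() for p in parts[:-1])

def triage(detections, jre_version, java_enabled=True):
    """Classify AV detection paths following the comment's reasoning."""
    outside = [p for p in detections if not in_cache(p)]
    exposed = java_enabled and jre_is_vulnerable(jre_version)
    if outside:
        verdict = "investigate: detection outside cache"
    elif exposed:
        verdict = "upgrade Java: cached exploit and vulnerable JRE"
    else:
        verdict = "encountered only: cached copy, JRE not exposed"
    return verdict, outside

if __name__ == "__main__":
    print(triage([SAMPLE_CACHE], "1.4.2_04"))
    print(triage([SAMPLE_CACHE, SAMPLE_OTHER], "1.5.0"))
```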