is byte.verify a virus or not



The past few days my Symantec AV has been sending me virus messages about a trojan called byte.verify. I have also scanned with Trend Micro HouseCall and the same thing comes up. Is this a real virus? I have done research on it online and some people say that it is just a false virus alert. I was wondering if anyone has had a problem with this before or not, and how you fixed it if you did. This trojan, or whatever it is, has to do with Sun's Java environment. So after removing the bad files numerous times and not having luck, I just uninstalled Java and deleted the directory where the virus was. Did I do the right thing, or do you think it is hiding somewhere else too?

Thanks,

Josh


http://securityresponse.symantec.com/avcen...byteverify.html

Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system.

Also Known As: Exploit-ByteVerify [McAfee], Exploit.Java.Bytverify [KAV], JAVA_BYTVERIFY.A [Trend]

Type: Trojan Horse

Infection Length: various

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Trojan.ByteVerify is executed, it performs the following actions:

1. Escapes the sandbox restrictions, using Blackbox.class, by doing the following:

a. Declares a new PermissionDataSet with setFullyTrusted set to TRUE.

b. Creates a trusted PermissionSet.

c. Sets permission to PermissionSet by creating its own URLClassLoader class, derived from the VerifierBug.class.

2. Loads Beyond.class using the URLClassLoader from Blackbox.class.

3. Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.

4. Opens the Web page, http://www.clavus.net/lst.backs, and parses the text that this site displays.

For example, SP|www.ewebsearch.net/sp.htm means that the Internet Explorer Start Page will be set up to www.ewebsearch.net/sp.htm

5. Several pornographic links are added into the favorites.

6. May attempt to retrieve dialer programs and install them on the infected computer. The dialer programs may attempt to connect the infected computer to pornographic Web sites.

Notes:

* Trojan.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code. The file will likely exist as VerifierBug.Class. For example, an attacker could create a .html file that uses the Trojan, and then create a script file that will perform other actions, such as setting the Internet Explorer Start Page.

* Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

So if you are patched up to date and you run antivirus you have nothing to worry about. A website that you are visiting (probably porn or warez) is probably dropping the file in hopes of infecting you...
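For the "is it hiding somewhere else" question, an added example (not part of the original posts or of Symantec's write-up): a scan of a directory tree for the three class names the write-up lists, both as loose files and inside cached applet archives. The function names and the sample tree are constructed for illustration; point `scan_tree` at whatever folder the AV alert reported. It matches on file name only, so a hit shows where a detection comes from rather than proving the code ran, and a renamed file would be missed.

```python
import os
import tempfile
import zipfile

# Class file names listed in the Symantec write-up quoted above.
SUSPECT_CLASSES = {"verifierbug.class", "blackbox.class", "beyond.class"}


def scan_tree(root):
    """Return sorted (container, entry) pairs whose file name is a suspect class.

    container is the path on disk; entry is the member name inside an archive,
    or None when the class file sits loose on disk.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SUSPECT_CLASSES:
                hits.append((path, None))
                continue
            # Cached applet archives do not always end in .jar, so test the content.
            try:
                if not zipfile.is_zipfile(path):
                    continue
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if member.rsplit("/", 1)[-1].lower() in SUSPECT_CLASSES:
                            hits.append((path, member))
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or truncated archive: skip it, keep scanning
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


def build_sample(root):
    """Constructed sample tree; the 'class' files hold placeholder bytes only."""
    with zipfile.ZipFile(os.path.join(root, "jar_cache_0001.tmp"), "w") as zf:
        zf.writestr("VerifierBug.class", b"placeholder")
        zf.writestr("com/example/Blackbox.class", b"placeholder")
    with zipfile.ZipFile(os.path.join(root, "benign.jar"), "w") as zf:
        zf.writestr("Hello.class", b"placeholder")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not an archive")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for container, entry in scan_tree(tmp):
            print(container, "->", entry or "(loose file)")
```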
