Author Topic: Java:Jade-B [Heur] What is this?  (Read 28167 times)


phzombie

  • Guest
Java:Jade-B [Heur] What is this?
« on: December 19, 2010, 12:16:49 AM »
I ran an Avast! full-system scan tonight and no threat was found. However, I ran a boot-time scan right after that and Avast! picked up a virus called Java:Jade-B [Heur]. I wasn't sure what to do so I moved it to the Virus Chest... However, I'm not sure what action to take now. I've never heard of the virus and didn't find anything when I Googled it. Furthermore, I'm not sure how I got the virus or why it was only detected with the Boot-time scan. Help?
« Last Edit: December 19, 2010, 02:36:39 AM by phzombie »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not an avast user
Re: Java:Jade-B [Heur] What is this?
« Reply #1 on: December 19, 2010, 12:40:07 AM »
Looks as if detection for that bug was released today... It is also a heuristic detection, so there is a bigger chance of it being an FP,
so you should test the file at VirusTotal and post the result.

Where was it found c:\......\......  ?




Quote
18.12.2010 - 101218-0

Java:Jade-A [Heur], Java:Jade-B [Heur], Java:Jade-C [Heur], VBS:Agent-HY [Trj], Win32:Agent-AMNK [Trj], Win32:Alureon-MW [Rtk], Win32:Alureon-MX [Rtk], Win32:Alureon-MY [Rtk], Win32:BackDoor-VD [Trj], Win32:Backmon [Rtk], Win32:BadJoke-Q [Joke], Win32:Bancos-BNR [Spy], Win32:Bancos-BNS [Spy], Win32:Banker-HCG [Spy], Win32:Banker-HCH [Trj], Win32:Bifrose-EUQ [Trj], Win32:Crypt-IFA [Drp], Win32:Crypt-IFB [Drp], Win32:Crypt-IFC [Drp], Win32:Crypt-IFD [Drp], Win32:Cutwail-AP [Rtk], Win32:Delf-NZH [Trj], Win32:Dipwit [Trj], Win32:Dipwit-B [Trj], Win32:Dipwit-C [Trj], Win32:Dipwit-D [Trj], Win32:Dipwit-E [Trj], Win32:Dipwit-F [Trj], Win32:Downloader-FAZ [Trj], Win32:Downloader-FBA [Trj], Win32:Downloader-FBB [Trj], Win32:Downloader-FBC [Trj], Win32:Dropper-EOH [Trj], Win32:Dropper-EOI [Trj], Win32:Dropper-EOJ [Trj], Win32:FakeSysdef-F [Trj], Win32:FraudTool-RZ [Trj], Win32:FraudTool-SA [Trj], Win32:Hiloti-W [Trj], Win32:Hiloti-X [Trj], Win32:Injector-YU [Trj], Win32:KeyLogger-ARQ [Spy], Win32:OnLineGames-FVP [Cryp], Win32:Patched-TI [Trj], Win32:Qbot [Trj], Win32:Ransom-CH [Trj], Win32:Rbot-GQH [Wrm], Win32:Regrun-DQ [Trj], Win32:Renos-RN [Trj], Win32:VB-QOZ [Trj], Win32:VB-QPA [Trj]
« Last Edit: December 19, 2010, 12:46:30 AM by Pondus »

iRonzel

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #2 on: December 19, 2010, 12:40:40 AM »
Hi phzombie, welcome to the forum

Please, send the sample detected to avast! Virus Lab, it can be a "possible false positive" or can be a real threat.

Open avast! UI, choose the Maintenance tab and then go to Virus Chest. Select the file, right click it and then upload.

Cordially,


Llanziel

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Java:Jade-B [Heur] What is this?
« Reply #3 on: December 19, 2010, 12:42:50 AM »
I can only say that [Heur] is the heuristic module.
Probably the boot-time scan runs deeper than your usual scan.

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

phzombie

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #4 on: December 19, 2010, 12:53:17 AM »
I'm sorry, I misunderstood. The location of the file is C:\Users\Myusername\AppData\LocalLow\Sun\JavaDeployment\cache\6.0
« Last Edit: December 19, 2010, 12:59:10 AM by phzombie »

phzombie

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #5 on: December 19, 2010, 01:00:44 AM »
I've sent it to the Virus Lab, thank you.

phzombie

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #6 on: December 19, 2010, 02:20:27 AM »
I'm still not really sure what to do... Can I delete it from my virus chest?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: Java:Jade-B [Heur] What is this?
« Reply #7 on: December 19, 2010, 02:34:02 AM »
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

phzombie

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #8 on: December 19, 2010, 02:39:48 AM »
All right. I'm just nervous because I've never had a virus before! Apparently it was in the Java cache folder. Should I be worried about these types of files? The file is named Tuvvoaerffb.class. How do those get infected, and what's a good way to avoid future infection?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: Java:Jade-B [Heur] What is this?
« Reply #9 on: December 19, 2010, 03:29:40 AM »
Things found in the java cache folder, class stuff makes me think of JAVA exploits and not having an up to date version of JAVA.

I don't know what JAVA version you have so I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.


phzombie

  • Guest
Re: Java:Jade-B [Heur] What is this?
« Reply #11 on: December 19, 2010, 04:44:20 AM »
Well, the virus is in the chest, and I downloaded the latest version of Java. I also did another boot-time scan and it was clean. Hopefully some more information about this issue is made available soon. Thanks for all your help!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: Java:Jade-B [Heur] What is this?
« Reply #12 on: December 19, 2010, 05:16:37 PM »
You're welcome.

Though detailed information on this type of Heuristic detection isn't likely, that is the nature of heuristics. But as I said, stuff relating to .class is almost always related to out of date JAVA versions and attempts to exploit a vulnerability in the old version.

Personally I don't go hunting for what it might do if it has been detected and in the chest it can't do any harm. The fact that these files are usually located in the java cache, they are temporary, so their loss (move to the chest, etc.) shouldn't have any lasting impact.

Offline kovac

  • Avast team
  • Newbie
  • *
  • Posts: 16
Re: Java:Jade-B [Heur] What is this?
« Reply #13 on: December 20, 2010, 10:26:49 AM »
The Java:Jade-* is a new heuristic detection we recently added. It is mainly aimed against popular exploits in java. If you encounter detections on files which you think are clean, please submit them to Virus Lab so we can investigate further. Thanks.
Per aspera ad astra.
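
An added example for the situation discussed in this thread (not code from avast! or from any poster): it walks a Java deployment cache folder, identifies class and JAR files by their leading bytes rather than their names, and reports a SHA-256 for each so the hash can be looked up at VirusTotal. The sample files and their names are constructed placeholders; on a real machine, pass the cache folder path instead of the sample directory.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Class-file major version -> Java release (from the JVM specification).
JAVA_RELEASE = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7", 52: "8"}


def identify(data: bytes) -> str:
    """Classify a cached file by its leading bytes, ignoring its name."""
    if len(data) >= 8 and data[:4] == b"\xca\xfe\xba\xbe":
        minor, major = struct.unpack(">HH", data[4:8])
        # Mach-O universal binaries share this magic; their next field is a
        # small architecture count, so a major version below 45 is not a class.
        if major >= 45:
            return f"java-class (Java {JAVA_RELEASE.get(major, 'major ' + str(major))})"
        return "unknown"
    if data[:4] == b"PK\x03\x04":
        return "zip/jar"
    return "unknown"


def triage(cache_dir: Path) -> list[dict]:
    """Return name, type and SHA-256 for every file under cache_dir."""
    rows = []
    for path in sorted(p for p in cache_dir.rglob("*") if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        rows.append({"name": path.name, "type": identify(data), "sha256": digest})
    return rows


def build_sample_cache(root: Path) -> Path:
    """Constructed sample data: harmless stand-ins, not real cache contents."""
    cache = root / "cache" / "6.0" / "12"
    cache.mkdir(parents=True)
    (cache / "1a2b3c4d-5e6f7a8b").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00" * 16)
    (cache / "1a2b3c4d-5e6f7a8b.idx").write_bytes(b"\x00" * 32)
    (cache / "2b3c4d5e-6f7a8b9c").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    return root / "cache" / "6.0"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in triage(build_sample_cache(Path(tmp))):
            print(f"{row['sha256']}  {row['type']:<22} {row['name']}")
```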

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Java:Jade-B [Heur] What is this?
« Reply #14 on: December 20, 2010, 10:36:57 AM »
Thanks for the info, kovac..! Welcome to the forum..!!! :)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0