New discovered JAVA virus ?

  • Thread starter: Wim Hamhuis

Wim Hamhuis

With chatting i discovered the java runtime was modified so it produced
errors (blue screen, VXD error) it worked before fine.
Installing the fresh java runtime again solved the problem. But could it be
virus activity ?

with friendly greetings,
Wim Hamhuis
 
Wim said:
With chatting i discovered the java runtime was modified so it produced
errors (blue screen, VXD error) it worked before fine.
Installing the fresh java runtime again solved the problem. But could it be
virus activity ?

it could be magical java death rays from mars, but it's more likely
that it simply became corrupted...
 
kurt wismer said:
it could be magical java death rays from mars, but it's more likely
that it simply became corrupted...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

You have a nice sig, and i admire your point of view, but in the meantime i
discovered the "Lovesan.F.1" worm-virus was causing this; so this was virus
activity. It's not likely these files become corrupted automatically, the
updated virusscan found the virus and deleted it. I refreshed the java
runtime with the new version AFTER getting rid of the virus and now the
problems are gone...

by the way thanks for your answer.

With friendly greetings from The Netherlands,
Wim Hamhuis
Computer repairman
 
Wim said:
kurt wismer said:
Wim Hamhuis wrote:



it could be magical java death rays from mars, but it's more likely
that it simply became corrupted...
[snip]

You have a nice sig, and i admire your point of view, but in the meantime i
discovered the "Lovesan.F.1" worm-virus was causing this; so this was virus
activity.

i never said it couldn't be but obviously asking here is a silly thing
to do - use an anti-virus program if you think you have a virus...
It's not likely these files become corrupted automatically, the

actually it is likely, certainly more likely than viruses disabling
it... the java runtime is, after all, just a program - it exists as a
file or set of files on your hard disk and can easily become corrupted
if the file system becomes corrupted or if one or more of the
sectors it occupies goes bad or any number of other things happen...

when something unusual happens on your computer it is not automatically
a virus...
updated virusscan found the virus and deleted it. I refreshed the java
runtime with the new version AFTER getting rid of the virus and now the
problems are gone...

so you re-installed it...

well, i'm sorry to say that i can find no information about lovesan
affecting the java runtime so it looks like it was purely
coincidental to the virus problem you had...

[snip]
Outgoing mail is certified Virus Free.

why do you let your scanner lie to the world?
 
when something unusual happens on your computer it is not automatically
a virus...

That's true.
so you re-installed it...

yes, after i've seen with my own eyes the virus corrupted some java files. I
rescanned my harddisk there are no bad sectors present. They were put there
because of a virus. When the virus was removed, the bad sectors went into
the digital hunting fields. I tested the harddisk thoroughly with Norton
disk doctor (even at low level) - nothing was wrong. The bootsector was
infected, with a piece of code, 4096 bytes long, sound familiar ? I think
this was a dropper of the old "@Brain" virus, which causes wrongly bad
sectors who aren't for real, using an interrupt to hide it from scanners. I
had to remove this virus manually, by replacing the bootsector with a
healthy one since this is a stealth virus, pointing with an interrupt to
another code which points to a normal bootsector somewhere else on the
harddisk. When i rewrote the bootsector, by starting with a write protected
boot disk with a healthy bootsector on it, i used the command "SYS C:" to
replace the infected bootsector.
well, i'm sorry to say that i can find no information about lovesan
affecting the java runtime so it looks like it was purely
coincidental to the virus problem you had...

This could, or couldn't be. I hope antivirus programs will get advanced and
speedy eventually, by letting the customer choose at install which processor and
which speed their computer has. This would install a speedy antivirus
program, fitted for the computer system they have...
[snip]
Outgoing mail is certified Virus Free.

why do you let your scanner lie to the world?

hehehe in fact it doesn't lie, because it has a constant update function
which is very useful .. and it's really true, some viruses can't be found
by even the best antivirus programs. That's why you have to :
* Keep a bootable floppy, DIRECTLY MADE when installing a *genuine* Windows, write protected.
* Watch carefully if your windows CDROM is a genuine, because if it's not it could contain a virus, maybe a stealth one and then there is nothing you could do about it, because this cdrom would continue creating virus boot floppies, which only would be detected by healthy systems...

With friendly greetings,
Wim Hamhuis
 
Wim Hamhuis wrote:
[snip]
yes, after i've seen with my own eyes the virus corrupted some java files.

please describe how you verified that it was the virus that performed
the corruption... just because you also had a virus at the same time
doesn't mean it was the virus' doing...
I
rescanned my harddisk there are no bad sectors present. They were put there
because of a virus.

how do you know this?
When the virus was removed, the bad sectors went into
the digital hunting fields.

i have no idea what you mean by this...
I tested the harddisk thoroughly with Norton
disk doctor (even at low level) - nothing was wrong.

not all file corruptions will show up with ndd... not all are due to
bad sectors or filesystem corruption...
The bootsector was
infected, with a piece of code, 4096 bytes long, sound familiar ?

no, not really... you can't tell much from the size... what did your
scanner call it...
I think
this was a dropper of the old "@Brain" virus,

a dropper? a dropper wouldn't be in the bootsector...
which causes wrongly bad
sectors who aren't for real, using an interrupt to hide it from scanners. I
had to remove this virus manually, by replacing the bootsector with a
healthy one since this is a stealth virus,

stealth virus or no, booting from a known clean bootable floppy disk
would have gotten around its protective measures...
pointing with an interrupt to
another code which points to a normal bootsector somewhere else on the
harddisk. When i rewrote the bootsector, by starting with a write protected
boot disk with a healthy bootsector on it, i used the command "SYS C:" to
replace the infected bootsector.

then it wasn't the Brain virus, as that infects the master boot record,
not the partition boot sector - sys c: replaces the partition boot
sector - fdisk /mbr replaces the master boot record...
This could, or couldn't be.

well now that you've described a whole new virus problem supposedly
caused by an unnamed bootsector infector - except that it shouldn't be
able to do anything after windows loads up... if memory serves, the old
tricks of hooking low level interrupts falls flat on its face with
32bit OSes like windows 95 and up...
I hope antivirus programs will get advanced and
speedy eventually, by letting the customer choose at install which processor and
which speed their computer has. This would install a speedy antivirus
program, fitted for the computer system they have...

and that makes absolutely no sense... if they could make the software
faster, they would - there's no reason to go at any speed other than as
fast as they possibly can...
[snip]
Outgoing mail is certified Virus Free.

why do you let your scanner lie to the world?

hehehe in fact it doesn't lie, because it has a constant update function
which is very useful ..

updates don't matter - certified virus free means they are guaranteeing
that there are no viruses present... that implies that they can detect
all viruses (otherwise they could make no such guarantee) and that was
shown to be impossible 2 decades ago...

"certified virus free" is a bald faced lie that grisoft thinks they can
get away with because most people don't know any better...
and it's really true, some viruses can't be found
by even the best antivirus programs.

and here you display the fact that you know that "certified virus free"
is false...
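
Added example, not part of the original thread: the distinction drawn above between the master boot record (LBA 0) and the partition boot sector (first sector of the partition) can be checked by hashing the two areas of a disk image separately and comparing them with a known-good baseline. The disk image is constructed inside the script, and the function names and fill bytes are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446           # MBR boot code occupies bytes 0..445 of LBA 0
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511


def parse_mbr(sector0: bytes):
    """Split LBA 0 into (boot_code, list of non-empty partition entries)."""
    if len(sector0) != SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("not an MBR sector: bad length or missing 55 AA signature")
    partitions = []
    for i in range(4):
        entry = sector0[CODE_LEN + 16 * i: CODE_LEN + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return sector0[:CODE_LEN], partitions


def boot_area_digests(image: bytes):
    """SHA-256 of the MBR boot code and of each partition's first sector."""
    boot_code, partitions = parse_mbr(image[:SECTOR])
    digests = {"mbr_code": hashlib.sha256(boot_code).hexdigest()}
    for p in partitions:
        start = p["lba_start"] * SECTOR
        pbs = image[start:start + SECTOR]
        if len(pbs) != SECTOR:
            raise ValueError(f"partition {p['index']} starts beyond the image")
        digests[f"pbs{p['index']}"] = hashlib.sha256(pbs).hexdigest()
    return digests


def changed_areas(baseline: dict, current: dict):
    """Names of boot areas whose digest differs from the known-good baseline."""
    keys = set(baseline) | set(current)
    return sorted(k for k in keys if baseline.get(k) != current.get(k))


def build_image(mbr_fill: int, pbs_fill: int) -> bytes:
    """Constructed 64-sector test image: one active FAT32 partition at LBA 63."""
    image = bytearray(SECTOR * 64)
    image[:CODE_LEN] = bytes([mbr_fill]) * CODE_LEN
    image[CODE_LEN:CODE_LEN + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B, b"\xfe\xff\xff", 63, 1)
    image[510:512] = SIGNATURE
    pbs = bytearray([pbs_fill]) * SECTOR
    pbs[510:512] = SIGNATURE
    image[63 * SECTOR:64 * SECTOR] = pbs
    return bytes(image)


if __name__ == "__main__":
    baseline = boot_area_digests(build_image(0xAA, 0xBB))
    # Same disk after only the partition boot sector was rewritten.
    print(changed_areas(baseline, boot_area_digests(build_image(0xAA, 0xCC))))
    # Same disk after only the MBR boot code was rewritten.
    print(changed_areas(baseline, boot_area_digests(build_image(0xDD, 0xBB))))
```

A rewrite of one area leaves the other area's digest untouched, which is why a repair aimed at the partition boot sector says nothing about the state of the MBR code.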
 
kurt wismer said:
Wim Hamhuis wrote:
[snip]
yes, after i've seen with my own eyes the virus corrupted some java
files.

please describe how you verified that it was the virus that performed
the corruption... just because you also had a virus at the same time
doesn't mean it was the virus' doing...

OK i will. I was chatting on a chatbox. Suddenly a blue screen told me there
were errors in some VXD files, used by java. I couldn't take someone private
anymore or the same error showed up. Then i decided to reinstall java. The
same error showed up, after i installed the new JAVA runtime. This looks
impossible by me that it could be caused by a faulty harddisk. Then i looked
into the install options. I saw both java runtimes were active. So it could
probably conflict. I disabled the old runtime and activated the new one.
That's where the interrupt hideout appeared ; dialog box : "I/O error on int
13" . When i rebooted the computer with a healthy disk, i could enter windows
and activate the new java again. This time , no error dialogbox "I/O error
on int 13" appeared. To make sure the bootsector on my harddisk is the same
as on floppy i used the command SYS C: (From a:) to replace it. This solved
the problem.
how do you know this?

The bad sectors were present when the virus was active. When i removed the
virus, the bad sectors did go away when i verified the harddisk, the program
repaired them.
not all file corruptions will show up with ndd... not all are due to
bad sectors or filesystem corruption...

exactly. sometimes it can be caused by a computer virus.
no, not really... you can't tell much from the size... what did your
scanner call it...
@Brain.


a dropper? a dropper wouldn't be in the bootsector...

Well a dropper is in its kind a program which could release a number of
different computer viruses. So theoretically it's possible to have a dropper
with a bootsector virus inside. But this is very difficult to program i
think. They had to hide themselves from any antivirus program detection i
guess.
stealth virus or no, booting from a known clean bootable floppy disk
would have gotten around its protective measures...

That's not entirely true. The BIOS system could cause the computer to still
boot from C even if a floppy is present in the floppy drive. But when this
happens the floppy is write protected. Then you have to go inside the BIOS
and set the boot function correctly to first A: then C: then CDROM. Then you
choose "save and exit". Then the computer reads the bootsector from your
write protected floppy disk there is no way around for a
computer(bootsector)virus this way.
then it wasn't the Brain virus, as that infects the master boot record,
not the partition boot sector - sys c: replaces the partition boot
sector - fdisk /mbr replaces the master boot record...

It could have been a different one, anyway i did get disposed of it.
well now that you've described a whole new virus problem supposedly
caused by an unnamed bootsector infector - except that it shouldn't be
able to do anything after windows loads up... if memory serves, the old
tricks of hooking low level interrupts falls flat on its face with
32bit OSes like windows 95 and up...

That's true. I am glad i managed this computer virus to stop spreading any
further.
and that makes absolutely no sense... if they could make the software
faster, they would - there's no reason to go at any speed other than as
fast as they possibly can...

Well, the big antivirus vendors sell loggy antivirus programs who are in fact
very slow if they do not meet the system requirements. When you can program
your own system requirements you can cause the installer to install a program
which is specially written for your processor. This should run a lot faster
and work a lot more accurately.
[snip]
Outgoing mail is certified Virus Free.

why do you let your scanner lie to the world?

hehehe in fact it doesn't lie, because it has a constant update function
which is very useful ..

updates don't matter - certified virus free means they are guaranteeing
that there are no viruses present... that implies that they can detect
all viruses (otherwise they could make no such guarantee) and that was
shown to be impossible 2 decades ago...

Well the certificate only means the time between the newest discovered
virus. It didn't mention the new programmed undiscovered computer viruses.
"certified virus free" is a bald faced lie that grisoft thinks they can
get away with because most people don't know any better...

Maybe it's just a way to keep the people from complaining all the time too
much when you are right when someone sees their computer is acting weird when
it's no computer virus. Sure programmers from antivirus companies do their
best to protect their customers from new computer viruses all the time.
Shouldn't we be thankful ? I had once the antivirus program really caught a
computer virus. The computer virus became immediately out of function and the
program removed the computer virus, so these antivirus computer programs are
very useful.
and here you display the fact that you know that "certified virus free"
is false...

Only when the period on the certificate expires when a new threat is
discovered.. you know you have to update regularly to keep new programmed
computer viruses from your computer.

By the way, thanks for your reply.

Wim Hamhuis
 
Wim said:
kurt wismer said:
Wim Hamhuis wrote: [snip]
yes, after i've seen with my own eyes the virus corrupted some java
files.
please describe how you verified that it was the virus that performed
the corruption... just because you also had a virus at the same time
doesn't mean it was the virus' doing...


OK i will. I was chatting on a chatbox. Suddenly a blue screen told me there
were errors in some VXD files, used by java. I couldn't take someone private
anymore or the same error showed up. Then i decided to reinstall java. The
same error showed up, after i installed the new JAVA runtime. This looks
impossible by me that it could be caused by a faulty harddisk. Then i looked
into the install options. I saw both java runtimes were active. So it could
probably conflict. I disabled the old runtime and activated the new one.
That's where the interrupt hideout appeared ; dialog box : "I/O error on int
13" . When i rebooted the computer with a healthy disk, i could enter windows
and activate the new java again. This time , no error dialogbox "I/O error
on int 13" appeared. To make sure the bootsector on my harddisk is the same
as on floppy i used the command SYS C: (From a:) to replace it. This solved
the problem.

i fail to see how you came to the conclusion that the virus caused the
corruption...your description doesn't even establish the presence of a
virus in your partition boot sector...

so far as i can see you had a corruption in the java runtime so you
installed it again but didn't uninstall the previous instance so you
encountered a conflict between them when you tried to disable one and
enable the other but after rebooting from a clean floppy it was fine -
no indication if it would have been fine after a normal reboot or if
the problem would have been there if you'd uninstalled the previous
instance of the java runtime first (like you're supposed to)...
The bad sectors were present when the virus was active. When i removed the
virus, the bad sectors did go away when i verified the harddisk, the program
repaired them.

so you say - but so far i'm not inclined to trust your diagnostics...
exactly. sometimes it can be caused by a computer virus.

and sometimes it's just bit-rot...

which is an mbr infector...
Well a dropper is in its kind a program which could release a number of
different computer viruses. So theoretically it's possible to have a dropper
with a bootsector virus inside.

please re-read - it's possible to have a boot sector in a dropper, but
not nearly as likely to have a dropper in a boot sector... especially
not on your hard disk (you would have had to put it there yourself)...
But this is very difficult to program i
think. They had to hide themselves from any antivirus program detection i
guess.

sure, but how did it get in your *boot sector*? it's not like you can
choose "save as" and select the boot sector as a location when you're
downloading junk from the internet...
That's not entirely true. The BIOS system could cause the computer to still
boot from C even if a floppy is present in the floppy drive.

please re-read - if you boot from a floppy then you are booting from
the floppy, not from the hard disk... i didn't say attempting to boot
from the floppy... part of booting from the floppy involves verifying
that the floppy drive is the first drive in the boot sequence in your
bios...

[snip]
It could have been a different one, anyway i did get disposed of it.

so then you have 3 different viruses? you said lovesan at first, but it
wasn't that one - then you said brain except the cleaning method you
described wouldn't have cleaned the brain virus, and now you think
there was some 3rd virus that apparently your scanner didn't detect
(hey, nobody is writing boot sector viruses anymore - if you had a
partition boot sector infector it would have to be pretty old and if
your scanner didn't detect it then your scanner is junk)...

[snip]
Well, the big antivirus vendors sell loggy antivirus programs who are in fact
very slow if they do not meet the system requirements. When you can program
your own system requirements you can cause the installer to install a program
which is specially written for your processor. This should run a lot faster
and work a lot more accurately.

you still aren't getting it - the only way to make the programs run
faster is to make them do less work... and when we're talking about
scanning engines that necessarily means that it will catch fewer
viruses...
[snip]

Outgoing mail is certified Virus Free.

why do you let your scanner lie to the world?

hehehe in fact it doesn't lie, because it has a constant update function
which is very useful ..

updates don't matter - certified virus free means they are guaranteeing
that there are no viruses present... that implies that they can detect
all viruses (otherwise they could make no such guarantee) and that was
shown to be impossible 2 decades ago...

Well the certificate only means the time between the newest discovered
virus. It didn't mention the new programmed undiscovered computer viruses.

no, the certified means nothing on its own - you have to take it with
the "Virus Free" context and no program can honestly say something is
"Virus Free"...
Maybe it's just a way to keep the people from complaining all the time too
much

no, it's false advertising...
 
Snip
i fail to see how you came to the conclusion that the virus caused the
corruption...your description doesn't even establish the presence of a
virus in your partition boot sector...

When a virus is "stealth" it hides. That's why. When i'm chatting normally
everything works. No errors should popup, and no files can be corrupted when
there is nothing that corrupts them, i suppose.
so far as i can see you had a corruption in the java runtime so you
installed it again but didn't uninstall the previous instance so you
encountered a conflict between them when you tried to disable one and
enable the other but after rebooting from a clean floppy it was fine -
no indication if it would have been fine after a normal reboot or if
the problem would have been there if you'd uninstalled the previous
instance of the java runtime first (like you're supposed to)...

Of course i did. I deactivated the old runtime and activated the new one. I
uninstalled the old one, AFTER i detected the strange errors. What also can
be possible is that someone (a hacker) messed my computer. Then the cause
wasn't a virus, but the result was.

Snip.
so you say - but so far i'm not inclined to trust your diagnostics...

I'm a trustful person. I live in The Netherlands. My name is Wim Hamhuis. I
hate lies.
and sometimes it's just bit-rot...

That's true, but do you *really* think a brand new harddisk could suddenly
produce SO MUCH bad sectors ? After all when i removed the virus, the bad
sectors were gone when i removed them with disk doctor and i do not have
problems now. I saved several large files, verified them and do not have any
problems anymore, deleted them, emptied the waste-basket and did it again to
make sure the same space on the harddisk is used, and there are no present
problems (anymore).
which is an mbr infector...

When using the SYS command, the system is transferred. That's IO.SYS,
MSDOS.SYS and COMMAND.COM (on some old version) MBR replaces the partition
table, but SYS doesn't. OK you helped, the scanner did detect it again. With
fdisk /MBR it's gone definitely. Damn those viruses. Luckily fdisk /mbr
doesn't delete all your data.
please re-read - it's possible to have a boot sector in a dropper, but
not nearly as likely to have a dropper in a boot sector... especially
not on your hard disk (you would have had to put it there yourself)...

it's not what i meant. i meant a bootsector virus inside a dropper.
Programming a dropper inside a bootsector nah... don't even know the way to
do this ;-)) hahahaha
sure, but how did it get in your *boot sector*? it's not like you can
choose "save as" and select the boot sector as a location when you're
downloading junk from the internet...

true, but i know some people could have the knowledge to pull a stunt like
this in machine language.

snip.
please re-read - if you boot from a floppy then you are booting from
the floppy, not from the hard disk... i didn't say attempting to boot
from the floppy... part of booting from the floppy involves verifying
that the floppy drive is the first drive in the boot sequence in your
bios...

Well it looks like it boots from floppy when the BIOS isn't set up right.
That's what i meant. Then of course there is the auto boot feature...you know
when you put a cd inside a cdrom it starts up automatically if the settings
are right.... I perfectly understand you so we have a good and serious
conversation here. Don't let others harass you, and don't get angry.

fdisk /mbr replaces the master boot record...
so then you have 3 different viruses? you said lovesan at first, but it
wasn't that one -

Lovsan was detected, but automatically removed.

then you said brain except the cleaning method you
described wouldn't have cleaned the brain virus

It didn't , but with your info i cleaned the whole computer, thanks.

, and now you think
there was some 3rd virus that apparently your scanner didn't detect

True, because it hides with interrupt help. Nothing, even the modern
antivirus programs can detect where the bootsector should be, but when this
is misled, the real bootsector could be somewhere else.
(hey, nobody is writing boot sector viruses anymore - if you had a
partition boot sector infector it would have to be pretty old and if
your scanner didn't detect it then your scanner is junk)...

Well, example if you ask me a pen but the pen is in the drawer, i had to
open the drawer first to get the pen. I couldn't give you the pen directly
if the drawer is closed. But i'm no virus writer. Maybe this is how they
could catch misleading interrupts ?
[snip]
Well, the big antivirus vendors sell loggy antivirus programs who are in fact
very slow if they do not meet the system requirements. When you can program
your own system requirements you can cause the installer to install a program
which is specially written for your processor. This should run a lot faster
and work a lot more accurately.

you still aren't getting it -

this was only a suggestion to make antivirus programs automatically fit for
the computers the program is used for. It's no use running an
antivirus program on a pentium1 which was written for a pentium 4. The
program would probably choke on a pentium 1, because a pentium 4 knows more
instructions a pentium 1 can't cope with.

the only way to make the programs run
faster is to make them do less work... and when we're talking about
scanning engines that necessarily means that it will catch fewer
viruses...

No. The only difference would be the instructions are right in the program
offered to the computer. That speeds it up. The processor then does not have
to cope with instructions it can do nothing with instructions which are not
present in the processor. Worst case - you get error messages then.

[snip]

AVG shows (see end of this mail). But they forget to mention an expiration
date, and the fact they are working all the time (when necessary)
no, it's false advertising...

Then they have to mention an expiration date in their certificate. That
would be no lying anymore for them. Now everybody -updated or not- shows
the same adding in a sig. That can't possibly be true; you're right !

w.f.g.
Wim Hamhuis
 
On that special day, Wim Hamhuis,
([email protected]) said...
do you *really* think a brand new harddisk could suddenly
produce SO MUCH bad sectors ?

IBM DTLA hard disk - google for these words, and you will find one of
the worst disasters IBM had ever to face.


Gabriele Neukam

(e-mail address removed)
 
Wim Hamhuis wrote:
[snip everything]

y'know what, forget it... i'm obviously not getting through to you...
 
kurt wismer said:
Wim Hamhuis wrote:
[snip everything]

y'know what, forget it... i'm obviously not getting through to you...

No you did.

and you helped me, so thanks to you ..


w.f.g.
Wim Hamhuis
 
Gabriele Neukam said:
On that special day, Wim Hamhuis,
([email protected]) said...


IBM DTLA hard disk - google for these words, and you will find one of
the worst disasters IBM had ever to face.


Gabriele Neukam

(e-mail address removed)

hehehe yes, if you just were unlucky to buy a brand new bad harddisk...
return it to the shop ! get a refund ;-))

m.v.g.
Wim Hamhuis
 