Old 04-30-2006, 11:17 PM   #1
686plus
Member
 
Registered: Nov 2004
Location: Portland, Oregon
Distribution: Ubuntu
Posts: 114

Rep: Reputation: 17
clamav detected Java.Downloader.OpenStream.A - what now?


Hello~

I'm running FC5 with Gnome. I ran clamav with the following results:

Code:
//home/chris/.java/deployment/cache/javapi/v1.0/jar/javainstaller.jar-5aa0b436-7d48e07f.zip: Java.Downloader.OpenStream.A FOUND
LibClamAV Error: cli_untar: only standard TAR files are currently supported
LibClamAV Warning: Multipart MIME message contains no boundaries
LibClamAV Warning: Ignoring empty field in " charset="

----------- SCAN SUMMARY -----------
Known viruses: 48836
Engine version: 0.88.1
Scanned directories: 18419
Scanned files: 157213
Infected files: 1
Data scanned: 6560.12 MB
Time: 4288.509 sec (71 m 28 s)

I googled the virus and found it's a Windows virus (surprise?). This is the first virus I've gotten on a Linux box. Can I just delete it? Where should I go from here?
 
Old 05-01-2006, 04:09 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
considering that you are sure it's a windows virus (you are sure, right?), and considering it's located in your home directory, i'd say you just need to clear your ~/.java directory and you'd be set...

how'd you get this, through firefox?? to prevent this kinda stuff from getting downloaded i recommend you either disable java in your firefox or install the noscript extension so that java only works on sites you trust... http://www.noscript.net/

just my ...

PS: i did a quick google and this seems to be more like windows spyware than a virus...

Last edited by win32sux; 05-01-2006 at 04:49 PM.
 
Old 05-01-2006, 04:25 PM   #4
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
I'm pretty sure it is written for MS Java and harmless with Sun Java even under Windows.
 
Old 05-01-2006, 04:53 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
also, it wouldn't hurt to check your ~/.bash_profile to make sure none of this is/was getting auto-loaded from there... this is in case the malware somehow found a way to break-out of the java sandbox or something like that - which is quite unlikely if you are running the latest stable version of java...
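
Added example, not part of any post in this thread: a POSIX shell triage that pulls the FOUND lines out of a clamscan log, reports whether each hit sits in the Java plugin cache under ~/.java, and lists startup-file lines that mention Java for manual review. The function names, the sample log and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a clamscan log, then review shell startup files.

# Print "path<TAB>signature" for every "<path>: <signature> FOUND" line.
clam_hits() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^ ]+$/)          # last ": <signature>" on the line
        if (i) print substr($0, 1, i - 1) "\t" substr($0, i + 2)
    }' "$1"
}

# Succeed if the path is inside the Java plugin's download cache.
in_java_cache() {
    case $1 in
        */.java/deployment/cache/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print file:line:text for startup-file lines that mention Java or a .jar.
# Matches are candidates for manual review; missing files are skipped.
startup_refs() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            grep -niE 'java|\.jar' "$f" /dev/null || true
        fi
    done
}

# Constructed sample input, modelled on the scan output in the first post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/scan.log" <<'EOF'
//home/chris/.java/deployment/cache/javapi/v1.0/jar/javainstaller.jar-5aa0b436-7d48e07f.zip: Java.Downloader.OpenStream.A FOUND
LibClamAV Warning: Multipart MIME message contains no boundaries
Infected files: 1
EOF
printf 'export PATH=$HOME/bin:$PATH\n' > "$demo_dir/bash_profile"

tab=$(printf '\t')
clam_hits "$demo_dir/scan.log" | while IFS=$tab read -r path sig; do
    if in_java_cache "$path"; then where="plugin cache"; else where="elsewhere"; fi
    printf '%s (%s): %s\n' "$sig" "$where" "$path"
done
startup_refs "$demo_dir/bash_profile"
```

On a real system, pass the saved clamscan output to `clam_hits` and files such as `~/.bash_profile` and `~/.bashrc` to `startup_refs`.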
 
Old 05-02-2006, 12:32 AM   #6
686plus
Member
 
Registered: Nov 2004
Location: Portland, Oregon
Distribution: Ubuntu
Posts: 114

Original Poster
Rep: Reputation: 17
Thanks for all the responses. I've deleted ~/.java and my bash profile looks normal.

I use only firefox. Though, I admit I had been browsing some internet backwoods more than usual this week looking for some perl and php scripts and researching some political extremist groups. That was the only thing different in my usage... that could have been the issue.

Thanks for the noscript extension tip. I had previously disabled that stuff, but a lot of browsing I do is for work and involves local government websites. They tend to be pretty poor and filled with poorly implemented junk. So I turned it back on.

As far as Java goes, after many unsuccessful attempts following the advice of others, I used Stan Finley's instructions http://stanton-finley.net/fedora_cor...otes.html#Java
That used jre 5 update 6.

Thanks again.
 
  

