Der.Reisende

Had so far good experience with Panda handling those .jars, but nevertheless, they are scary. I don't believe it's enough to run ANY antivirus solution alone on Windows; it's just a matter of time until something gets past, and adding NVT OSArmor near-perfectly fills those open holes. You can do further investigation if you want to; if I recall correctly it was this one. Still, Java shouldn't be installed on a user's system if it is not used by any program.


There are still people who join Malwaretips stating that they test malware on host systems. It's crazy; it's not testing, it's zero responsibility for your actions.
Those Adwinds are quite common; they appear on Hybrid quite often, some days more, some days less.
They will not only drop lots of .vbs which might carry out the actions described below, but javaw.exe will also end up in AutoRuns linking to a dropped .jar (somewhere in AppData/Roaming as far as I remember).

Not sure if all .jar variants have the ability, but some of the ones we had in the Malware HUB in the past not only set up multiple remote connections (via javaw.exe), but also targeted quite a bunch of anti-malware / antivirus software and tried to disable them (Malwarebytes, Windows Defender, BullGuard - the last one was completely unusable when I ran a few tests against it with such malware in the pack). You will notice the registry hijack entries shown in HitmanPro / Norton Power Eraser.

It's interesting that some vendors manage to detect the dropped .vbs, as if they are recycled, but do nothing when you first launch the .jar.
From the vendors I tried, I know Q360 will manage to clean up the infection but not stop it in the first place; F-Secure will instantly block via DeepGuard (or BD signatures). Kaspersky will for sure block it instantly (ask @harlan4096).

Not sure about Tencent; they have BD signatures, so most of the time the .jar is detected by signatures, and it might clean up like Q360.
Norton does detect some of the malware, but will have the registry hijacked and the .jar active in memory, in AutoRun and calling out.
BullGuard: cannot tell; when I tested it half a year ago or more, it was shut down by the RAT.
Judging from my experiences 3 months or more ago, QuickHeal will act like Norton.

Many firewalls have the javaw.exe process whitelisted, so they won't alert when it calls out (it might be used for legit services, too).

Watch that .jar, I bet it will stay low detected for days.

Have not been able to say this enough in the last couple years.

As well as keeping the guest fully isolated from the host, I never tested unless I had the full arsenal of monitoring tools engaged while doing so, as many can be used as quick kill switches, such as Process Explorer and TCPView. I certainly never test outside of a VM environment, and absolutely check into the sample to learn what it does before proceeding to launch it. This also makes monitoring of the system easier, knowing what/where the sample will affect the system.

Many believe testing is a quick, slap-it-in-the-VM type of thing, and this is far from the truth; to do it properly is very time consuming, most of this time spent in preparation and research, the rest of it spent in monitoring.
Agree, a VM (+VPN!!!) is probably the best call, because of full isolation of personal data.
Easy to set up (you can find good guides via Google), easy to restore.

Would not keep a lot of personal data on the host either; you don't know if malware manages its way there, either out of the VM or through the net.
Even more so if I use ShadowDefender (I like it better than a VM, too).

How does Comodo do against these java buggers?
I have one machine with java installed, it has Windows Defender + Comodo Firewall, Proactive config with both HIPS and Autosandbox enabled.
It will probably sandbox it completely, and it might not be able to do any harm outside the sandbox.
Maybe @cruelsister can help?
Not sure what happens if you use it in stock settings (haven't used it for some time, so I cannot tell), i.e. whether it allows javaw.exe outside containment; AFAIK it has a big list of trusted vendors, and Oracle is for sure one of them.
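The persistence and evasion described in the post above (javaw.exe launched from an autorun entry against a .jar dropped under AppData, dropped .vbs helpers, and firewall rules that let javaw.exe out unchallenged) can be audited on a host with a few read-only checks. The script below is an added example written for this thread, not code from the poster or from any vendor mentioned; it assumes the autorun entry lives in the standard Run/RunOnce registry keys (the post only says "AutoRuns"), that a user-profile path (AppData\Roaming, AppData\Local, Temp) is the suspicious location, and that the host uses the built-in Windows Firewall. It reports findings and changes nothing.

```powershell
# Added example: audit a Windows host for Adwind-style Java persistence and egress.
# Assumptions (not from the thread): Run/RunOnce keys are the autostart location,
# user-profile paths are the suspicious drop location, Windows Firewall is in use.
# Run in an elevated PowerShell 5.1+ session. Read-only: nothing is modified.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspiciousJavaAutoruns {
    # Any Run-key value that starts the Java runtime or a .jar is worth a look;
    # flag it harder when the command points into the user profile or Temp.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -notmatch '(?i)javaw?\.exe|\.jar\b') { continue }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $cmd
                InUserDir = [bool]($cmd -match '(?i)\\AppData\\(Roaming|Local)\\|\\Temp\\')
            }
        }
    }
}

function Get-RecentUserScripts {
    param([int]$Days = 7)
    # Dropped helper scripts (.vbs/.js) under the user profile, newest first.
    Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP -Recurse `
        -Include *.vbs, *.js -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime
}

function Get-JavaFirewallAllowRules {
    # Enabled allow rules bound specifically to java.exe / javaw.exe. A broad
    # outbound allow here is what lets a malicious .jar call out without a prompt.
    Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -match '(?i)javaw?\.exe$') {
                [pscustomobject]@{
                    RuleName  = $_.DisplayName
                    Direction = $_.Direction
                    Program   = $app.Program
                }
            }
        }
}

function Get-JavaPresence {
    # If nothing on the box needs Java, the runtime itself is unnecessary attack surface.
    $java = Get-Command javaw.exe -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool]$java
        Path      = if ($java) { $java.Source } else { $null }
    }
}

Write-Host '== Java runtime on PATH =='
Get-JavaPresence | Format-List
Write-Host '== Run-key entries launching javaw.exe or a .jar =='
Get-SuspiciousJavaAutoruns | Format-Table -AutoSize
Write-Host '== .vbs/.js written under the user profile in the last 7 days =='
Get-RecentUserScripts | Format-Table -AutoSize
Write-Host '== Firewall allow rules bound to java/javaw =='
Get-JavaFirewallAllowRules | Format-Table -AutoSize
```

A Run-key entry with `InUserDir` set to true is the pattern to act on first: legitimate Java software is installed under Program Files and registered by its installer, not launched by javaw.exe from the roaming profile. The firewall listing is the counterpart to the point about whitelisted javaw.exe: if an outbound allow rule for the runtime exists and Java is not actually needed, removing the rule (or the runtime) closes the quiet egress path.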

shmu26

Those Adwinds are quite common; they appear on Hybrid quite often, some days more, some days less.
They will not only drop lots of .vbs which might carry out the actions described below, but javaw.exe will also end up in AutoRuns linking to a dropped .jar (somewhere in AppData/Roaming as far as I remember).

Not sure if all .jar variants have the ability, but some of the ones we had in the Malware HUB in the past not only set up multiple remote connections (via javaw.exe), but also targeted quite a bunch of anti-malware / antivirus software and tried to disable them (Malwarebytes, Windows Defender, BullGuard - the last one was completely unusable when I ran a few tests against it with such malware in the pack). You will notice the registry hijack entries shown in HitmanPro / Norton Power Eraser.

It's interesting that some vendors manage to detect the dropped .vbs, as if they are recycled, but do nothing when you first launch the .jar.
From the vendors I tried, I know Q360 will manage to clean up the infection but not stop it in the first place; F-Secure will instantly block via DeepGuard (or BD signatures). Kaspersky will for sure block it instantly (ask @harlan4096).

Not sure about Tencent; they have BD signatures, so most of the time the .jar is detected by signatures, and it might clean up like Q360.
Norton does detect some of the malware, but will have the registry hijacked and the .jar active in memory, in AutoRun and calling out.
BullGuard: cannot tell; when I tested it half a year ago or more, it was shut down by the RAT.
Judging from my experiences 3 months or more ago, QuickHeal will act like Norton.

Many firewalls have the javaw.exe process whitelisted, so they won't alert when it calls out (it might be used for legit services, too).

Watch that .jar, I bet it will stay low detected for days.



Agree, a VM (+VPN!!!) is probably the best call, because of full isolation of personal data.
Easy to set up (you can find good guides via Google), easy to restore.

Would not keep a lot of personal data on the host either; you don't know if malware manages its way there, either out of the VM or through the net.
Even more so if I use ShadowDefender (I like it better than a VM, too).


It will probably sandbox it completely, and it might not be able to do any harm outside the sandbox.
Maybe @cruelsister can help?
Not sure what happens if you use it in stock settings (haven't used it for some time, so I cannot tell), i.e. whether it allows javaw.exe outside containment; AFAIK it has a big list of trusted vendors, and Oracle is for sure one of them.
Thanks