
Thread: Riddle Me This? is this Malicious?

  1. #1
    Join Date: Jan 2007 | Location: Eastern USA | Posts: 1

    Riddle Me This? Is this Malicious?

    Hi to all.... (Since this is my first post here!)

    I was going through my WinXP Admin Tools "SERVICES" today and found this odd service listed:

    Service Name: JavaIFX4
    Display Name: JavaIFX4
    Description: (Empty)
    Path to Executable: C:\WINDOWS\java\JavaIFX4\services.exe
    Startup Type: Automatic
    Log On As : Local System

    I have searched Google, Microsoft, Sun, Java, etc. with no results.
    I have up-to-date antivirus and have run a scan targeted at the parent folder
    as well as a full system scan.

    System Info:
    Win XP Sp2 Media Center
    Java 1.5_10
    Microsoft.NET Framework v1.0.3705, v1.1.4322, v2.0.50727

    Here is a screenshot of the Windows\Java\JavaIFX4 folder contents (using FolderView). [Screenshot not reproduced in this text.]

    Other Sub-Folders in C:\Windows\Java

    JAVA (61.1 KB (62,640 bytes))
    |---classes (Empty Folder)
    |---trustlib (Empty Folder)
    |---+JavaIFX4 (Contains 5 files, see above image, and 4 folders)
        |---Channels (Empty Folder)
        |---Download (Empty Folder)
        |---Scripts (Empty Folder)
        |---Server (Empty Folder) (NOTE! This folder is HIDDEN)


    I have manually added the "txt" extension to all files, just as a precaution.
    This is just a text version of the file list with size and MD5.

    JavaIFX4\services.ini.txt       filesize=256    md5=2E2FE7DEAF303D8ADD4BC1FFFBCD2AFD
    JavaIFX4\mirc.ini.txt           filesize=3237   md5=63DF480132F50C2582243513AC9BAA43
    JavaIFX4\ifx.ini.txt            filesize=85     md5=68009812CD9C40102901474AAA2CDEB1
    JavaIFX4\668gapysfx8k6.ths.txt  filesize=58959  md5=EF43A8E0AE5FFB193CE6078BBA07458A
    JavaIFX4\services.log.txt       filesize=103    md5=F2096FB47CFA1AF12A7099F578E53766

    Also note, I do not use mIRC or any other messaging software!

    Any feedback would be greatly appreciated.
    May God Bless You,
    DandyDan

  2. #2
    Join Date: Oct 2005 | Posts: 1,819

    Maybe it's a kind of virus that generates a random name for itself, and this one may have generated the "Windows subfolder name" + random = IFX4.
    Not all viruses can be detected by antivirus, especially if it's rare or someone sent it to you specifically. In this case, this person may have encrypted it with a new method that can't be detected, or, if he is a programmer, regenerated a new family of it!

    Otherwise maybe it's only scripts needed for some Java game or application. What do you have, such a game or application that needs Java? Check if it's from its resources, or maybe you once played an online Java game that downloaded this?

    What about sending their contents here? Don't worry about ini files, they aren't dangerous at all; open them and post their contents here, maybe we can learn something more. Generally I guess that the "services.log" contains only a four-digit number; in that case I know this trojan!

  3. #3
    Join Date: Jan 2007 | Posts: 2

    Hope this helps...

    Question: Do you visit Web sites that would give you cause to believe you have a virus or some new type of virus? Have you installed any unfamiliar software lately? As you probably know by now, some (shady) programs will install other software without your explicit consent.

    Simple Solution: Ask Sun. After all, it is their software. If they have never heard of this file, then you may have a problem. Did you check the creation date of the folder/files to see how long it/they have been there? You should also check when any of those files were last modified. If it is an active virus, then the last-modified date will most likely be very recent.

    Not to be rude, but I wouldn't take Amahdy's comment too seriously. Seems like he/she is kind of jumping the gun a bit. I wouldn't trust any file, let alone open it, if I didn't know where it came from or how it got there in the first place. If it is some sort of virus it could just recreate the files since you have changed the name(s). Have you checked your startup entries to see if any unfamiliar software is loading when you boot up? Just go to Start -> Run, type in msconfig and check the Startup tab. I found some references to an IFX4 on Google after I put a space between Java and IFX4 in the folder name. The word JavaIFX4 produces no results (at least not on Google). You might want to take a look; maybe you will come across something familiar and figure out where this mysterious folder and files came from. You should also do a search on the 668 filename, too, and try to find which software, if any, the *.ths extension belongs to. (http://filext.com/)

    I hope your system isn't infected, but, then again, that's what clean installs are for. I hope this helped.

    Last edited by Demepoole; 01-15-2007 at 11:18 AM. Reason: More info added...

  4. #4
    Join Date: Oct 2005 | Posts: 1,819

    Well, asking Sun maybe will not solve it. As I said before, maybe software that needs Java has installed it, and opening "ini" files or "log" files will do nothing as they aren't executable... Okay, maybe a virus set them in the registry to make them executable, but in this case you need hard work to repair the PC, OR simply a good format/reinstall of the OS!
    About the startup issue, I think he mentioned that it's in Services, which means it's a serious program OR a smart malicious software!!
    Finally, as I told you before, instead of opening them, just drag them into a plain Notepad text window; usually you will have English written there, so send it here, maybe we could help!

  5. #5
    Join Date: Jan 2007 | Posts: 2


    Dude, what are you talking about? I'm just making suggestions. I don't know what will solve anything or if there is even anything to solve.

    I saw that it was a so-called "service", but that does not mean something couldn't be hiding in RunOnce or Run in the registry to cause that service to run somehow, or just to make sure that the "service" has not been deleted.

    I also really think you should stop suggesting that people open files that they are not familiar with on THEIR (key word "THEIR") own computer if they don't want to. If he wanted to do that, then he would have already. Some people actually do have valuable data on their HDD that they would like to hold on to and not risk it on something that is easily avoidable. If you want the files that bad, just ask dwatsonsr to e-mail them to you or something. It almost seems as if you WANT dwatsonsr's system to be infected.

    Last of all, this is not a contest. Like I said earlier, I was just offering HELPFUL suggestions that WERE NOT putting dwatsonsr's system at risk.

    By the way, dwatsonsr. I do use Mirc and it is strange that there seems to be Mirc related files on your HDD if you do not use Mirc. I know there MIGHT be some Mirc add-ons that use Java scripting or applets, but what sense would it make to have an add-on installed for a program that you don't even use?

    Not to mention that the mIRC main program is installed to the program folder and not ANY folder in the Windows directory. I checked my Java directory and none of those files exist, that I can see, on my HDD.

    My suggestion would be to backup all your important files (hopefully you already have them stored on an external drive) and do a clean install. That's what I do when I even SUSPECT my computer is about to start going weird on me. Make sure you FORMAT that hard drive!



  6. #6
    Join Date: Oct 2005 | Posts: 1,819


    Well, I'm talking about what he mentioned, that it exists in "Services". Windows services programs don't need a registry value in the "Run" or "RunOnce" places; they also start once the PC is loaded and not when the user logs in... I mean here services programs, not because the name is services.exe, no, but the known Windows services like winlogon, Messenger, networking, and many other things... and they could be automatic/manual/stopped... Here is the weakness: you can stop them anytime (if there is not any other part that makes them run again), but he mentioned that this file is set to run automatically, so once he loads Windows this program runs before he logs on too.

    Usually hackers don't prefer this method because it needs another program to check if it's stopped and rerun it; they need a very light trojan to do all their work without being noticed... but viruses do, they don't care about anything, only harming the PC, and that's all!

    The good part: it could also be a simple piece of software (again) that has installed those necessary files there... but I'm talking about a strange method of making this installation!
    In your place I'd test this by first stopping the service, and scheduling it, to see what will happen: will it work again? Or if I make it manual and then stop it forever, will it be changed to work automatically again?
    Another thing: you may "remove" (cut and paste to any other place) those files and see if they will be regenerated.
    Deme, maybe you are right in the .log file part, as I guessed (and still do) that it contains the opened port number of the trojan to be able to reach it at any time... and in this case you are right about not sharing those files' contents, but what about sharing a description, like saying the .log contains a 4-digit number, the ***.ini contains three procedures [**] and [**] and [***], for example... this will not be dangerous at all. AND about opening, I confirm that opening anything (even if it's an exe file) with Notepad will not do anything at all... If you can trust me, trust this, or do a small search about it: can Notepad execute any kind of file? The answer clearly is no, of course.
    I hope only that we can help without reinstalling a fresh copy, or maybe it's not a virus at all... BTW you said that you have renamed them with the .txt extension; do you have any program that doesn't work well, or have new files been regenerated? I don't advise you to delete them very fast; if you could have a good removal tool to remove all its traces from anywhere, that would be better.
    Last edited by Amahdy; 01-15-2007 at 06:55 PM.
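The checks suggested in this reply and the earlier ones (where the service's binary lives, how it starts and as which account, file timestamps, hashes, and whether anything comes back after the service is stopped) gathered into one PowerShell script, as an added example that is not code posted by anyone in the thread. It assumes PowerShell 4 or later (Get-CimInstance, Get-FileHash) rather than the XP machine discussed, and the service name is only a parameter defaulting to the thread's JavaIFX4.

```powershell
# Added triage example for an unknown Windows service (not code from the thread).
# Assumes PowerShell 4+ (Get-CimInstance, Get-FileHash); the default name is
# only the placeholder taken from this thread.
param([string]$ServiceName = 'JavaIFX4')

# 1. Image path, start mode and logon account of the service.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "No service named '$ServiceName' found."; return }
$svc | Select-Object Name, DisplayName, StartMode, StartName, PathName, State | Format-List

# 2. Executable path without surrounding quotes or arguments, then its parent folder.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
$folder = Split-Path -Path $exe -Parent

# 3. Inventory of every file around the binary, hidden ones included:
#    creation time, last write time and MD5 (a very recent write, or a hash
#    that differs between runs, is what the replies above are looking for).
$inventory = Get-ChildItem -LiteralPath $folder -Recurse -Force -File | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        SizeBytes     = $_.Length
        CreationTime  = $_.CreationTime
        LastWriteTime = $_.LastWriteTime
        MD5           = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
    }
}
$inventory | Format-Table -AutoSize

# 4. Keep a baseline so a second run (after Stop-Service / Set-Service -StartupType Manual,
#    or after moving the files away) shows whether anything came back or changed.
$baseline = Join-Path $env:TEMP "$ServiceName-baseline.csv"
if (Test-Path -LiteralPath $baseline) {
    $diff = Compare-Object (Import-Csv -LiteralPath $baseline) $inventory -Property Path, MD5
    if ($diff) { Write-Output "Changed since last run:"; $diff | Format-Table -AutoSize }
    else       { Write-Output "No change since last run ($baseline)." }
}
$inventory | Export-Csv -LiteralPath $baseline -NoTypeInformation
```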

  7. #7
    Join Date: Jul 2004 | Location: NYC | Posts: 35

    It might be an infection by the JavaIFX spyware (Amahdy, Google "JavaIFX"), which seems to be only detected by a company named Prevx (http://devfileinfo.prevx.com/spyware.../JavaIFX.html). As I have never heard of either there isn't much help that I can give, but it might be helpful if you could dump the content of some of those files so we could see.

  8. #8
    Join Date: Oct 2005 | Posts: 1,819

    Wow... thanks kero for the info. You know, I think that PREV-X are the creators of this virus!!! But they failed to popularize it, and hence no "famous" anti-spyware lab has detected it, as we have never heard about it.

  9. #9
    Join Date: Oct 2005 | Posts: 1,819

    All search results are linked to this "new" website

  10. #10
    Join Date: Apr 2007 | Posts: 1

    I can confirm that Prevx are a reputable and legitimate company. I have known and used their products on and off for the last couple of years, and they seem to be getting better and better lately.

    They also have an official forum over at Castlecops:
    http://www.castlecops.com/f146-Prevx1.html

    Hope that puts your mind at ease

  11. #11
    Join Date: Jul 2007 | Posts: 3

    It's not a virus as such, as its purpose is to either allow the installation or removal of other applications. My advice: get rid of it and anything to do with it before it becomes a problem.
    It's unclassified as either malicious or not, but if you ask me, anything that is a "back door" to install something is malicious. Also it seems to play around in the same areas that VNC does, which also can't be good, as that's all remote access.
