My latest NAV definitions just found Java.NoCheat, apparently some new trojan. I can’t find very much information about it and was wondering where another user in my house may have picked it up (it was under their temp files). Can anyone tell me based on the info in this link what he might have done to get infected?
Also, am I correct in assuming that NAV erases all the various changes it makes to my system (registry, etc.)?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_NOCHEAT.A&VSect=T
Sounds like you need to make sure your software (Microsoft’s Java Virtual Machine in this case) stays up to date. That or turn off Java and all scripting within IE.
It’s possible that some web site that was visited in the past had a javascript that took advantage of a known vulnerability in your browser’s Java implementation.
When NAV cleans out a virus, it does NOT remove registry entries (oh, how I wish it did). If it is necessary to reverse registry entries as part of the disinfection, Symantec usually provides free, downloadable removal tools on their website. If there isn’t such a tool available, chances are a registry fix isn’t necessary.
The link you provided gives some information as to how this beasty operates. Essentially, the registry changes it mentions don’t happen until an intruder connects with the trojan (it doesn’t say how this is accomplished) and issues some commands to it.
It should be relatively easy to use REGEDIT to determine if any changes have been made to the specified registry keys. If you choose to reverse any changes, be sure to back up your registry beforehand – and if you are ever unsure of what you’re doing in the registry, DON’T DO IT.
This trojan may seem to have suddenly appeared, but it could be an old one. NAV definitions are finally getting more and more trojans. The trouble with many of them is that they are virtually undetectable, so their discovery is often by sheer luck.
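As an added example (not from this thread or from Symantec/Trend Micro), here is the "back up first, then check the specified keys for changes" routine from the reply above done in PowerShell instead of by hand in REGEDIT. The key paths and file locations are placeholders to replace with the keys named in the vendor write-up.

```powershell
# Added example, not from the thread: back up the watched registry keys with
# reg.exe, snapshot their values, and report anything that differs from a
# saved baseline. Keys and paths below are placeholders; adjust as needed.
param(
    [string[]]$Keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'),
    [string]$Baseline  = "$env:USERPROFILE\reg-baseline.json",
    [string]$BackupDir = "$env:USERPROFILE\reg-backup"
)

# 1. Export each key to a .reg file before looking at (or touching) anything,
#    so any change made later can be reversed by double-clicking the file.
function Backup-Keys {
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    foreach ($k in $Keys) {
        $regPath = $k -replace '^(HK[A-Z]+):', '$1'            # HKLM:\x -> HKLM\x
        $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
        reg.exe export $regPath $file /y | Out-Null
    }
}

# 2. Record value name -> data for each key (a missing key is recorded as empty).
function Get-Snapshot {
    $snap = @{}
    foreach ($k in $Keys) {
        $vals = @{}
        if (Test-Path $k) {
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { $vals[$p.Name] = [string]$p.Value }
            }
        }
        $snap[$k] = $vals
    }
    return $snap
}

# 3. First run writes the baseline; later runs print added/removed/changed values.
Backup-Keys
$current = Get-Snapshot
if (-not (Test-Path $Baseline)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content $Baseline
    Write-Host "Baseline written to $Baseline"; exit
}
$old = Get-Content $Baseline -Raw | ConvertFrom-Json
foreach ($k in $Keys) {
    $oldVals = @{}
    if ($old.$k) { $old.$k.PSObject.Properties | ForEach-Object { $oldVals[$_.Name] = $_.Value } }
    foreach ($n in (@($oldVals.Keys) + @($current[$k].Keys) | Sort-Object -Unique)) {
        if ($oldVals[$n] -ne $current[$k][$n]) {
            Write-Host "CHANGED $k\$n : '$($oldVals[$n])' -> '$($current[$k][$n])'"
        }
    }
}
```

Run it once on a machine you believe clean to create the baseline, then again after a scan; anything reported as CHANGED is what to compare against the vendor's description before deciding whether to restore the exported .reg file.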