A bizarre behavior of fax on XP


Votan
July 5th, 2004, 11:07 PM
My system is HP Pavilion, XP with all latest updates, 2.08 MHz, 512 K RAM, modem connected to telephone line, cable to go online, ZoneAlarm version: 5.0.590.015.

About 10 days ago my computer fax, the Microsoft fax utility, picked up a call. The caller hung up before the completion of the handshake, so it wasn't possible to get the message. Thereafter, every time I boot, three things happen that never happened before:

1. The startup music of XP chokes in the middle for about two seconds, suggesting to me that some application is installing itself and taking the processor resource for those seconds.

2. The telnet utility mcc.exe opens a DOS window just before the startup music chokes, and ZA warns that the telnet file mcc.exe is requesting permission to go to the internet; I deny the permission. I know for a fact that I have telnet.exe on my system, but I did not know about mcc.exe.

3. The fax service attempts to access the internet, destination 127.0.0.1, port 1024. ZA warns about the excursion and I deny access.

The first thing I did was reset the fax option to receive calls manually. The Ad-aware test was negative. The virus check revealed the BYTEVER.A virus nested in three instances in a zipped file only 4 KB in size:

classload.jar-1f5b6b54-1b45b356.zip *GetAccess.class*
classload.jar-1f5b6b54-1b45b356.zip *InsecureClassLoader.class*
classload.jar-1f5b6b54-1b45b356.zip *Inataller.class*

Each zip file is associated with another file of the same name but with extension idx, also 4 K in size; the names between stars were reported by the antivirus utility. These files are located deep in the sun/java folder. I deleted those zipped files, but they are reinstalled at the next reboot, and I noticed no changes in the behavior of startup or other OS functions. If I delete the idx files, the zip files disappear into the unknown, that is, they are saved in the recycle bin. If I delete the zip file, I will have to delete the idx file afterward, and the zip file is saved in the recycle bin. The zip file contains the following files:

Manifest.mf 68 B
Dummy.class 236 B

I looked up the registry keys. I noticed that a command to launch mcc.exe had been added to the local machine Run key. I deleted it, but the startup music continues to choke and the fax service continues to attempt to access the internet.

I set the fax service in ZA not to have access to the trusted zone or to the internet, nor to function as a server, then I reset the fax to receive calls automatically. Now ZA warns that Microsoft Fax Console is attempting to use the machine as a server, destination 0.0.0.0, port 1037. I blocked this one in ZA too.

It could be that I am protected, but there should be no apparent need to block the fax on a cable connection in the first place. The fax is connected to the telephone line; the internet access is through cable.

I uninstalled the Windows Fax component and cleaned the persistent folders of all residual contents except for the TIF files, which are the faxes I sent and received. I rebooted and reinstalled the fax utility. The problem I just described did not go away. If I remove the fax service utility from ZA, it attempts to access the internet. If I remove the fax console from ZA, it attempts to use the computer as a server. I have to keep them checked in ZA.

Another file of the same name but with extension RB0, 32 KB in size, was not detected by the antivirus utility; it resided in the same jar folder as the zip file. It turned out to be another zip file, as I found when I examined its content using WinZip. It contains the files:

Manifest.mf 68 B
GetAccess.class 24,837 B
InsecureClassLoader.class 913 B
Dummy.class 236 B
Installer.class 2,170 B

When I deleted this RB0 file and rebooted, the zip files were not reloaded, at least for now, and the antivirus test was negative, but the startup music is still choking and the fax anomalies persist. The mcc.exe command was not reloaded into the key after I deleted it the first time.

Does anyone have a suggestion about how to fix this problem?

I sent the same message to ZoneLab but I haven't heard from them.

Noonoo: I will try your recipe later and will keep you posted.

NooNoo
July 6th, 2004, 06:52 AM
Wow. If that is the cause, they are getting damn clever.

Have you considered turning off System Restore and uninstalling the fax utility in Safe Mode?

Have you run a HijackThis log?