Exploit-JBellz

Type
Trojan
SubType
Exploit
Discovery Date
01/14/2003
Length
Varies
Minimum DAT
4244 (01/22/2003)
Updated DAT
4406 (11/10/2004)
Minimum Engine
5.1.00
Description Added
01/15/2003
Description Modified
01/15/2003 11:42 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This threat has a risk assessment of Low-Profiled due to media attention at:

http://theage.com.au/articles/2003/01/15/1042520656903.html

The Exploit-JBellz trojan is a malformed MP3 file that carries executable code. By forging the MP3 headers it exploits a vulnerability in the mpg123 player application for Linux, so that when the file is played the embedded code is executed.

The samples found contained code that deletes all files and folders in the user's home directory. However, any code could be embedded, so the exact behaviour of a malicious MP3 may vary.

Users running mpg123 on different operating systems should verify the integrity of their MP3 files, since it is possible that variants of Exploit-JBellz may appear with the ability to affect more than just the Linux application.
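Since the description attributes the exploit to forged MP3 headers, a defender-side check is to validate the frame headers before a file is trusted. The following is an added example, not McAfee's or mpg123's code; it flags header field values the MPEG-1 Layer III specification marks reserved or invalid, and the two inputs are constructed.

```python
"""Sanity-check MPEG-1 Layer III frame headers: an added defender-side example, not
McAfee's or mpg123's code. It flags header fields the spec marks reserved or invalid,
the kind of forged header the description attributes to Exploit-JBellz."""

# MPEG-1 Layer III bitrate (kbit/s) and sample-rate tables, indexed by header field.
BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, None]
SAMPLE_RATES = [44100, 48000, 32000, None]
# Reserved/invalid field values: (bit shift, mask, bad value, message).
CHECKS = [
    (19, 0b11, 0b01, "reserved MPEG version id"),
    (17, 0b11, 0b00, "reserved layer"),
    (12, 0xF, 0xF, "invalid bitrate index 15"),
    (10, 0b11, 0b11, "reserved sample-rate index"),
    (0, 0b11, 0b10, "reserved emphasis value"),
]


def check_header(hdr: bytes) -> list:
    """Return the problems found in one 4-byte frame header (empty list = sane)."""
    h = int.from_bytes(hdr, "big")
    problems = ["missing frame sync"] if h >> 21 != 0x7FF else []  # 11 sync bits
    return problems + [msg for s, m, bad, msg in CHECKS if (h >> s) & m == bad]


def frame_length(hdr: bytes):
    """Byte length of an MPEG-1 Layer III frame, or None when it cannot be derived."""
    h = int.from_bytes(hdr, "big")
    if check_header(hdr) or (h >> 19) & 0b11 != 0b11 or (h >> 17) & 0b11 != 0b01:
        return None  # malformed, or not MPEG-1 Layer III (other layers differ)
    bitrate, rate = BITRATES[(h >> 12) & 0xF] * 1000, SAMPLE_RATES[(h >> 10) & 0b11]
    if bitrate == 0:  # "free format": the header does not fix the frame size
        return None
    return 144 * bitrate // rate + ((h >> 9) & 1)  # plus the padding slot


def scan(data: bytes) -> list:
    """Report (offset, problems) per bad header; stop where the next offset is a guess."""
    findings, pos = [], 0
    while pos + 4 <= len(data):
        problems = check_header(data[pos:pos + 4])
        if problems:
            findings.append((pos, problems))
        length = frame_length(data[pos:pos + 4])
        if length is None:
            break
        pos += length
    return findings


# Constructed inputs: a sane 128 kbit/s, 44.1 kHz stereo header padded to its 417-byte
# frame, and a header with the invalid bitrate index 15 and a reserved emphasis value.
GOOD_FRAME = bytes.fromhex("fffb9000") + bytes(417 - 4)
BAD_FRAME = bytes.fromhex("fffbf002") + bytes(413)
```

A header that passes these checks is well-formed, not safe; the check only separates files no compliant decoder should have to handle from those that deserve a closer look.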

Symptoms

An unexplained deletion of files.

Method of Infection

The JBellz trojan exploits a vulnerability in the mpg123 player for Linux. Using malformed headers, it forces execution of the embedded code with the privileges of the current user.

Removal

Use the specified engine and DAT files for detection and removal. Delete any file that triggers this detection.

Overwritten or deleted files must be restored from backup or reinstalled. Alternatively, system restore can be used to recover deleted files.

AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, email or other media through which users can share files.

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • JBellz (F-Secure)
  • TROJ_JBELLZ.A (Trend)
  • Trojan.Linux.JBellz (Symantec)
