ClamWin Free Antivirus
Support and Discussion Forums
Trojan.Downloader.Java-18
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
Started on Monday and with the current DB. ClamWin 0.96.2.1 (Oct 28, 2010) detected Trojan.Downloader.Java-18 in "\Application Data\Sun\Java\Deployment\cache\6.0\40\29d45da8-20a7b045".

AVG 9.0 with current updates did NOT detect.
AVG 2011 with current updates did NOT detect.
Malwarebytes with current updates did NOT detect.
SpyBot S&D with current updates did NOT detect.
ClamWin DID detect as Trojan.Downloader.Java-18.
Microsoft Security Essentials DID detect as "TrojanDownloader:Java/OpenStream.AK" and successfully removed.

This occurred on 2 different computers.

Can't submit because I mistakenly cleaned the infection with MSSE before making a copy. Sorry about that.

Anyone else have this happen?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Is the file a false positive?

You may be able to restore the file from MSSE quarantine--if that is the option you used when an infection is detected.

I had some Sun Java detections a few days ago myself and verified them with a Bitdefender online scan. Some AVs do not devote enough attention to Java malware, which is really increasing now.

Regards,
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
I'm not sure if it's a false positive or not. Unfortunately, MSSE did not quarantine, it removed the infection. I actually had 2 copies of the file, but MSSE cleaned one and ClamWin cleaned the other. I would like to hear from others to find out if it is a false positive. If it is, so be it. If it's legit, it will be even more encouraging about ClamWin's ability to detect and remove. I have actually been quite impressed with ClamWin lately. I've also been impressed with Microsoft Security Essentials because it helped me out of a jam the other day with a friend's computer. Also, there is not a lot of overhead with MSSE or ClamWin.

Would still appreciate hearing responses from anyone who had experience with the Trojan.Downloader.Java-18 being detected by ClamWin.

Thanks all.

Jim
dominic


Joined: 02 Sep 2008
Posts: 0
Location: Fremont CA
Windows XP Professional with SP3
McAfee Agent version 4.0.0.14444 did not detect
ClamWin 0.96.1 did detect

Could not find any information anywhere if this is a false positive or not... Anyone?

Dominic
tec-knowledge


Joined: 26 Mar 2010
Posts: 0
Hi dominic,

An update from Oct 28. Sorry, I should have posted this, but I kinda forgot about it. I decided to clear the Java cache just to be safe. Once I did this, ClamWin did not report any infections. The detections were on a server in the profile of the user. I had the user clear the cache using the Java article at https://www.java.com/en/download/help/cache_virus.xml (some versions have different instructions). Then I had them log off/on and it synced with the server. Afterwards, that night's scan showed no infections. I was really not too concerned because the "infected" files were old (not recently accessed) and did not previously show infections. I assumed it was a ClamWin update that identified them as viral, but I cleared them just to be safe.

I still don't know if it was a false positive or not. Sorry I can't answer that question.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Submit the file to Jotti or Virus Total. Either of these on-line scanners will scan your file with multiple scanners, including Clam AV. If several other scanners besides Clam spot a file as infected, it probably is--especially if a couple of these AVs are among those spotting an infection: Avira AntiVir, Alwil Avast, Bitdefender, NOD32, and Sophos.

Regards,
Lagged2Death


Joined: 17 Nov 2010
Posts: 0
I have just had a similar incident, ClamWin finding "Trojan.Downloader.Java-18" in the file:

C:\Users\John\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\702d6a46-6bb2531f

I tried GuitarBob's suggestion.

Jotti results: https://virusscan.jotti.org/en/scanresult/98b3179984cfa27d5569236213ad9aeff1b67f9d

Virus Total results: https://www.virustotal.com/file-scan/report.html?id=302a6f9ed057c820d3e65f6535525305d33495ad961c0b91edb7c62e5c987a0c-1290009218

ClamAV, NOD32 and SOPHOS all showed a detection, in addition to a few others.

I'm inexpertly guessing there is something real there. Java started itself up while I was browsing Reddit with Firefox the other day, and Reddit is warning users (https://www.reddit.com/r/announcements/comments/e7988/a_number_of_reddit_users_have_reported_finding/) they may have hosted a malicious advertisement that made a drive-by style of infection possible.
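Several posters in this thread could not settle the false-positive question because the flagged cache file was cleaned before a copy existed. The Python script below is an added example, not part of the original posts and not ClamWin or Java code: it copies every entry of a Java deployment cache to a separate folder, records each SHA-256, and lists the members of entries that are JARs, so a sample is still available for a multi-scanner check after the cache is cleared. The function names, the evidence-folder layout and the sample cache contents are constructed for illustration, and the script assumes cached JARs are ordinary ZIP archives.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path


def preserve_cache_entries(cache_root, evidence_dir):
    """Copy every entry under a Java deployment cache to evidence_dir.

    Returns a list of dicts: relative path, SHA-256, and, for entries that
    are JAR/ZIP archives, the names of the members inside.
    """
    cache_root, evidence_dir = Path(cache_root), Path(evidence_dir)
    report = []
    for entry in sorted(p for p in cache_root.rglob("*") if p.is_file()):
        rel = entry.relative_to(cache_root)
        digest = hashlib.sha256(entry.read_bytes()).hexdigest()
        members = []
        if zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as jar:
                members = jar.namelist()
        # Keep the cache sub-path so the copy can be tied back to the scan log.
        dest = evidence_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(entry, dest)
        report.append({"path": rel.as_posix(), "sha256": digest,
                       "members": members})
    return report


def build_sample_cache(root):
    """Constructed sample: one JAR-like entry plus its .idx companion."""
    bucket = Path(root) / "6.0" / "40"
    bucket.mkdir(parents=True)
    with zipfile.ZipFile(bucket / "29d45da8-20a7b045", "w") as jar:
        jar.writestr("Example.class", b"constructed placeholder bytes")
    (bucket / "29d45da8-20a7b045.idx").write_bytes(b"constructed index")
    return Path(root)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        cache = build_sample_cache(Path(tmp) / "cache")
        for row in preserve_cache_entries(cache, Path(tmp) / "evidence"):
            print(row["sha256"][:16], row["path"], row["members"])
```

Run it against the real cache path before clearing the cache or letting a scanner remove the file; the recorded SHA-256 lets the preserved copy be matched to a later scan report.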