gmonstart / jvregisterclasses in tons of binaries with commands, malware?

Ethan Baldridge ethan at superiordocumentservices.com
Wed Dec 16 22:56:45 GMT 2009


Not sure what precisely those strings are from, but I can tell you right now what they ARE (along with the "lists of commands") after looking at /bin/ps.

That's the function table for the binary. The "@" sign you're seeing is actually represented as "^@" (one character, not two) - it's a null character (invisible to the naked eye in ASCII if it weren't represented somehow; ^@ is the common way to do it). In most programming languages, a null character is used to mark the end of a string. In this case, the end of a function name.

Having a readable representation of the function table is important for debugging (among other things). It means instead of having a backtrace that says "Function 0x08c4ffff returned 3" you can see "atoi returned 3".





> -----Original Message-----
> From: ubuntu-devel-discuss-bounces at lists.ubuntu.com [mailto:ubuntu-
> devel-discuss-bounces at lists.ubuntu.com] On Behalf Of
> whereislibertyandjustice at Safe-mail.net
> Sent: Wednesday, December 16, 2009 5:41 PM
> To: ubuntu-devel-discuss at lists.ubuntu.com
> Subject: gmonstart / jvregisterclasses in tons of binaries with
> commands,malware?
> 
> In linux binaries, in any linux distro, I've discovered the same strings
> which I believe may be due to a virus or trojan.
> 
> Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
> 
> Whether I run 'strings' on the binary files or view with vim or gedit,
> here is what is always seen inside the binaries:
> 
> 
> __gmon_start__
> _Jv_RegisterClasses
> 
> Followed by commands which differ within each binary.
> 
> If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
> include the above two strings followed by commands, after I run an update
> the updated binaries suddenly contain the above two strings and other,
> what I believe to be, rogue strings. I've avoided the possible infection
> with an OpenBSD install, yet all the Linux installations and burned ISOs
> contain binaries with the above two strings followed by commands.
> 
> Search using find within your bin and sbin directories for those two
> strings and see how many positives you find. Now use a text editor like vi
> or gedit and search through the gibberish, locate these strings and
> isolate the commands, if any, which follow them. Searching for gmonstart,
> gmon, registerclasses, jv, etc. variations of these works. If you find
> results in your binaries, please copy/paste the commands following the
> gmonstart and jvregisterclasses strings so I may compare them to mine.
> 
> I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
> different physical locations and found some CDs contained these strings
> in the binaries and one or two rare ones did not, but when
> installed/updated on a network connection the binaries replaced in the
> update process would show these strings!! These strings are not alone by
> themselves in the binaries; they follow with commands with a @ mark
> before each command.
> 
> Google results are vague, some suggest shell backdoors, every Linux user
> I've asked to date calls me paranoid while at the same time this
> knowledge comes as a surprise to them, too, when they search their
> binaries and find the same strings. I'm amazed by how quickly some rush
> to judgement and call you paranoid for being curious about the files on
> your system. The strings may/may not be common, but in comparing commands
> which follow these strings I've noticed some which seem downright
> malicious!
> 
> Maybe they're right, I'm just paranoid, but what am I seeing and why
> are these strings so common across Linux distros binaries, esp. the
> Jv (java?) reference? Please, any help?
> 
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
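An added example, not part of this thread: it pulls the ELF dynamic string table (.dynstr) out of a binary and splits it on the NUL byte the poster saw as "^@", so the "commands" after `__gmon_start__` and `_Jv_RegisterClasses` show up as what they are, imported symbol and library names. The function and constant names are mine; it assumes a little-endian ELF64 file with a section header table, and the sample string table is constructed, not taken from a real binary.

```python
"""Why __gmon_start__ / _Jv_RegisterClasses sit in nearly every Linux binary:
they are NUL-terminated names in the ELF dynamic string table, and the "^@"
between the "commands" is that NUL.  Assumes little-endian ELF64 with a
section header table (typical x86_64/aarch64 Linux executable)."""
import struct
import sys

# Constructed sample .dynstr (not taken from a real binary)
SAMPLE_DYNSTR = b"\0__gmon_start__\0_Jv_RegisterClasses\0libc.so.6\0atoi\0exit\0"

# What the two names the poster asked about actually are
KNOWN_HOOKS = {
    "__gmon_start__": "gprof profiling hook, weak reference from crt startup code",
    "_Jv_RegisterClasses": "libgcj Java class registration hook, weak reference",
}

def split_nul_names(table):
    """Split a string table on NUL bytes; the leading entry is always empty."""
    return [s.decode("ascii", "replace") for s in table.split(b"\0") if s]

def dynstr_names(elf_bytes):
    """Return every name stored in the binary's .dynstr, [] if there is none."""
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    # ELF64 header: e_shoff at 0x28; e_shentsize, e_shnum, e_shstrndx at 0x3a
    (shoff,) = struct.unpack_from("<Q", elf_bytes, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf_bytes, 0x3a)
    if shnum == 0:
        return []  # no section headers (stripped or static): nothing to read
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf_bytes, shoff + i * shentsize)
             for i in range(shnum)]
    # Section names are themselves NUL-terminated strings in .shstrtab
    shstr = shdrs[shstrndx]
    shstrtab = elf_bytes[shstr[4]:shstr[4] + shstr[5]]
    for sh in shdrs:
        if shstrtab[sh[0]:].split(b"\0", 1)[0] == b".dynstr":
            return split_nul_names(elf_bytes[sh[4]:sh[4] + sh[5]])
    return []  # statically linked binaries carry no dynamic string table

def classify(names):
    """Map each name to what it is: a known startup hook or an ordinary import."""
    return {n: KNOWN_HOOKS.get(n, "imported symbol or needed library name")
            for n in names}

if __name__ == "__main__":
    names = (dynstr_names(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1
             else split_nul_names(SAMPLE_DYNSTR))
    for name, meaning in classify(names).items():
        print(f"{name:24s} {meaning}")
```

Run it against a system binary (`python3 dynstr.py /bin/ps`) and compare the list with the output of `strings`: the same names appear, now labelled, and a binary whose .dynstr holds only library and libc symbol names is exactly what a normal dynamically linked executable looks like.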

