
Monday, 12 March 2012

Exploit.Java.Agent.de


Technical Details

This Trojan exploits a vulnerability in Sun Microsystems Java (CVE-2009-3867) to execute arbitrary code on a vulnerable system. It is a Java class file, 4643 bytes in size.

Payload

A malicious Java applet is activated when an infected HTML page is opened in the user's browser. The exploit is usually downloaded by other malware; for example, this Trojan is downloaded by an exploit that Kaspersky Anti-Virus detects as Exploit.Java.CVE-2010-0886.a. It is launched by means of an "<applet>" HTML tag, which specifies the application's main class as one of its parameters:
code="AppleT.class"
together with the "sc" parameter, whose value is a shell script generated beforehand by the malicious user. The malware then detects the installed Java version and, depending on that version, generates a link that is passed as the argument of the vulnerable function. The exploit uses a vulnerability that arises from incorrect processing of a parameter of the getSoundBank() function (CVE-2009-3867) in Sun Java SE: JDK and JRE version 5.0 up to update 21, and JDK and JRE version 6.0 up to update 16. The Trojan exploits this vulnerability to execute the malicious shell script that is placed on the HTML page as a parameter of the downloaded applet.
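A defensive check built from the details above, as an added example that is not part of the original description: it flags `<applet>` tags that pass an "sc" parameter and tests whether a Java version string falls in the affected ranges listed on this page. The function names, the sample HTML and the inclusive reading of "up to update" are assumptions.

```python
import re
from html.parser import HTMLParser

# Affected ranges as stated on this page; "up to" is read as inclusive (assumption).
AFFECTED_MAX_UPDATE = {5: 21, 6: 16}

class AppletScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.applets = []      # one dict per <applet>: {"code": ..., "params": {...}}
        self._current = None   # applet whose <param> children are being read

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"code": a.get("code", ""), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

def suspicious_applets(html):
    """Return applets that pass an 'sc' parameter, as this sample's loader page does."""
    scanner = AppletScanner()
    scanner.feed(html)
    return [a for a in scanner.applets if "sc" in a["params"]]

def is_affected(version):
    """True if a version string such as '1.6.0_16' is in the page's affected range."""
    m = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?(?:-\w+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    major, update = int(m.group(1)), int(m.group(2) or 0)
    return major in AFFECTED_MAX_UPDATE and update <= AFFECTED_MAX_UPDATE[major]

# Constructed sample page; the "sc" value is a harmless placeholder.
SAMPLE = """<html><body>
<applet code="AppleT.class" width="1" height="1">
  <param name="sc" value="PLACEHOLDER">
</applet>
<applet code="Clock.class"><param name="tz" value="UTC"></applet>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_applets(SAMPLE):
        print("applet with 'sc' parameter:", hit["code"])
```

An "sc" parameter alone is a weak indicator; treat a hit as a reason to inspect the page and the referenced class file, and use `is_affected` on the output of `java -version` to decide whether the host needs the update.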

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Install the latest versions of Sun Java JRE and JDK.
  2. Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
