Technical Details
This Trojan exploits a vulnerability in Sun Microsystems Java (CVE-2009-3867) to download and launch for execution other malware without the user's knowledge. It is a Java class file. It is 8688 bytes in size.
Payload
The malicious Java applet is launched from the infected HTML page. For example, this Trojan is downloaded by an exploit that is detected by Kaspersky Anti-Virus as Exploit.HTML.CVE-2010-1885.c. It is launched by means of an "<applet>" HTML tag for which the location of the malicious class in the jar archive is shown as one of the parameters:
code='dev.s.AdgredY'
A link is also sent to the applet as the parameter, which the Trojan will use to download other malicious files. Then the malware determines the current OS and the installed version of Java. The Trojan only launches its malicious code in Windows OS. The malware uses vulnerability that arises due to the incorrect processing of a parameter of the function getSoundBank() (CVE-2009-3867) in Sun Java SE; in JDK and JRE version 5.0 up to update 21; in JDK and JRE version 6.0 up to update 16. The Trojan exploits this vulnerability to download a file from the link that is sent to the applet from an HTML page as a parameter. The downloaded file is saved in the current user's temporary folder under the name:%Temp%\<rnd>.exe
where rnd is a random fractional number, for example, 0.7963788877553228 or 0.39694063758338793. The Trojan then launches the saved file for execution.Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Install the latest versions of Sun Java JRE and JDK.
- Empty the current user's temporary folder:
%Temp%\
Žádné komentáře:
Okomentovat