Technical Details
This program has a malicious payload. It is an HTML document containing Java Script. It is 77 309 bytes in size.
Payload
Once launched, the Trojan attempts to launch a malicious Java-applet from the following link:
http://<domain_name_of_infected_server>/games/javaobe.jar
This applet is 7171 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Downloader.Java.OpenConnection.dc. The applet's main class file is specified by the class file named:prev.monoid.class
When the applet is launched, the following values are sent in parameters:archive='./games/javaobe.jar'
value='<encrypted_link>
name="dskvnds"
The Trojan then strips obfuscation from its malicious Java Script. The Trojan determines the operating system version, installed browsers and plugins installed in browser. It exploits a vulnerability in Java Deployment Toolkit (JDT) that arises due to incorrect processing of URL. This allows the malicious user to send random parameters to Java Web Start (JWS) (CVE-2010-0886). The malicious user generates a specially crafted link and sends it as the parameter of vulnerable "launch()" function. This way the Trojan downloads and launches the malicious file for execution from the following link:http://195.***.99/pub/new.avi
It also sends a link for downloading:http://xxv***old.co.cc/d.php?f=43&e=1
The Trojan uses ActiveX objects with unique identifiers to run its malicious script in MS Internet Explorer:{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}
{8AD9C840-044E-11D1-B3E9-00805F499D93}
{CA8A9780-280D-11CF-A24D-444553540000}
To execute its script in Mozilla Firefox and other NPAPI browsers, the Trojan determines the following MIME types:application/npruntime-scriptable-plugin;deploymenttoolkit
application/java-deployment-toolkit
application/vnd.adobe.pdfxml
application/vnd.adobe.x-mars
The malware then exploits a vulnerability that arises due to the incorrect handling of URL escape sequences in the function "MPC::HexToNum" in Microsoft Windows Help and Support Center applications (helpctr.exe) (MS10-042, CVE-2010-1885). After exploiting the vulnerability, the malicious user can execute commands that are delivered through a specially generated "hcp://" URL. The malware uses the ActiveX object "MSXML2.XMLHTTP" to download the file located at the following URL:http://xxv***old.co.cc/games/hcp_vbs.php?f=43
and saves it to the current user's temporary files directory under the name:%Temp%\l.vbs
Using the command line, the Trojan launches the downloaded file for execution and terminates the Microsoft Windows Help and Support Center process:HelpCtr.exe
The malware then determines the plugins installed in the browser and Adobe Reader and Adobe Acrobat ActiveX objects. Then, depending on the PDF Reader version, it opens malicious PDF documents from one of the following links:http://<domain_name_of_infected_server>/games/pdf.php?f=43
http://<domain_name_of_infected_server>/games/pdf2.php?f=43
The malware also exploits a vulnerability that exists due to the "use-after-free" error in the "Peer Objects" component of lepers.dll during incorrect processing of the setAttribute() method (CVE-2010-0806). As a result, the exploit tries to download a file located at the following link:http://xxv***old.co.cc/d.php?f=43&e=5
and save them under the name:%Temporary Internet Files%\<tmp>
where tmp is the name of the temporary file. The downloaded file is then launched for execution. At the time of writing, these links were inactive.Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
- Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
%Temporary Internet Files% - Update Sun Java JRE and JDK to the latest versions.
- Empty the current user's temporary files directory:
%Temp %\
Žádné komentáře:
Okomentovat