
Exploit.Java.Agent.ca

Detected Jul 27 2010 12:35 GMT
Released Jul 28 2010 11:20 GMT
Published Apr 04 2011 13:57 GMT


Technical Details

This Trojan exploits a vulnerability in Sun Microsystems Java (CVE-2008-5353). It consists of three Java class files, 12,447, 3,047 and 3,158 bytes in size.


Payload

The Trojan consists of three class files, called:

  • Changes
  • MyBuilds
  • MyFiles

During its operation, the Trojan exploits vulnerability CVE-2008-5353. The vulnerability lies in the deserialization of "Calendar" objects in the Sun Java VM and allows the applet to run with elevated privileges, i.e. outside the applet sandbox. It is present in the Java Runtime Environment (JRE) of Sun Java Development Kit (JDK) 6 up to and including Update 10; in JDK and JRE 5.0 up to and including Update 16; and in the Software Development Kit (SDK) and JRE 1.4.2 up to and including Update 18.

Once it has elevated privileges, the exploit downloads files from the Internet from specific links and launches each downloaded file for execution. The downloaded files are saved in the current user's temporary directory as

%Temp%\<rnd>.exe

where <rnd> is a random fractional decimal number between 0 and 1 (the string form of a random floating-point value, e.g. 0.7308216524823). Before downloading, the Trojan checks the name of the operating system on the infected computer; if the OS is not Windows, no download takes place.

This malware is a Java applet. It is launched from an infected HTML page using an "<APPLET>" tag, which passes an encrypted download link and an iteration count in parameters named "data" and "cc". The "cc" parameter determines the number of download-and-launch cycles performed. The link for downloading each file is generated as follows:

URL = data + i,

where URL is the link from which the next file is downloaded; data is the value of the "data" parameter of the "<APPLET>" tag; i is an integer in decimal notation, 0 <= i < cc; and cc is the value of the "cc" parameter of the "<APPLET>" tag.
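As an added triage example (not code from the original page or from the malware itself), the script below pulls the "data" and "cc" parameters out of every "<APPLET>" tag in a saved HTML page and reconstructs the list of URLs the applet would request, using the URL = data + i scheme described above. The page states that the "data" value is encrypted, but does not describe the encryption, so this example expands the parameter value as-is; against a real sample the decrypted value would be substituted first. The sample HTML, the host example.invalid and the parameter values are constructed for illustration.

```python
from html.parser import HTMLParser


class AppletParamCollector(HTMLParser):
    """Collect <param name=... value=...> pairs that appear inside each <applet> tag."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            name = attrs.get("name", "").lower()
            if name:
                self._current["params"][name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def expand_download_urls(html):
    """For every applet carrying both "data" and "cc", return the URLs data + i for 0 <= i < cc.

    Applets without both parameters, or with a non-numeric "cc", are skipped;
    the loader described on the page would have nothing to fetch in those cases.
    """
    parser = AppletParamCollector()
    parser.feed(html)
    expanded = []
    for applet in parser.applets:
        params = applet["params"]
        if "data" not in params or "cc" not in params:
            continue
        try:
            count = int(params["cc"])
        except ValueError:
            continue
        expanded.append([params["data"] + str(i) for i in range(max(count, 0))])
    return expanded


# Constructed sample page: one loader applet with data/cc, one unrelated applet.
SAMPLE_HTML = """
<html><body>
<applet code="MyFiles.class" archive="loader.jar" width="1" height="1">
  <param name="data" value="http://example.invalid/dl/?id=">
  <param name="cc" value="3">
</applet>
<applet code="Clock.class" width="100" height="50">
  <param name="tz" value="UTC">
</applet>
</body></html>
"""

if __name__ == "__main__":
    for urls in expand_download_urls(SAMPLE_HTML):
        for url in urls:
            print(url)
```

The reconstructed URLs are what to look for in proxy logs and to feed into blocklists; because the loader stops at cc, a page carrying a large "cc" value is itself a useful indicator even before the link is decrypted.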


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Update Sun Java VM to a version in which CVE-2008-5353 is fixed (JDK/JRE 6 Update 11, JDK/JRE 5.0 Update 17, SDK/JRE 1.4.2_19 or later), or to the latest version available.
  2. Delete the following files:
    %Temp%\<rnd>.exe
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?). Also clear the Java applet cache from the Java Control Panel, since the malicious class files may be cached there as well.
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
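Step 2 above gives only a name pattern, not a concrete file name, because each dropped file is named after a random value between 0 and 1. The following added helper (not part of the original page) lists candidate files in the temporary directory whose names fit that pattern: a leading "0." followed by digits, or the scientific notation that Java prints for very small random values (e.g. "1.0E-4"), with an ".exe" extension. The file names in the constructed sample list are illustrative only.

```python
import os
import re
import tempfile

# Names the dropper would produce: str(random double in [0,1)) + ".exe".
# Java renders such values as "0.<digits>" or, for very small values, "d.dddE-n".
DROPPED_NAME = re.compile(r"^(0\.\d+|[1-9](\.\d+)?E-\d+)\.exe$", re.IGNORECASE)


def candidate_dropped_files(names):
    """Return, sorted, the entries from an iterable of file names that match the dropper's naming scheme."""
    return sorted(name for name in names if DROPPED_NAME.match(name))


def scan_temp_dir(path=None):
    """List full paths of candidate dropped files in the given directory (default: the user's temp directory)."""
    path = path or tempfile.gettempdir()
    return [os.path.join(path, name) for name in candidate_dropped_files(os.listdir(path))]


# Constructed sample directory listing (not real findings).
SAMPLE_LISTING = ["0.7308216524823.exe", "update.exe", "0.5", "readme.txt", "1.0E-4.exe", "~DF1234.tmp"]

if __name__ == "__main__":
    print("sample matches:", candidate_dropped_files(SAMPLE_LISTING))
    for hit in scan_temp_dir():
        print("candidate:", hit)
```

Review each hit before deleting it: the pattern is specific enough to be rare in a normal temp directory, but the hash is the authoritative check, and a running copy must be terminated first.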


MD5: B27FAF4A90CAEF7441BD0B912BB08A0A
SHA1: B2F11840E1C315D1D7BA82CA1F4FAF39B0C0098D
MD5: 8D36BDBFB548E1196E7CEA669428B2DD
SHA1: 9D49C8347E4FCE75FF34F2BB452A9A07C3439848
MD5: 63D23DA6EA900A12A0139BC5B1B56F8F
SHA1: 195F0303A1B9E22D82919BA7DFE83AD90B4565A5


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.Java.Agent.ca (Kaspersky Lab) is also known as:

  • Trojan: Downloader-BCS (McAfee)
  • Mal/JavaKC-P (Sophos)
  • Exploit/ByteVerify (Panda)
  • Exploit:Java/CVE-2008-5353.BO (MS(OneCare))
  • Java.Downloader.15 (DrWeb)
  • Java/TrojanDownloader.Agent.NBE trojan (Nod32)
  • Java.Trojan.Exploit.Bytverify.I (BitDef7)
  • Java:Djewers-U [Trj] (AVAST)
  • Trojan-Downloader.Java.Agent (Ikarus)
  • Java/Agent.U (AVIRA)
  • Trojan Horse (NAV)
  • JS/Exploit.FZ (Norman)
  • Exploit.Java.Agent.ca [AVP] (FSecure)
  • TROJ_JAVA.BE (TrendMicro)