Internet threat level: 1
Home→Descriptions→Trojan-Downloader.Java.OpenStream.av
Trojan-Downloader.Java.OpenStream.av
| Detected | Oct 06 2010 13:39 GMT |
| Released | Oct 08 2010 04:02 GMT |
| Published | Mar 15 2011 15:26 GMT |
Payload
Removal instructions
Technical Details
This Trojan downloads another program to the computer and launches it for execution without the user's knowledge. It is a Java class file and is 16 472 bytes in size.
Payload
The Java class file "gamesload" includes a JAR archive and is part of a piece of malware. The following components of the Trojan are also stored in the archive:
Game.class – 672 bytes gamesload$1.class – 657 bytesA malicious Java applet is activated after an infected HTML page is opened in the user's browser. It is launched by means of an "<applet<" HTML tag for which the applet's main class file is shown in the form of one of the parameters:
code="game/gamesload.class"The "data" parameter is also sent from the HTML page to the applet. The value of the "data" parameter consists of a link to download another piece of malware. To download the other piece of malware from the specified link, the Trojan uses a vulnerability in Java Runtime Environment (CVE-2010-0094). The vulnerability occurs during deserialization of RMIConnectionImpl objects. This vulnerability enables the malicious user, through virtualization, to call Java system functions by using ClassLoader. Java Runtime Environment (JRE) up to version 6, 18th update, is vulnerable.
After exploiting this vulnerability, the downloaded file is saved in the current user's temporary files directory under the name:
%Temp%\<rnd>.exewhere rnd is a random fractional number, for example, "0.3408872331207319" or "0.6955395946128761". The Trojan then launches the downloaded file for execution.
Removal instructions
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Update Java Runtime Environment to the latest version.
- Empty the following directory:
%Temp%\
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
[MD5: 9d68b1d5a2eb0fd61488e5d53a702056]
[SHA1: e4d20d82b32c69497fd06b1e619409e12d7ab7c5]
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.
Trojan-Downloader.
- Trojan-Spy.
Win32. Delf. kof (Kaspersky Lab) - Sus/Dropper-A (Sophos)
- MULDROP.
Trojan (DrWeb) - a variant of Win32/Spy.
Delf. FQWWMUD trojan (Nod32) - Gen:
Trojan. Heur. DP. wGW@aqXKoIci (BitDef7) - TrojanSpy.
Agent2!TODNf9R7x4A (VirusBuster) - Win32:
Malware-gen (AVAST) - Trojan.
Win32. CDur (Ikarus) - TR/Spy.
368640. 262 (AVIRA) - Infostealer (NAV)
- Suspicious_Gen2.
BZLCP (Norman) - Trojan.
Win32. Generic. 522B8F5D (Rising) - Trojan-Spy.
Win32. Delf. kof [AVP] (FSecure) - TrojanSpy.
Agent2!TODNf9R7x4A (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.