English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Trojan.Java.Agent.an

Detected Feb 16 2011 10:46 GMT
Released Feb 16 2011 16:34 GMT
Published Sep 08 2011 12:39 GMT

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a JAR-archive containing a set of Java-classes (class-files). 15661 bytes.


Payload

The malicious JAR-archive contains the following files:

Meta-inf\Manifest.mf (71 bytes)
a6a7a760c0e (145 bytes)

a.class (7594 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")

aa79d1019d8.class (4360 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")

a4cb9b1a8a5.class (3559 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")

a66d578f084.class (590 bytes)
ab16db71cdc.class (789 bytes)
ab5601d4848.class (1130 bytes)

ae28546890f.class (864 bytes; detected by Kaspersky Antivirus as "Trojan.Java.Agent.an")

af439f03798.class (6135 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")

The trojan is a Java-applet. It is launched from an infected HTML-page using the "<APPLET>"tag, for which a link to the downloadable file is transferred in encrypted form in the "a" parameter. After launching, the trojan uses the class "a" "__K" function to decode the link obtained using the following mappings for the input and output symbols:

Input symbols:

F#VD@YCR;LKU^ZBQ=&MGS!W%HP?TIK,,AN*J)O$X+E
Output symbols:
abcdefghij-klmnopqrstuvwxyz/.-::1234567890
The following substring is also attached to the unencrypted link:
?i=6
Using the link obtained, the trojan then downloads the file, saving it to the current user's temporary file directory as
%Temp%\google.exe
After successfully downloading the file, it is then launched for execution. The trojan only downloads and launches the file if the version of JRE (Java Runtime Environment) installed on the infected computer is between 1.5.0 and 1.6.0_18. If the version of JRE is between 1.6.0_19 and 1.6.0_21 and the "trigger" parameter transferred in the "<<APPLET>>"tag contains the "notie" or "isie" substrings, the following script will be launched using the "getAppletContext().showDocument" function:
javascript:JAVASKYLINE();


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following file:
    %Temp%\google.exe
  3. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: 989C5B5EADDF48010E62343D7A4DB6F4
SHA1: 18F8AE4E2B3ABC0C151E08E731AA9157C1DD08CA


Bookmark and Share
Share
Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Other versions