|Detected||Feb 16 2011 10:46 GMT|
|Released||Feb 16 2011 16:34 GMT|
|Published||Sep 08 2011 12:39 GMT|
A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a JAR-archive containing a set of Java-classes (class-files). 15661 bytes.
The malicious JAR-archive contains the following files:
Meta-inf\Manifest.mf (71 bytes) a6a7a760c0e (145 bytes) a.class (7594 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx") aa79d1019d8.class (4360 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx") a4cb9b1a8a5.class (3559 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx") a66d578f084.class (590 bytes) ab16db71cdc.class (789 bytes) ab5601d4848.class (1130 bytes) ae28546890f.class (864 bytes; detected by Kaspersky Antivirus as "Trojan.Java.Agent.an") af439f03798.class (6135 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")
The trojan is a Java-applet. It is launched from an infected HTML-page using the "<APPLET>"tag, for which a link to the downloadable file is transferred in encrypted form in the "a" parameter. After launching, the trojan uses the class "a" "__K" function to decode the link obtained using the following mappings for the input and output symbols:
abcdefghij-klmnopqrstuvwxyz/.-::1234567890The following substring is also attached to the unencrypted link:
?i=6Using the link obtained, the trojan then downloads the file, saving it to the current user's temporary file directory as
%Temp%\google.exeAfter successfully downloading the file, it is then launched for execution. The trojan only downloads and launches the file if the version of JRE (Java Runtime Environment) installed on the infected computer is between 1.5.0 and 1.6.0_18. If the version of JRE is between 1.6.0_19 and 1.6.0_21 and the "trigger" parameter transferred in the "<<APPLET>>"tag contains the "notie" or "isie" substrings, the following script will be launched using the "getAppletContext().showDocument" function:
If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.