The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Feb 24 2011 10:58 GMT
Released Feb 24 2011 15:37 GMT
Published Mar 25 2011 11:47 GMT

Technical Details
Removal instructions

Technical Details

This Trojan exploits a vulnerability in Oracle Java SE (CVE-2010-0840) to execute a random code on a vulnerable system. It is a Java class file. It is 6592 bytes in size.


A malicious Java applet is activated after an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag for which the application's main class is indicated as one of parameters:

The JAR archive contains this malicious class:
as well as the "pid" parameter value containing an encrypted link. The exploit uses a vulnerability that enables the malicious applet to call privileged methods without a proper security check (CVE-2010-0840). This is how the exploit can execute a random code on the vulnerable system. Oracle Java SE and Java for Business are vulnerable:
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 6.0, 18th update and earlier versions for Windows, Solaris and Linux;
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0, 23rd update and earlier versions for Solaris;
  • Software Development Kit (SDK) 1.4.2, 25th update and earlier versions for Solaris.

After exploiting this vulnerability, the malware decrypts the link and uses it to download a file. The downloaded file is saved in the current user's temporary files directory under the name:

where rnd is a random fractional number, for example, "0.8608151138918041" or "0.6955395946128761". The executable file is then launched for execution.

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Update Oracle Java JRE and JDK to the latest versions.
  3. Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

[MD5: 3dbebab0fa1b98e1ea72174562734629]
[SHA1: ab07e2ed064897c562870cc8628aa3a445e06a58]

Bookmark and Share

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.

Other versions