Detected: Feb 24 2011 10:58 GMT
Released: Feb 24 2011 15:37 GMT
Published: Mar 25 2011 11:47 GMT
This Trojan exploits a vulnerability in Oracle Java SE (CVE-2010-0840) to execute arbitrary code on a vulnerable system. It is a Java class file, 6592 bytes in size.
The malicious Java applet is activated when an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag whose attributes name the applet's main class:

code='setup.lang.class'

and the JAR archive that contains this malicious class:

archive='tetris.jar'

The tag also carries a "pid" parameter whose value is an encrypted link. The exploit abuses a vulnerability that lets the malicious applet call privileged methods without a proper security check (CVE-2010-0840); this is how the exploit escapes the applet sandbox and executes arbitrary code on the vulnerable system. Oracle Java SE and Java for Business are vulnerable:

Note that CVE-2010-0840 was fixed in Oracle's Java SE Critical Patch Update of March 2010, almost a year before this sample was detected; a JRE kept current at that time is not affected, so the exploit relies on the victim running an outdated Java plug-in.
After exploiting this vulnerability, the malware decrypts the link and uses it to download a file. The downloaded file is saved in the current user's temporary files directory under the name:

%Temp%\<rnd>.exe

where rnd is a random fractional number between 0 and 1, written out with its full precision, for example "0.8608151138918041" or "0.6955395946128761". The downloaded executable is then launched.
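The two indicators described above, the "<applet>" tag with its "pid" parameter and the "%Temp%\<rnd>.exe" drop name, are enough to write a small triage check. The following Python is an added example by the editor, not part of the original description and not Kaspersky's detection logic; the sample HTML page and the %Temp% directory listing are constructed to imitate what the text describes, and the heuristics (flagging a "pid" parameter that is not a plain URL, and a main class named as a ".class" file) are the editor's assumptions about what distinguishes this delivery page from a benign applet.

```python
import re
from html.parser import HTMLParser

# Constructed sample page imitating the delivery described above (not a real capture).
SAMPLE_HTML = """<html><body>
<applet code='setup.lang.class' archive='tetris.jar' width=1 height=1>
  <param name='pid' value='ZXhhbXBsZQ==' />
</applet>
<applet code="com.example.Viewer" archive="viewer.jar"></applet>
</body></html>"""

# Constructed listing of %Temp% after the dropper ran (not a real capture).
SAMPLE_TEMP_LISTING = [
    "0.8608151138918041.exe",
    "0.6955395946128761.exe",
    "~DF3A1B.tmp",
    "setup.log",
    "0.5.exe",                  # too short to be a full-precision random double
    "1.2345678901234567.exe",   # not in [0, 1)
]


class AppletCollector(HTMLParser):
    """Collect every <applet> tag with its attributes and nested <param> tags."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def suspicious_applets(html):
    """Return applets matching the delivery pattern from the description:
    a 'pid' parameter whose value is not a plain URL (the text says it carries
    an encrypted link), or a main class given as a '.class' file name.
    Both heuristics are the editor's assumptions, not the vendor's rules."""
    parser = AppletCollector()
    parser.feed(html)
    hits = []
    for applet in parser.applets:
        code = applet["attrs"].get("code", "")
        pid = applet["params"].get("pid")
        reasons = []
        if pid is not None and not re.match(r"^https?://", pid):
            reasons.append("pid param with non-URL (likely encoded) value")
        if code.endswith(".class"):
            reasons.append("main class given as '.class' file name")
        if reasons:
            hits.append({"code": code,
                         "archive": applet["attrs"].get("archive", ""),
                         "reasons": reasons})
    return hits


# The samples on the page ("0.8608151138918041") look like a random double in
# [0, 1) printed in full; Java's Double.toString emits at most 17 significant
# digits, so require a "0." prefix and a long run of digits before ".exe".
DROPPED_NAME = re.compile(r"^0\.\d{10,17}\.exe$", re.IGNORECASE)


def dropped_files(listing):
    """Return file names in a %Temp% listing that match the drop-name pattern."""
    return [name for name in listing if DROPPED_NAME.match(name)]


if __name__ == "__main__":
    for hit in suspicious_applets(SAMPLE_HTML):
        print("suspicious applet:", hit)
    print("dropped executables:", dropped_files(SAMPLE_TEMP_LISTING))
```

Run it as a script to see the single flagged applet (code='setup.lang.class', archive='tetris.jar') and the two "%Temp%" names that fit the pattern; the benign second applet and the two near-miss file names are left alone. On a real host, feed `dropped_files` the contents of the user's temporary directory and `suspicious_applets` the cached HTML from the browser cache.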
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

Terminate the downloaded executable (%Temp%\<rnd>.exe, see above) if it is running, delete it, and clear the browser cache folder that holds the malicious applet:

%Temporary Internet Files%
Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.
Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.
A notable subclass of exploits is the nuker: such programs send specially crafted requests to local or remote computers, causing the targeted system to crash.