Internet threat level: 1
Home→Descriptions→Exploit.Java.CVE-2010-0840.b
Exploit.Java.CVE-2010-0840.b
| Detected | Feb 24 2011 10:58 GMT |
| Released | Feb 24 2011 15:37 GMT |
| Published | Mar 25 2011 11:47 GMT |
Payload
Removal instructions
Technical Details
This Trojan exploits a vulnerability in Oracle Java SE (CVE-2010-0840) to execute a random code on a vulnerable system. It is a Java class file. It is 6592 bytes in size.
Payload
A malicious Java applet is activated after an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag for which the application's main class is indicated as one of parameters:
code='setup.lang.class'The JAR archive contains this malicious class:
archive='tetris.jar'as well as the "pid" parameter value containing an encrypted link. The exploit uses a vulnerability that enables the malicious applet to call privileged methods without a proper security check (CVE-2010-0840). This is how the exploit can execute a random code on the vulnerable system. Oracle Java SE and Java for Business are vulnerable:
- Java Development Kit (JDK) and Java Runtime Environment (JRE) 6.0, 18th update and earlier versions for Windows, Solaris and Linux;
- Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0, 23rd update and earlier versions for Solaris;
- Software Development Kit (SDK) 1.4.2, 25th update and earlier versions for Solaris.
After exploiting this vulnerability, the malware decrypts the link and uses it to download a file. The downloaded file is saved in the current user's temporary files directory under the name:
%Temp%\<rnd>.exewhere rnd is a random fractional number, for example, "0.8608151138918041" or "0.6955395946128761". The executable file is then launched for execution.
Removal instructions
If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
- Update Oracle Java JRE and JDK to the latest versions.
- Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
%Temporary Internet Files%
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
[MD5: 3dbebab0fa1b98e1ea72174562734629]
[SHA1: ab07e2ed064897c562870cc8628aa3a445e06a58]
Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.
Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.
Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.