
Exploit.Java.CVE-2010-0840.c

Detected Feb 28 2011 10:44 GMT
Released Feb 28 2011 16:13 GMT
Published Apr 22 2011 09:00 GMT


Technical Details

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Java class file. It is 5721 bytes in size.


Payload

The malware is a component of a Trojan downloader and includes a class file named "sportGame", which downloads a file from a URL passed to it as a parameter and then launches the downloaded file. The downloaded file is saved in the current user's temporary files directory as

%Temp%\<rnd>.exe

where <rnd> is a random fractional decimal number between 0 and 1. Before downloading, the malware checks the name of the OS installed on the infected system; if the OS is not Windows, no download takes place.

The Trojan is a Java applet. It is launched from an infected HTML page by an "<APPLET>" tag, and the encrypted link to the downloadable file is passed to the applet in a parameter named "kids".

As well as the above-mentioned class file, the Trojan contains class files named "lipa" and "portland". The "lipa" class file includes the "loipo" function, which is used to decrypt the link to the downloadable file. The "portland" class file contains code designed to exploit a vulnerability (CVE-2010-0840); JDK and JRE 6 Update 18 and earlier are vulnerable. The vulnerability is caused by improper verification when privileged methods are executed in the Java Runtime Environment, which allows a malicious user to execute arbitrary code by means of a specially crafted object that is a subclass of a trusted class.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Install the latest versions of Sun Java JRE and JDK.
  2. Delete the following file:
    %Temp%\<rnd>.exe
  3. Empty the Temporary Internet Files folder, which may contain infected files:
    %Temporary Internet Files%
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
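The two host-side indicators this description gives, an "<APPLET>" tag carrying a "kids" parameter and a dropped file named after a random fraction in %Temp%, can be checked with a short script. The following is an added example, not Kaspersky Lab's code; the HTML snippet, the %Temp% listing and the "hypothetical-encrypted-string" value are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an infected HTML page (not a real capture): the applet
# receives the encrypted download link in a <param> named "kids".
SAMPLE_HTML = """<html><body>
<applet code="sportGame.class" archive="plugin.jar" width="1" height="1">
  <param name="kids" value="hypothetical-encrypted-string">
</applet>
<applet code="Game.class"><param name="level" value="3"></applet>
</body></html>"""

# Constructed %Temp% directory listing (not taken from a real system).
SAMPLE_TEMP_LISTING = ["0.8246731529.exe", "0.31337.exe", "setup.exe",
                       "0.5.tmp", "readme.txt", "5.0E-4.exe"]

# Java's Math.random() printed with Double.toString() gives "0.8246731529";
# values below 1e-3 are printed in exponent form such as "5.0E-4", so match both.
TEMP_NAME_RE = re.compile(r"^(?:0\.\d+|\d\.\d+E-\d+)\.exe$", re.IGNORECASE)


class AppletParamScanner(HTMLParser):
    """Collect <applet> tags that contain a <param name="kids"> child."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lower-cases tag and attribute names
        if tag == "applet":
            self._current = {"code": a.get("code"), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][(a.get("name") or "").lower()] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            if "kids" in self._current["params"]:
                self.hits.append(self._current)
            self._current = None


def find_suspicious_applets(html):
    """Return the applet tags (code attribute and params) that carry a 'kids' param."""
    scanner = AppletParamScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def find_dropped_files(names):
    """Return file names matching the %Temp%\\<rnd>.exe naming pattern."""
    return [n for n in names if TEMP_NAME_RE.match(n)]
```

A match on either check is a prompt to investigate, not proof of infection; unrelated pages may legitimately use a parameter named "kids".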

MD5: 03A7A51808D6C73A64FF954F15B5D029

SHA1: 875DDB83F1EEC85816EC1E36DF1616B5D0151A2E


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.Java.CVE-2010-0840.c (Kaspersky Lab) is also known as:

  • Troj/JavaBz-G (Sophos)
  • Troj/JavaBz-L (Sophos)
  • Exploit:Java/CVE-2010-0840.BJ (MS(OneCare))
  • Exploit.Java.179 (DrWeb)
  • Java/TrojanDownloader.OpenStream.NBI trojan (Nod32)
  • Exploit.Java.CVE-2010-0840 (Ikarus)
  • Win32.SuspectCrc (Ikarus)
  • Exploit.Java (AVG)
  • JAVA/Agent.JG (AVIRA)
  • plugin/sportGame.class <<< JAVA/Agent.JG (AVIRA)
  • Trojan Horse (NAV)
  • JAVA_OBFUS.ZOF (TrendMicro)