English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Exploit.JS.CVE-2010-4452.t

Detected Jul 01 2011 01:50 GMT
Released Jul 01 2011 03:55 GMT
Published Sep 19 2011 07:13 GMT

Technical Details
Payload
Removal instructions

Technical Details

The trojan contains a function that allows it to launch certain malicious scripts, as well as Java-applets, using the vulnerability CVE-2010-4452 to download other malware to the infected computer. It is a HTML-document, containing Java Script. Depending on the version, it may be between 922 and 1648 bytes.


Payload

After launching the malicious HTML-document, using Java Script tools, it is decoded and a code is recorded in its body which carries out the following actions:

  • it launches a script, the location of which depends on the version of the trojan:
    http://www.anr***ezrs.net/placeholder-4211928?target=_top&mouseover=Y
    http://www.anr***ezrs.net/placeholder-4211915?target=_top&mouseover=Y
    http://www.anr***ezrs.net/placeholder-4211938?target=_top&mouseover=Y
    http://www.k***yfj.com/placeholder-4211931?target=_top&mouseover=Y
    
  • Using the "<APPLET>" tag, it launches the Java-applet. Depending on the trojan version, the name of the JAR-archive containing the applet may be changed:
    track2.xar
    voke.xar 
    
    The class implementing the applet code may be named as follows:
    vmain
    main
    
  • It launches the applet, the class-file for which is located at the following address:
    http://142***19175/j
The launched Java-applets use the vulnerability CVE-2010-4452 in the "Deployment" component in the Java Runtime Environment (JRE) in Oracle Java SE (up to version 6, update 23) to download the file to the infected computer.


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Update the JRE to the latest version.
  3. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


Bookmark and Share
Share
Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.