Exploit.Java.Agent.ca

From Total Malware Info

The description for Exploit.Java.Agent.ca was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.
Last edited: 2.4.2011

The malicious program is an exploit that uses a vulnerability in Sun Java JRE and JDK to download files from the Internet and execute them on the infected machine. It consists of three Java classes (class files) with sizes of 12,447, 3,047 and 3,158 bytes.

MD5: B27FAF4A90CAEF7441BD0B912BB08A0A

SHA1: B2F11840E1C315D1D7BA82CA1F4FAF39B0C0098D

MD5: 8D36BDBFB548E1196E7CEA669428B2DD

SHA1: 9D49C8347E4FCE75FF34F2BB452A9A07C3439848

MD5: 63D23DA6EA900A12A0139BC5B1B56F8F

SHA1: 195F0303A1B9E22D82919BA7DFE83AD90B4565A5


Payload

The malware is implemented as three classes with the following names:

Changes
MyBuilds
MyFiles

Once launched, the trojan exploits the vulnerability CVE-2008-5353. JDK and JRE 6.0 Update 10 and earlier are affected by this vulnerability. The vulnerability occurs during deserialization of "Calendar" objects in the Sun Java VM and allows remote attackers to run untrusted applets and applications in a privileged context. The exploit then downloads a file from the URL passed to it and launches that file once the download succeeds. The downloaded file is stored under a random name in the temporary folder of the current user, "%Temp%":

%Temp%\<rnd>.exe

where <rnd> is a random fractional decimal number between 0 and 1. The file will not be downloaded if the operating system on the victim's computer is not Windows.

The malware is a Java applet. It is launched from an infected HTML page using the "<APPLET>" tag. The URL is passed to the malicious applet through the tag parameters "data" and "cc". The parameter "cc" specifies the number of iterations of the download cycle. The URL for downloading each file is composed as follows:

URL = data + i,

where URL is the link for downloading the next file;

data is the value of the tag parameter "data";

i is an integer decimal number, 0 <= i < cc;

cc is the value of the tag parameter "cc".
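To extract indicators from a captured landing page without running the applet, the following Python script (an added example, not part of the original description) parses the "data" and "cc" parameters of the <APPLET> tag and rebuilds the list of URLs the applet would request using the URL = data + i rule above. The sample HTML, the host example.invalid, the query string and the class name Agent.class are constructed placeholders, not indicators taken from the page.

```python
"""Triage helper (added example): list the download URLs an
Exploit.Java.Agent.ca applet would build from the "data" and "cc"
parameters of its <APPLET> tag, so indicators can be pulled from a
captured landing page without executing the applet."""
from html.parser import HTMLParser


class AppletParamParser(HTMLParser):
    """Collects <param name=... value=...> pairs for every <applet> on a page."""

    def __init__(self):
        super().__init__()
        self.applets = []      # one dict per applet: {"attrs": {...}, "params": {...}}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self._current = {"attrs": dict(attrs), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            a = dict(attrs)
            name = (a.get("name") or "").lower()
            if name:
                self._current["params"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def expected_download_urls(applet):
    """Rebuild URL = data + i for 0 <= i < cc, as the description states.
    Returns [] when a parameter is missing or cc is not a valid integer."""
    params = applet["params"]
    data = params.get("data")
    cc = params.get("cc")
    if data is None or cc is None:
        return []
    try:
        count = int(cc)
    except ValueError:
        return []
    return [data + str(i) for i in range(max(count, 0))]


def extract_indicators(html):
    """Return (applet 'code' attributes, expected download URLs) for a page."""
    parser = AppletParamParser()
    parser.feed(html)
    classes = [a["attrs"].get("code", "") for a in parser.applets]
    urls = []
    for a in parser.applets:
        urls.extend(expected_download_urls(a))
    return classes, urls


# Constructed sample landing page: host, query string and class name are
# placeholders chosen for this example, not values from the description.
SAMPLE_HTML = """
<html><body>
<applet code="Agent.class" width="1" height="1">
  <param name="data" value="http://example.invalid/load?n=">
  <param name="cc" value="3">
</applet>
</body></html>
"""

if __name__ == "__main__":
    classes, urls = extract_indicators(SAMPLE_HTML)
    print("applet classes:", classes)
    for u in urls:
        print("would fetch:", u)
```

Run it against a saved copy of the infected page; the printed URLs are the values to block at the proxy and search for in web logs, and the script never contacts them itself.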

Removal Instructions

If your computer was not protected by an antivirus and became infected with this malware, follow these steps to remove it:

1. Update Sun Java JRE and JDK to the latest versions.

2. Delete the following files:

%Temp%\<rnd>.exe

3. Clear the Temporary Internet Files directory, which may contain infected files.

4. Perform a full system scan with an antivirus with updated databases.
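As an added example supporting steps 2 and 3 (not part of the original description), this Python script reports, without deleting anything, files in the temp folder whose name follows the %Temp%\<rnd>.exe scheme, and compares any .class file under a cache directory against the three class-file sizes and hashes listed above. The directory layout and file contents in demo_sweep() are constructed; the page does not say which hash pair corresponds to which file size, so the script checks sizes and hashes independently and treats a size-only match as weak.

```python
"""Post-infection sweep (added example): flag files named like
"%Temp%\\<rnd>.exe" and .class files matching the listed indicators.
Only reports; never modifies the filesystem."""
import hashlib
import re
import tempfile
from pathlib import Path

# <rnd> is a random fractional decimal between 0 and 1, so the dropped file
# is named like "0.<digits>.exe". Anchored and case-insensitive.
DROPPED_EXE_RE = re.compile(r"^\d\.\d+\.exe$", re.IGNORECASE)

# Indicators exactly as listed on the page. The page does not state which
# hash pair belongs to which size, so each set is checked on its own.
KNOWN_SIZES = {12447, 3047, 3158}
KNOWN_MD5 = {
    "b27faf4a90caef7441bd0b912bb08a0a",
    "8d36bdbfb548e1196e7cea669428b2dd",
    "63d23da6ea900a12a0139bc5b1b56f8f",
}
KNOWN_SHA1 = {
    "b2f11840e1c315d1d7ba82ca1f4faf39b0c0098d",
    "9d49c8347e4fce75ff34f2bb452a9a07c3439848",
    "195f0303a1b9e22d82919ba7dfe83ad90b4565a5",
}


def is_dropped_exe_name(name):
    """True if a file name matches the <rnd>.exe scheme."""
    return DROPPED_EXE_RE.match(name) is not None


def hash_verdict(data):
    """'both', 'md5' or 'sha1' if the bytes match a listed class-file hash, else None."""
    md5_hit = hashlib.md5(data).hexdigest() in KNOWN_MD5
    sha1_hit = hashlib.sha1(data).hexdigest() in KNOWN_SHA1
    if md5_hit and sha1_hit:
        return "both"
    if md5_hit:
        return "md5"
    if sha1_hit:
        return "sha1"
    return None


def sweep(temp_dir, cache_dir=None):
    """Return a list of (path, reason) findings for the analyst to review."""
    findings = []
    for entry in Path(temp_dir).iterdir():
        if entry.is_file() and is_dropped_exe_name(entry.name):
            findings.append((str(entry), "name matches %Temp%\\<rnd>.exe scheme"))
    if cache_dir is not None:
        for entry in Path(cache_dir).rglob("*.class"):
            data = entry.read_bytes()
            verdict = hash_verdict(data)
            if verdict:
                findings.append((str(entry), f"hash matches listed class file ({verdict})"))
            elif len(data) in KNOWN_SIZES:
                findings.append((str(entry), "size matches a listed class file (weak)"))
    return findings


def demo_sweep():
    """Run sweep() over a constructed directory layout and return the
    matched file names with reasons, so the behaviour can be seen offline."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = Path(root) / "Temp"
        cache_dir = Path(root) / "cache"
        temp_dir.mkdir()
        cache_dir.mkdir()
        (temp_dir / "0.7215643.exe").write_bytes(b"MZ constructed")  # matches scheme
        (temp_dir / "setup.exe").write_bytes(b"MZ constructed")      # ordinary name
        # Constructed 3,047-byte class file: size-only (weak) indicator match.
        (cache_dir / "a.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\0" * 3043)
        (cache_dir / "b.class").write_bytes(b"\xca\xfe\xba\xbe")     # no indicator
        return sorted((Path(p).name, reason) for p, reason in sweep(temp_dir, cache_dir))


if __name__ == "__main__":
    # tempfile.gettempdir() resolves to %Temp% on Windows.
    for path, reason in sweep(tempfile.gettempdir()):
        print(f"{path}: {reason}")
    print(demo_sweep())
```

Pass the Java cache or Temporary Internet Files directory as cache_dir to cover step 3; review the findings, then delete the confirmed files and run the full antivirus scan from step 4.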
