Exploit.Java.CVE-2010-0840.ay
From Total Malware Info
Last edited: 17.7.2011
The malicious program is an exploit that uses a vulnerability in the JRE (Java Runtime Environment) to download other malicious programs from the Internet and execute them on the infected machine. It is a JAR archive that contains a collection of Java classes (class files). Its size is 10,034 bytes.
MD5: 383133B52FFF57FB7B736082751D36F5
SHA1: 48A6F8FBD79740BDCFE637076FAAD21B26523442
Payload
The malicious JAR-archive contains the following files:
MessageStack\QueryConstructor.class (490 bytes)
MessageStack\QueryFromMessage.class (599 bytes)
MessageStack\StringPack.class (1320 bytes)
MessageStack\TemplateMessage.class (2047 bytes)
MessageStack\TextMessage.class (571 bytes)
xmlTools\Container.class (3756 bytes)
xmlTools\Translator.class (552 bytes)
xmlTools\xml2html.class (5203 bytes)
xmlTools\XmlConstruct.class (2784 bytes)
The malware is a Java applet (the main applet class is "xml2html") designed to download files from the URLs passed to it and to launch the downloaded files. It is launched from an infected HTML page by means of the "<APPLET>" tag. The list of URLs is passed to the malicious applet in encrypted form as the tag parameter "prm". Links in this list are separated by the symbols "::". Once launched, the exploit decrypts the received links using the function "name" declared in the "StringPack" class. During decoding, the following correspondence between input and output symbols is used (each input symbol is replaced by the output symbol at the same position):
Input symbols:
QOn7cZAVmK/G4WuBqfLxj1_tlE8PTrpN2Y3:MUa=&5oRi%y?9DHv-Cgwkh60b.FdeSI#zJXs
Output symbols:
aDLXq-_.mjnWN6fwcsKB?xbITS=CykGvd91Z:%ElR5po0rzA8/JYP72#ue&t4iQFhVU3OMgH
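As an added example for triage (not code from the sample or from the original description), the substitution above implemented as a decoder for the "prm" parameter. The two alphabets are taken from the table; the function names, the constructed sample URLs, passing untabulated characters through unchanged, and splitting on "::" after decoding are assumptions.

```python
"""Decoder for the character-substitution obfuscation used for the "prm" parameter.

Added analyst example. Only the two 72-character alphabets come from the
description; function names, the sample URLs, the handling of characters not
in the table and the point at which "::" is split are assumptions.
"""

# Input (obfuscated) alphabet and output (clear) alphabet, position for position.
INPUT_SYMBOLS = "QOn7cZAVmK/G4WuBqfLxj1_tlE8PTrpN2Y3:MUa=&5oRi%y?9DHv-Cgwkh60b.FdeSI#zJXs"
OUTPUT_SYMBOLS = "aDLXq-_.mjnWN6fwcsKB?xbITS=CykGvd91Z:%ElR5po0rzA8/JYP72#ue&t4iQFhVU3OMgH"
assert len(INPUT_SYMBOLS) == len(OUTPUT_SYMBOLS) == 72

# Monoalphabetic substitution: an obfuscated character maps to the clear
# character at the same index. The inverse table is only used to build samples.
DECODE_TABLE = str.maketrans(INPUT_SYMBOLS, OUTPUT_SYMBOLS)
ENCODE_TABLE = str.maketrans(OUTPUT_SYMBOLS, INPUT_SYMBOLS)

SEPARATOR = "::"  # from the description; assumed to apply to the decoded text


def decode_text(obfuscated: str) -> str:
    """Apply the substitution. Characters outside the table are kept as-is
    (assumption: the description does not say how the applet treats them)."""
    return obfuscated.translate(DECODE_TABLE)


def encode_text(clear: str) -> str:
    """Inverse substitution, used here only to construct sample input."""
    return clear.translate(ENCODE_TABLE)


def decode_prm(prm: str) -> list[str]:
    """Recover the URL list carried in the applet's "prm" parameter."""
    return [url for url in decode_text(prm).split(SEPARATOR) if url]


def unknown_symbols(obfuscated: str) -> set[str]:
    """Characters the table cannot decode; worth flagging during triage."""
    return {c for c in obfuscated if c not in INPUT_SYMBOLS}


if __name__ == "__main__":
    # Constructed sample: two fake URLs obfuscated with the inverse table.
    clear = "http://example.invalid/a.exe::http://example.invalid/b.dll"
    sample_prm = encode_text(clear)
    print("prm value:", sample_prm)
    for url in decode_prm(sample_prm):
        print("decoded  :", url)
```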
Then the exploit checks the name of the operating system installed on the infected computer. If the OS is not Windows, the exploit terminates. Otherwise, it downloads files from the received URLs. The malware determines the type of each downloaded file (executable file or DLL). The downloaded files are stored under random names in the temporary folder of the current user ("%Temp%"):
%Temp%\<rnd>.exe
or
%Temp%\<rnd>.dll
where <rnd> is a random fractional decimal number between 0 and 1.
After successful downloading, an executable file is launched directly. A downloaded DLL is launched using the system utility "regsvr32.exe":
regsvr32 -s %Temp%\<rnd>.dll
During its work, the exploit uses the vulnerability CVE-2010-0840 in the JRE (Java Runtime Environment). The vulnerability is related to improper checks when executing privileged methods in the Java Runtime Environment, which allows attackers to execute arbitrary code via an untrusted object that extends a trusted class but has not modified a certain method. This allows the malicious applet to inherit and use methods that are not available to a Java applet class, which is a subclass of the non-privileged "Applet" class.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
2. Delete the following files:
%Temp%\<rnd>.exe
%Temp%\<rnd>.dll
3. Update Sun Java JRE and JDK to the latest versions.
4. Clear the Temporary Internet Files directory, which may contain infected files.
5. Perform a full system scan with an antivirus with updated databases.