Exploit.Java.CVE-2010-4452.a
From Total Malware Info
Last edited: 18.9.2011
The malicious program is an exploit that uses the vulnerability CVE-2010-4452 in the Sun Java Runtime Environment (JRE) shipped with Oracle Java SE (up to version 6 Update 23) to download files from the Internet and execute them on the infected machine. It is a Java class (class file). Its size is 3,570 bytes.
MD5: 388B61750499659F8339F0FB6FDCA7A4
SHA1: 0E60E6009B58331BF7E91329E0E4D33D0D33B803
Payload
The malware class "options" is an implementation of a Java applet designed to download files from the URLs passed to it and to launch the downloaded files. It is launched from an infected HTML page by means of the "<APPLET>" tag. The list of URLs is passed to the malicious applet as the tag parameter "uid" in encrypted form. Links in this list are separated by the ";" symbol. Once launched, the exploit decrypts the received links using the function "sicqsicT" declared in the malware class. During decoding, the following correspondence between input and output symbols is used (each input symbol is replaced by the output symbol at the same position):
Input symbols:
7It?w8HBF45P:v6Z3ihx1bTlsr.OEcRU2aY&m=_Dy#kSN/-fp;dVWgQJjAenC9M%zXKG0qLou
Output symbols:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;
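The two alphabets above describe a fixed 73-symbol substitution, so an analyst can recover the download list from a captured "uid" parameter without running the applet. The following Python is an added example written for this description; it is not code from the malware or from the original page. It assumes that the ";" separator is present in the decoded text (so the whole value is decoded first and then split), that the parameter is carried in a `<param name="uid" value="...">` element, and the sample applet tag and URLs are constructed for the demonstration.

```python
import re

# Substitution alphabets as listed in the description: a ciphertext symbol at
# position i decodes to the plaintext symbol at the same position i.
CIPHER_ALPHABET = "7It?w8HBF45P:v6Z3ihx1bTlsr.OEcRU2aY&m=_Dy#kSN/-fp;dVWgQJjAenC9M%zXKG0qLou"
PLAIN_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#;"

# Sanity checks on the table: equal length and no repeated ciphertext symbol,
# i.e. the mapping is a permutation and every decoding is unambiguous.
assert len(CIPHER_ALPHABET) == len(PLAIN_ALPHABET) == 73
assert len(set(CIPHER_ALPHABET)) == 73

DECODE_TABLE = str.maketrans(CIPHER_ALPHABET, PLAIN_ALPHABET)
# Inverse table, used only to build a constructed sample for this example.
ENCODE_TABLE = str.maketrans(PLAIN_ALPHABET, CIPHER_ALPHABET)


def decode_uid(value: str) -> list:
    """Decode an encrypted 'uid' value and split it into individual links.

    Symbols outside the table are left untouched by str.translate(), which
    makes unexpected characters visible in the output instead of crashing.
    Assumption: the ';' separator belongs to the decoded text, so the value
    is decoded as a whole and split afterwards.
    """
    decoded = value.translate(DECODE_TABLE)
    return [link for link in decoded.split(";") if link]


# Hypothetical layout of the parameter inside the applet tag (assumption).
PARAM_RE = re.compile(r'<param\s+name="uid"\s+value="([^"]*)"', re.IGNORECASE)


def extract_uid_params(html: str) -> list:
    """Return every raw 'uid' parameter value found in an HTML fragment."""
    return PARAM_RE.findall(html)


def links_from_html(html: str) -> list:
    """Decode all 'uid' parameters in an HTML fragment into a flat link list."""
    links = []
    for raw in extract_uid_params(html):
        links.extend(decode_uid(raw))
    return links


# Constructed sample: two placeholder URLs encoded with the inverse table and
# wrapped in an applet tag. Not taken from a real infected page.
SAMPLE_LINKS = ["http://example.invalid/a.exe", "http://example.invalid/b.exe"]
SAMPLE_UID = ";".join(SAMPLE_LINKS).translate(ENCODE_TABLE)
SAMPLE_HTML = (
    '<applet code="options.class" width="1" height="1">'
    f'<param name="uid" value="{SAMPLE_UID}"></applet>'
)

if __name__ == "__main__":
    print("encoded uid :", SAMPLE_UID)
    for link in links_from_html(SAMPLE_HTML):
        print("decoded link:", link)
```

A quick way to check the table by hand: the ciphertext "iccrzMM" decodes to "http://", and because ";" itself is part of the plaintext alphabet, the separator appears in the encoded value as the letter "u". Decoded links can then be fed to block lists or compared against proxy logs.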
The malicious applet uses the vulnerability CVE-2010-4452 for the purpose of downloading files from the Internet to the infected computer. This vulnerability allows an attacker to bypass the security settings of the Java sandbox and execute malicious code on a vulnerable system. The downloaded files are stored under random names in the temporary folder of the current user, "%Temp%":
%Temp%\<rnd>.exe
where <rnd> is a random fractional decimal number between 0 and 1.
This file is launched after the successful download.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the following files:
%Temp%\<rnd>.exe
2. Update Sun Java JRE to the latest version.
3. Perform a full system scan with an antivirus with updated databases.
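Step 1 asks for files named after a random fraction in the user's temporary folder, so a listing that flags only names of that shape helps an analyst review what to delete. The Python below is an added example for this description, not a tool from the original page. It assumes the random fraction is rendered the way Java prints a double in [0, 1), i.e. "0.<digits>" or, for very small values, scientific notation such as "1.0E-4"; the directory listing it checks is constructed for the demonstration, and the function that reads the real temp folder is read-only.

```python
import os
import re
from pathlib import Path

# Assumed name shape: a decimal fraction, optionally in Java-style scientific
# notation, followed by ".exe" (e.g. "0.8431625.exe" or "1.0E-4.exe").
RND_EXE_RE = re.compile(r"^\d+\.\d+(?:E-?\d+)?\.exe$", re.IGNORECASE)


def is_suspicious_name(name: str) -> bool:
    """True when a file name matches the %Temp%\\<rnd>.exe pattern."""
    return bool(RND_EXE_RE.match(name))


def find_candidates(names) -> list:
    """Filter an iterable of file names down to the matching ones, sorted."""
    return sorted(n for n in names if is_suspicious_name(n))


def scan_temp_dir(temp_dir=None) -> list:
    """List candidate files in the temp folder without modifying anything.

    The folder comes from TEMP/TMP (Windows) and falls back to /tmp; pass a
    path explicitly to scan somewhere else. Deletion is left to the reviewer.
    """
    root = Path(temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp")
    if not root.is_dir():
        return []
    return find_candidates(p.name for p in root.iterdir() if p.is_file())


# Constructed listing for the demonstration; not a real directory.
SAMPLE_LISTING = [
    "0.8431625.exe",   # matches: fraction + .exe
    "0.03.exe",        # matches
    "1.0E-4.exe",      # matches: scientific notation of a small fraction
    "setup.exe",       # ordinary installer, not flagged
    "0.5.tmp",         # right name shape but wrong extension
    "~DF3A1.tmp",      # typical temp file, not flagged
    "report.docx",
]

if __name__ == "__main__":
    for name in find_candidates(SAMPLE_LISTING):
        print("candidate:", name)
    print("in real temp dir:", scan_temp_dir())
```

The listing is meant as input to a manual review: a name match alone is weak evidence, so confirm candidates against the file's hash, creation time and the Java process activity in the browser session before removal.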