Trojan-Downloader.Java.Agent.fl
From Total Malware Info
Last edited: 18.8.2010
This is an exploit program that targets two vulnerabilities in Sun Microsystems Java: CVE-2009-3867 and CVE-2008-5353. It is a Java class (class file), 9470 bytes in size.
Payload
The exploit is a specially crafted Java class that, when executed, exploits a vulnerability in the Java Virtual Machine. The vulnerability occurs when the Sun Java VM deserializes "Calendar" objects (CVE-2008-5353), and it allows an attacker to execute an applet with elevated privileges. The vulnerable components are: Java Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; Software Development Kit (SDK) and JRE 1.4.2_18 and earlier.
The malicious program also exploits a vulnerability that arises from improper handling of a parameter in the getSoundBank() function in Sun Java SE (CVE-2009-3867): JDK and JRE from version 5.0 to Update 22; JDK and JRE from version 6 to Update 17; SDK and JRE 1.3.x before 1.3.1_27; SDK and JRE 1.4.x before 1.4.2_24. Using this vulnerability, the Trojan attempts to download the file located at:
http://188.72.233.239/w/exe.exe
and save it in the current user's temporary files directory under the name:
%Temp%\pdfupd.exe
Then, the Trojan launches the downloaded file. At the time of writing, the link was not working.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
- Delete the original Trojan file (its location on the infected computer depends on how the program originally reached the victim machine).
- Update Sun Java JRE and JDK to the latest versions.
- Perform a full system scan using an antivirus product with up-to-date databases.
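To support the update step, the following Python script (an added example, not part of the original description) checks a legacy Sun Java version string against the affected ranges listed under Payload. The function names are hypothetical, the sample inputs are constructed, and reading the 5.0 "to 22" and 6 "to 17" bounds as the first fixed updates is an assumption.

```python
import re

# Affected ranges from the description above, keyed by Java family
# (major, minor). The value is the first (micro, update) NOT affected.
RANGES = {
    # "Update N and earlier" means the first unaffected update is N + 1.
    "CVE-2008-5353": {(1, 6): (0, 11), (1, 5): (0, 17), (1, 4): (2, 19)},
    # Assumption: "to 22" and "to 17" are read as the first fixed updates,
    # in line with the explicit "before 1.3.1_27" / "before 1.4.2_24".
    "CVE-2009-3867": {(1, 6): (0, 17), (1, 5): (0, 22),
                      (1, 4): (2, 24), (1, 3): (1, 27)},
}

# Legacy Sun version strings look like 1.6.0_10 or 1.5.0_16-b02.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) or None if nothing parses."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, micro, int(m.group(4) or 0)


def affected_cves(text):
    """List the CVEs from this description whose range covers the version."""
    version = parse_java_version(text)
    if version is None:
        raise ValueError(f"no Java version found in {text!r}")
    family, build = version[:2], version[2:]
    hits = []
    for cve, table in RANGES.items():
        first_fixed = table.get(family)
        if first_fixed is not None and build < first_fixed:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, e.g. the first line of `java -version`.
    for sample in ('java version "1.6.0_10"', "1.6.0_16", "1.4.2_19",
                   "1.3.1_20", "1.6.0_17", "17.0.2"):
        print(f"{sample:28} -> {affected_cves(sample) or 'not in listed ranges'}")
```

A version outside every listed family, such as a modern 17.0.2 build, returns an empty list rather than an error.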