Trojan-Downloader.Java.OpenConnection.er
From Total Malware Info
Last edited: 31.7.2011
The malicious program is an exploit that uses a vulnerability in Sun Java JRE and JDK to download files from the Internet and execute them on the infected machine. It is a JAR archive containing a collection of Java classes (.class files). Its size is 18,043 bytes.
MD5: B128448CE2DEC747EC806A47800F7100
SHA1: 82961301732E8AF889BDB1B7E50197C8B433BC5B
Payload
The malicious JAR archive contains the following files:
bingo\chugun.class (365 bytes)
bingo\dipler.class (1,394 bytes)
bingo\efir.class (17,766 bytes; this is the class detected by Kaspersky Anti-Virus as "Trojan-Downloader.Java.OpenConnection.er")
bingo\haskalu.class (2,532 bytes)
bingo\kipoltyrew.class (856 bytes)
Meta-inf\Manifest.mf (71 bytes)
The described collection of classes implements a Java applet (the main applet class is "efir"). The malicious applet uses the vulnerability CVE-2010-0840 to download files from the Internet to the infected computer. The vulnerability is due to improper checks when executing privileged methods in the Java Runtime Environment, which allows an attacker to execute arbitrary code via an untrusted object that extends a trusted class but has not overridden a certain method (the issue known as "Trusted Methods Chaining"). Successful exploitation lets the applet run with the privileges of trusted code, escaping the applet sandbox.
The malicious applet is launched from an infected HTML page by means of the "<APPLET>" tag. The URL of the file to download is passed to the applet as the tag parameter "kdwidth" in obfuscated form. Decoding is performed by the method "fipoluty", implemented in the class "efir". The scheme is a fixed single-character substitution (not real encryption, so the URL can be recovered from the HTML without any key): each input symbol is replaced by the output symbol at the same position in the following two strings.
Input symbols:
xTc/8:G1RqgymtFz_S?nuJHkpP=DBaeOj2&7Q%Mh5bXdK0vf4E-YCisAwV9rI.3oZl6LN#UW
Output symbols:
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#
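The following is an added example, not code from the original page or from the malware itself: it re-implements the substitution table above so that a "kdwidth" value found in a captured HTML page can be decoded offline. The applet's own method names are not reproduced; the sample HTML, the placeholder host "example.invalid" and the pass-through handling of characters outside the table are assumptions made for the example.

```python
"""Decoder for the obfuscated "kdwidth" applet parameter.

Added example based on the two 72-symbol alphabets given in the description:
the i-th input symbol decodes to the i-th output symbol.
"""
import re

INPUT_SYMBOLS = "xTc/8:G1RqgymtFz_S?nuJHkpP=DBaeOj2&7Q%Mh5bXdK0vf4E-YCisAwV9rI.3oZl6LN#UW"
OUTPUT_SYMBOLS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/.:_-?&=%#"

DECODE_MAP = dict(zip(INPUT_SYMBOLS, OUTPUT_SYMBOLS))
ENCODE_MAP = dict(zip(OUTPUT_SYMBOLS, INPUT_SYMBOLS))


def table_is_bijection() -> bool:
    """Sanity check: both alphabets hold the same 72 distinct symbols, so the
    substitution is a permutation and decoding is lossless."""
    return (len(INPUT_SYMBOLS) == len(OUTPUT_SYMBOLS) == 72
            and len(set(INPUT_SYMBOLS)) == 72
            and set(INPUT_SYMBOLS) == set(OUTPUT_SYMBOLS))


def decode(obfuscated: str) -> str:
    """Reverse the applet's substitution. Characters outside the table are
    passed through unchanged (assumption: the page does not say how the
    applet treats them)."""
    return "".join(DECODE_MAP.get(ch, ch) for ch in obfuscated)


def encode(plain: str) -> str:
    """Inverse mapping: handy for building test vectors and for searching
    captured HTML for a known URL in its encoded form."""
    return "".join(ENCODE_MAP.get(ch, ch) for ch in plain)


def extract_kdwidth(html: str) -> list:
    """Find every <param> tag named kdwidth and return its decoded value.
    Attribute order and quoting style are not assumed."""
    tag_re = re.compile(r"<param\b[^>]*>", re.IGNORECASE)
    name_re = re.compile(r'name\s*=\s*["\']?kdwidth["\']?', re.IGNORECASE)
    value_re = re.compile(r'value\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
    found = []
    for tag in tag_re.findall(html):
        if name_re.search(tag):
            m = value_re.search(tag)
            if m:
                found.append(decode(m.group(1)))
    return found


# Constructed sample page (not a real capture). The URL is a placeholder and
# was obfuscated with encode() so the round trip can be checked.
SAMPLE_URL = "http://example.invalid/load.exe"
SAMPLE_HTML = (
    '<applet code="bingo.efir.class" archive="x.jar" width="1" height="1">'
    f'<param name="kdwidth" value="{encode(SAMPLE_URL)}">'
    "</applet>"
)

if __name__ == "__main__":
    print("table is a permutation:", table_is_bijection())
    print("decoded kdwidth values:", extract_kdwidth(SAMPLE_HTML))
```

Because the table is a fixed permutation, the same decoder works on every page that carries this applet; the "bingo" class names and the "kdwidth" parameter are useful search terms for the hosting HTML.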
Once launched, the exploit checks the name of the operating system on the infected computer. If the OS is not Windows, the exploit terminates. Otherwise, it downloads the file from the decoded URL and stores it as
%USERPROFILE%\<rnd>.exe
where <rnd> is a random fractional decimal number between 0 and 1.
This file is launched after the download completes.
The exploit also sets the "java.net.useSystemProxies" system property to "true", so that the download goes through the proxy configured in the system settings instead of failing in a proxied environment.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the original exploit file (its location on the infected computer depends on how the program originally reached the victim machine).
2. Delete the file:
%USERPROFILE%\<rnd>.exe
3. Update Sun Java JRE and JDK to the latest versions.
4. Clear the Temporary Internet Files directory, which may contain infected files.
5. Perform a full system scan with an antivirus with updated databases.
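To support step 2, here is an added example (not part of the original page) that hunts for the dropped file. The page only says the name is a random fraction between 0 and 1; the patterns below assume the applet built the name by concatenating a Java double, which Java prints as "0.<digits>" or, for values below 1e-3, in scientific form such as "1.0E-4". That formatting detail and the sample directory listing are assumptions made for the example.

```python
"""Find files named like the <rnd>.exe payload directly under %USERPROFILE%.

Added example. The name patterns assume Java Double.toString() formatting of
a value in [0, 1): plain decimal, or scientific notation with a negative
exponent for very small values.
"""
import os
import re

CANDIDATE_NAME = re.compile(r"^(?:0\.\d+|\d\.\d+E-\d+)\.exe$", re.IGNORECASE)


def is_candidate_name(name: str) -> bool:
    """True if a bare filename looks like the random-fraction drop."""
    return CANDIDATE_NAME.match(name) is not None


def find_candidates(names) -> list:
    """Filter an iterable of bare filenames down to the suspicious ones."""
    return [n for n in names if is_candidate_name(n)]


def scan_user_profile(profile=None) -> list:
    """Return full paths of matching regular files at the top level of the
    profile directory (the description names no subdirectory)."""
    profile = profile or os.environ.get("USERPROFILE") or os.path.expanduser("~")
    try:
        entries = os.listdir(profile)
    except OSError:
        return []
    return [os.path.join(profile, n) for n in entries
            if is_candidate_name(n) and os.path.isfile(os.path.join(profile, n))]


# Constructed directory listing for offline demonstration (not a real capture).
SAMPLE_LISTING = [
    "0.8444218515250481.exe",  # typical Math.random() output -> flag
    "0.5.exe",                 # short fraction -> flag
    "1.0E-4.exe",              # scientific form for very small values -> flag
    "0.exe",                   # no fractional part -> ignore
    "10.25.exe",               # not in [0, 1) -> ignore
    "notepad.exe",             # ordinary program -> ignore
    "0.123.txt",               # right number, wrong extension -> ignore
]

if __name__ == "__main__":
    print("sample hits:", find_candidates(SAMPLE_LISTING))
    for path in scan_user_profile():
        print("suspicious file:", path)
```

Treat a hit as a candidate, not a verdict: confirm it by hash or antivirus scan before deleting, since the name alone carries no signature.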