Home / malware TrojanDownloader:Java/OpenStream.AL
First posted on 23 October 2010.
Source: SecurityHomeAliases :
TrojanDownloader:Java/OpenStream.AL is also known as Java/Agent.CE (Authentium (Command)), Java/Agent.HN (Avira), JAVA.Agent (Ikarus), Trojan-Downloader.Java.OpenConnection.ay (Kaspersky), Troj/JavaDL-AU (Sophos).
Explanation :
TrojanDownloader:Java/OpenStream.AL is a detection for a trojan Java applet that allows the downloading and execution of arbitrary files.
Top
TrojanDownloader:Java/OpenStream.AL is a detection for a trojan Java applet that allows the downloading and execution of arbitrary files. Installation TrojanDownloader:Java/OpenStream.AL may be invoked by a malicious website as a Java archive file (.JAR file extension). The applet is invoked from an HTML page by referencing a class file named "a$1.class" stored in the .JAR archive. In the wild, we have observed components named "a$1.class" and "KAVS.class" stored in the same .JAR archive. Payload Downloads arbitrary files When the malicious .JAR archive is processed by Java, a Java class component attempts to break Java sandbox security using an exploit described in CVE-2010-0840. The malicious HTML feeds the Java class component a specific URL of the file to download. The d ownloader checks if the operating system is Windows, and if so, downloads and runs an executable. When downloaded, the file will be saved as "<random digits>.exe" in the Temporary files folder.
Analysis by Chris StubbsLast update 23 October 2010