TrojanDownloader:Java/Rexec.G
First posted on 29 March 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Java/Rexec.G is also known as EXP/JAVA.Vedenbi.Gen (Avira), Java.Downloader.556 (Dr.Web), Downloader-FAP!991731987F5E (McAfee), Mal/JavaSca-A (Sophos).
Explanation:
TrojanDownloader:Java/Rexec.G is a malicious Java applet that may allow the downloading and execution of arbitrary files. It is commonly used as a component in an exploit-based attack.
Installation
TrojanDownloader:Java/Rexec.G is the downloader component of Exploit:Java/CVE-2012-0507.A and Exploit:Java/CVE-2012-0507.B, which target the vulnerability described in CVE-2012-0507 (a vulnerability in the deserialization of "AtomicReferenceArray" objects).
Specific to Exploit:Java/CVE-2012-0507.A and Exploit:Java/CVE-2012-0507.B, this malicious Java applet is constructed at runtime by the Java class detected as Exploit:Java/CVE-2012-0507.B.
Payload
Downloads other malware
It connects to a remote, hardcoded URL link to download and execute the malware payload of the exploit.
The downloaded binary, which is saved as %temp%\MOR.exe, is sometimes encoded with a simple XOR encryption.
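The entry says the dropped file is sometimes XOR-encoded, so an analyst who retrieves it from %temp% may not see a valid executable until the encoding is undone. The following triage helper is an added example and is not code from the Microsoft entry or from the malware itself. It assumes, which the page does not state, that the encoding is a single key byte applied to every byte of the file and that the decoded payload is a Windows PE file; under those assumptions it tries every possible key byte and stops at the first one that yields a well-formed DOS/PE header. The sample "binary" below is constructed inline so the script runs offline.

```python
# Added example (not from the encyclopedia entry): recover a single-byte-XOR-
# encoded PE file such as the payload the entry says is saved as %temp%\MOR.exe.
# Assumptions not stated on the page: one key byte for the whole file, PE payload.
import struct

DOS_MAGIC = b"MZ"          # start of the DOS header of every PE file
PE_MAGIC = b"PE\x00\x00"   # NT signature found at offset e_lfanew


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A slice past the end is simply shorter than four bytes, so this stays safe.
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def recover_xor_key(blob: bytes):
    """Return (key, decoded_bytes) for the first key byte that yields a PE, else None.

    Key 0 is tried first, covering the case the entry mentions where the
    download is not encoded at all.
    """
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a downloaded binary: a minimal DOS header whose
    e_lfanew (offset 0x3C) points at a PE signature at offset 0x40."""
    header = bytearray(DOS_MAGIC + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew = 0x40
    return bytes(header) + PE_MAGIC + b"\x00" * 16    # signature plus padding


if __name__ == "__main__":
    sample = build_sample_pe()
    # Constructed input: pretend the downloader XOR-ed the file with key 0x5A.
    encoded = xor_bytes(sample, 0x5A)
    result = recover_xor_key(encoded)
    if result is None:
        print("no single-byte XOR key produced a PE header")
    else:
        key, decoded = result
        print(f"key=0x{key:02x} valid_pe={looks_like_pe(decoded)}")
```

In practice the recovered file should then be hashed and scanned, since the entry notes the payload is often a Win32/Zbot sample; if no key byte produces a PE header, the file is either not a PE or uses a longer key than this helper assumes.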
In the wild, we have observed the following domains used by this threat to download malware:
- freshnewstoday.org
- js.feedir.com
- turbosaleinf.com
Among the downloaded malware is Win32/Zbot.
Analysis by Rex Plantado
Last update 29 March 2012