Home / malwarePDF  

TrojanDownloader:Java/OpenStream.AM


First posted on 23 November 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Java/OpenStream.AM is also known as Trojan-Downloader.Java.Agent.hx (Kaspersky), Java.Trojan.Downloader.OpenConnection.AI (BitDefender), Java/SillyDlJava.AJ (CA), Java.Downloader.123 (Dr.Web), Trojan.Java.Agent.db (Sunbelt Software).

Explanation :

TrojanDownloader:Java/OpenStream.AM is a detection for a trojan Java applet that allows the downloading and execution of arbitrary files.
Top

TrojanDownloader:Java/OpenStream.AM is a detection for a trojan Java applet that allows the downloading and execution of arbitrary files. Installation TrojanDownloader:Java/OpenStream.AM may be invoked by a malicious website as a Java archive file (.JAR file extension). The applet is invoked from an HTML page by referencing a class file named "a$1.class" stored in the .JAR archive. In the wild, we have observed components named "a.class", "a$1.class","b.class" and "KAVS.class" stored in the same .JAR archive. Payload Downloads arbitrary files When the malicious .JAR archive is processed by Java, a Java class component attempts to break Java sandbox security using an exploit described in CVE-2010-0840. The malicious HTML feeds the Java class component a specific URL of the file to download. The downloader checks if the operating system is Windows, and if so, downloads and runs an executable. When downloaded, the file will be saved as "<random digits>.exe" in the Temporary files folder.

Analysis by Wei Li

Last update 23 November 2010

 

TOP

Malware :