Trojan-Downloader.Java.Agent.lc

The Java class “sob” is part of the JAR archive and is part of a single malware.

Technical details

Trojan, which without the knowledge of the user downloads other software on the computer and launches it for execution. It is a Java class (class-file). It has the size of 3458 bytes.

Destructive Activity

The Java class “sob” is part of the JAR archive and is part of a single malware. The following components of the Trojan are also stored in the archive:

asdfgh4.class - 212 bytes qwertyu45.class - 259 bytes sob $ 1.class - 457 bytes v567345.class - 330 bytes 

Activation of a malicious Java applet occurs after opening an infected HTML page in the user’s browser. The launch is performed using the HTML tag “<applet>”, for which, as one of the parameters, the main applet class is specified.The parameter, “url”, is passed from the HTML page to the applet. The value of the parameter “url” is an array of links, which are separated by the symbol “@”. Further received links are used to download other malicious software.

The Trojan exploits a vulnerability that allows a malicious applet to invoke privileged methods without proper security checks (CVE-2010-0840). Thus, a malicious user can execute arbitrary code on a vulnerable system. Vulnerable are Oracle Java SE and Java for Business:

  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 6.0 version 18 updates and earlier for Windows, Solaris and Linux;
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 version 23 updates and earlier for Solaris;
  • Software Development Kit (SDK) 1.4.2 version 25 updates and earlier for Solaris.

After successful exploitation of the vulnerability, the malicious program downloads files from the received links. The files are saved in the temporary user’s temporary storage directory with the following names:

% Temp% \ ms <rnd> cfg32.exe

where rnd is the serial number of the file being uploaded. Then, using the command line, the Trojan starts the downloaded files for execution.

Leave a Reply