Exploit:JS/Mult.DU


Exploit:JS/Mult.DU is a trojan that runs different exploit code depending on the version of Java installed on the affected computer. It may also send certain information to a remote attacker.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Update vulnerable Java applications

This threat exploits known vulnerabilities in Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about the vulnerabilities in Java, and find out where to download the software update, from the following links:

It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.

Threat behavior

Exploit:JS/Mult.DU is a trojan that runs different exploit code depending on the version of Java installed on the affected computer. It may also send certain information to a remote attacker.

Installation

Exploit:JS/Mult.DU may arrive on the computer if the user visits a webpage hosting it. If it fails to execute properly, it connects to the server eurolove<removed>.cu.cc to report the error.

Payload

Runs other malware
Exploit:JS/Mult.DU checks for the Java version installed in the computer. Depending on the version installed, it may attempt to exploit the following vulnerabilities:

  • CVE-2010-4452 - if successfully exploited, it loads a webpage from the address 95.16<removed>.73.152
  • CVE-2010-0094 - if successfully exploited, it loads a webpage from the server eurolove<removed>.cu.cc
  • CVE-2010-3552 - if successfully exploited, it loads a webpage from the server eurolove<removed>.cu.cc
  • CVE-2010-0886 - if the browser is Internet Explorer
  • Microsoft Security Bulletin MS06-014 - if successfully exploited, it downloads a file named "kb885265.exe" from the server eurolove<removed>.cu.cc

Steals system information
Exploit:JS/Mult.DU sends the following information to the remote server "eurolove<removed>.cu.cc":

  • Time zone of the computer
  • Display information (screen width, screen height, and color depth)
  • Java version installed
  • Browser user agent
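
The network indicators described above (the eurolove<removed>.cu.cc server and the "kb885265.exe" download) can be hunted for in web proxy logs. The following is an added example, not part of the original entry: the log format, the trusted-host list and the sample lines are assumptions, and the file-name check is generalized to any KB-numbered executable served from a non-Microsoft host.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that legitimately serve Microsoft update packages.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
KB_EXE = re.compile(r"^kb\d+\.exe$", re.IGNORECASE)

def host_matches_c2(host):
    """Host fits the partly redacted name in the entry: eurolove<removed>.cu.cc."""
    return host.startswith("eurolove") and host.endswith(".cu.cc")

def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def classify(url):
    """Return the reasons a requested URL is suspicious (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if host_matches_c2(host):
        reasons.append("host matches eurolove*.cu.cc")
    if KB_EXE.match(filename) and not is_trusted(host):
        reasons.append("KB-named executable from non-Microsoft host")
    return reasons

def scan(log_lines):
    """Return (client_ip, url, reasons) per hit; assumed format: '<time> <ip> <method> <url>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed sample lines; "example1" stands in for the redacted part of the host name.
SAMPLE_LOG = [
    "2011-07-18T10:02:11Z 10.0.0.12 GET http://download.microsoft.com/download/kb885265.exe",
    "2011-07-18T10:02:14Z 10.0.0.15 GET http://euroloveexample1.cu.cc/kb885265.exe",
    "2011-07-18T10:02:20Z 10.0.0.15 GET http://euroloveexample1.cu.cc/index.php",
    "2011-07-18T10:03:01Z 10.0.0.20 GET http://files.example.net/patches/KB123456.exe",
]

if __name__ == "__main__":
    for ip, url, reasons in scan(SAMPLE_LOG):
        print(ip, url, "; ".join(reasons))
```

A client that appears in the results is a candidate for the full-system scan and Java update steps given earlier in this entry.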

Analysis by Daniel Chipiristeanu


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.107.2008.0
Latest detected by definition: 1.107.2008.0 and higher
First detected on: Jul 18, 2011
This entry was first published on: Jul 20, 2011
This entry was updated on: Aug 04, 2011

This threat is also detected as:
  • JS/Redir.FH (Norman)
  • Trojan.JS.Redirector.qb (Kaspersky)