Exploit:Java/CVE-2009-3867.HD


Exploit:Java/CVE-2009-3867.HD is a Java applet that attempts to exploit the vulnerabilities described in CVE-2009-3867 and CVE-2009-3868, which may allow the execution of arbitrary code with escalated privileges.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Additional recovery instructions
This threat exploits known vulnerabilities in Sun Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about the vulnerability, as well as where to download the software update from the following links:

Threat behavior

Exploit:Java/CVE-2009-3867.HD is a Java applet that attempts to exploit the vulnerabilities described in CVE-2009-3867 and CVE-2009-3868, which may allow the execution of arbitrary code with escalated privileges.
Installation
Exploit:Java/CVE-2009-3867.HD may be encountered when visiting a malicious Web page. If the applet is opened on a vulnerable computer, it may allow execution of arbitrary code with escalated privileges.

When loaded, the applet checks whether the computer is running Windows. If not, it terminates itself.
Payload
Executes arbitrary code
Depending on the version of Java installed, Exploit:Java/CVE-2009-3867.HD does one of the following:

  • Attempts to exploit CVE-2009-3867 and execute arbitrary code that downloads a remote file, saves it as "%TEMP%\pdfupd.exe" and runs it.
  • Attempts to exploit CVE-2009-3868 through "LoaderX.class" (detected as Exploit:Java/CVE-2008-5353.JJ), which loads the malicious Java class "DyesyasZ.class" (detected as TrojanDownloader:Java/OpenConnection.ES) with elevated permissions. This class then downloads a remote file and saves it as "%TEMP%\<RANDOM>.EXE".
Additional Information
It is not uncommon for antivirus software to detect malicious Java applets in a Web browser's cache. This does not necessarily mean that the system is compromised. Most of the time it reflects the fact that at some stage a Web page with a malicious applet was visited and cached locally. To clear such a notification it is often enough to purge the cache using the Web browser's configurable security options.
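As a defender's triage aid, the following is an added Python example (not code from the Microsoft entry) that distinguishes the two situations described above: it looks for the applet components this entry names (LoaderX.class and DyesyasZ.class) in a cache directory, and separately for the dropped "%TEMP%\pdfupd.exe" file, whose presence is the stronger sign that the exploit actually ran rather than merely being cached. The cache and temp directory paths and the sample jar it builds are constructed for the demonstration, not taken from a real system.

```python
import os
import tempfile
import zipfile

# Indicators named in the entry: class names inside the malicious applet and the
# file name the CVE-2009-3867 path writes under %TEMP% ("<RANDOM>.EXE" has no fixed name).
APPLET_CLASSES = {"LoaderX.class", "DyesyasZ.class"}
DROPPED_NAME = "pdfupd.exe"

def members_of_jar(path):
    """Base names of all entries in a jar (zip) file; empty if unreadable."""
    try:
        with zipfile.ZipFile(path) as jar:
            return {os.path.basename(n) for n in jar.namelist()}
    except (zipfile.BadZipFile, OSError):
        return set()

def scan_java_cache(cache_dir):
    """Walk a cache directory and return (path, class_name) pairs for loose
    class files or jars that carry the applet components named above."""
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            full = os.path.join(root, name)
            if name in APPLET_CLASSES:
                hits.append((full, name))
            elif name.lower().endswith((".jar", ".zip")):
                for cls in sorted(members_of_jar(full) & APPLET_CLASSES):
                    hits.append((full, cls))
    return hits

def check_dropped_file(temp_dir):
    """A cached applet only shows a page was visited; the dropped file in
    %TEMP% is the stronger sign the exploit ran. Returns its path or None."""
    candidate = os.path.join(temp_dir, DROPPED_NAME)
    return candidate if os.path.isfile(candidate) else None

def build_sample_dirs():
    """Constructed sample input (no real malware): a jar whose entries only
    reuse the indicator names, plus an empty file named like the dropper."""
    base = tempfile.mkdtemp(prefix="java_cache_sample_")
    cache, temp = os.path.join(base, "cache"), os.path.join(base, "temp")
    os.makedirs(cache)
    os.makedirs(temp)
    with zipfile.ZipFile(os.path.join(cache, "applet.jar"), "w") as jar:
        jar.writestr("LoaderX.class", b"")    # placeholder bytes, not bytecode
        jar.writestr("Harmless.class", b"")
    open(os.path.join(temp, DROPPED_NAME), "wb").close()
    return cache, temp
```

Point `scan_java_cache` at the browser's or Java deployment cache directory and `check_dropped_file` at the user's temp directory; a hit from the first alone matches the "cached applet" case above, while a hit from the second warrants a full scan.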
See the following links for more information about the vulnerabilities described in CVE-2009-3867 and CVE-2009-3868:
Analysis by Rodel Finones

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
This entry was first published on: Sep 01, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases