Exploit:Java/CVE-2010-0840.OG


Exploit:Java/CVE-2010-0840.OG is an obfuscated Java class that exploits a vulnerability described in CVE-2010-0840. Successful exploitation may lead to the download and execution of arbitrary files within the user's security context. When a user visits a website that contains this malicious Java class using a computer that has a vulnerable version of Sun Java, security checks may be bypassed, which could allow arbitrary code execution.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Update vulnerable Java applications

This threat exploits a known vulnerability in Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about this vulnerability in Java, as well as where to download the software update from the following links:

It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.

 

Threat behavior

Installation

Exploit:Java/CVE-2010-0840.OG is commonly stored or bundled within a JAR (Java archive) file and hosted on a compromised web page. In the wild, we have observed that the malicious Java class is bundled with other non-malicious Java classes within a .JAR file, as in the following example file set:
 
  • Ooo.class - detected as Exploit:Java/CVE-2010-0840.OG
  • Ooo$1.class
  • fftubny.class
  • Idmer.class
  • jy1gjdg.class
  • Mentry.class
Payload

Downloads arbitrary files

Exploit:Java/CVE-2010-0840.OG decrypts a URL that is embedded as a parameter within the HTML page from which it is loaded, then uses that URL to download and run arbitrary files. The downloaded file is saved and executed as:

  • %TEMP%\<random file name> (for example, "%TEMP%\rrrsas.exe")

The file could include additional malware of an attacker's choice.
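As an added example (not part of this encyclopedia entry), the following Python triage helper lists the classes inside a JAR recovered from a compromised page, matches them against the file set documented above, and pulls out long opaque applet parameters of the kind that carry the encrypted download URL. The sample JAR, the HTML snippet and the parameter name "d" are constructed for illustration.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Class names from the example file set documented in the entry above.
KNOWN_FILE_SET = {"Ooo.class", "Ooo$1.class", "fftubny.class",
                  "Idmer.class", "jy1gjdg.class", "Mentry.class"}


class AppletParamParser(HTMLParser):
    """Collects <applet>/<object>/<embed> tags and their <param> children."""
    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("applet", "object", "embed"):
            self.applets.append({"tag": tag, "attrs": a, "params": {}})
        elif tag == "param" and self.applets:
            self.applets[-1]["params"][a.get("name", "")] = a.get("value", "")


def triage_jar(jar_bytes):
    """Return (all class names in the JAR, overlap with the documented file set)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        classes = {n.rsplit("/", 1)[-1] for n in z.namelist() if n.endswith(".class")}
    return classes, classes & KNOWN_FILE_SET


def triage_html(html):
    """Flag applet parameters that look like opaque encoded blobs (a URL carrier)."""
    p = AppletParamParser()
    p.feed(html)
    findings = []
    for ap in p.applets:
        loader = ap["attrs"].get("archive") or ap["attrs"].get("code")
        for name, value in ap["params"].items():
            if len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
                findings.append((loader, name, value))
    return findings


def build_sample_jar():
    """Constructed JAR mirroring the documented file set (class bodies are stubs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in sorted(KNOWN_FILE_SET):
            z.writestr(n, b"\xca\xfe\xba\xbe")  # Java class magic only
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed HTML: a 1x1 applet whose "d" parameter carries an opaque blob.
SAMPLE_HTML = ('<html><body><applet archive="a.jar" code="Ooo.class" width="1" '
               'height="1"><param name="d" value="QkNERUZHSElKS0xNTk9QUVJT">'
               '</applet></body></html>')
```
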
 
Analysis by Wei Li

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

 

Prevention


Alert level: Severe
This entry was first published on: Feb 02, 2012
This entry was updated on: Feb 28, 2012

This threat is also detected as:
No known aliases