This threat is an obfuscated Java class that exploits the vulnerability described in CVE-2010-0840. When a user visits a web page that embeds this malicious Java class using a computer with a vulnerable version of Sun Java, the Java sandbox's security checks may be bypassed, which allows arbitrary code execution. Successful exploitation may lead to the download and execution of arbitrary files within the user's security context. Sun fixed CVE-2010-0840 in its March 2010 Java critical patch update (Java SE 6 Update 19); checking the installed Java version with "java -version" is the quickest way to confirm whether a machine is exposed.
The threat is commonly stored or bundled within a JAR (Java archive) file hosted on a compromised web page. In the wild, we have observed the malicious Java class bundled with other non-malicious Java classes within a .JAR file, as in the following example file set:
- detected as Exploit:Java/CVE-2010-0840.OG
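The delivery described above (an applet tag on the page, a JAR that mixes one malicious class with benign ones, and an opaque parameter carrying the encrypted URL) can be triaged without executing anything. The following script is an added example, not code from the original entry or from Microsoft; the sample HTML, the stand-in JAR built in memory, and the entropy and length thresholds are all constructed assumptions for illustration. It lists the applets on a page, checks that each applet's entry class is actually present in the archive, flags applets sized to be invisible, and flags parameter values that are long and random-looking enough to be an encoded payload URL.

```python
import math
import zipfile
from collections import Counter
from html.parser import HTMLParser
from io import BytesIO

# Constructed sample page (not a real exploit page). It embeds an applet that
# loads a JAR and passes an opaque-looking parameter, mirroring the description.
SAMPLE_HTML = """
<html><body>
<applet code="a.class" archive="pack.jar" width="1" height="1">
  <param name="data" value="H3p9kqWzX0vLm2nR8tYc5bQd7fGjKs1aUe4iOw6xZ">
  <param name="ver" value="1">
</applet>
</body></html>
"""


class AppletParser(HTMLParser):
    """Collect <applet>/<object>/<embed> tags and the <param> tags nested in them."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("applet", "object", "embed"):
            self._current = {"tag": tag, "attrs": a, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("applet", "object", "embed"):
            self._current = None


def extract_applets(html):
    parser = AppletParser()
    parser.feed(html)
    return parser.applets


def shannon_entropy(text):
    """Bits per character; an encrypted or base64-like blob scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_params(applet, min_len=24, min_entropy=4.0):
    """Parameter values long and random-looking enough to be an encoded URL.
    The thresholds are an assumed triage heuristic, not a signature."""
    return {k: v for k, v in applet["params"].items()
            if len(v) >= min_len and shannon_entropy(v) >= min_entropy}


def build_sample_jar():
    """Constructed stand-in JAR: .class entries hold placeholder bytes, not real bytecode."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("a.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        z.writestr("helper/Util.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        z.writestr("res/icon.png", b"\x89PNG")
    return buf.getvalue()


def jar_classes(jar_bytes):
    with zipfile.ZipFile(BytesIO(jar_bytes)) as z:
        return sorted(n for n in z.namelist() if n.endswith(".class"))


def triage(html, jar_bytes):
    """Relate each applet on the page to the archive: entry class, whether it is
    present in the JAR, whether the applet is sized to be invisible, and which
    parameters look like encoded payload data."""
    classes = set(jar_classes(jar_bytes))
    report = []
    for ap in extract_applets(html):
        attrs = ap["attrs"]
        code = attrs.get("code", "")
        report.append({
            "archive": attrs.get("archive", ""),
            "code": code,
            "code_in_jar": code in classes,
            "hidden": attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"),
            "suspicious_params": suspicious_params(ap),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_HTML, build_sample_jar()):
        print(entry)
```

A 1x1 applet, an entry class whose name is a single letter, and one parameter that looks like ciphertext are each weak on their own; together they are a good reason to pull the JAR for static analysis. A plain URL also has non-trivial entropy, so treat the parameter check as a prioritisation aid rather than proof of encryption.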
Downloads arbitrary files
The class decrypts a URL that is embedded as a parameter within the HTML page that loads it, then downloads and runs the file from that URL. The downloaded file is saved and executed as:
%TEMP%\<random file name> (for example, "%TEMP%\rrrsas.exe")
The file could be any additional malware of the attacker's choice.
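The payload behaviour above, a Java process writing an executable with a random name under %TEMP% and then launching it, is easier to catch from process-creation telemetry than from the applet itself. The following detection logic is an added example and is not part of the original entry; the event lines are constructed (a simplified "parent | child | command line" layout, not any real product's log format), and the set of Java images and the %TEMP% path patterns are assumptions to adjust for the environment.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry), one per line:
# parent image | child image | child command line
SAMPLE_EVENTS = [
    r"C:\Program Files\Java\jre6\bin\java.exe|C:\Users\alice\AppData\Local\Temp\rrrsas.exe|rrrsas.exe",
    r"C:\Windows\explorer.exe|C:\Program Files\Java\jre6\bin\javaw.exe|javaw.exe -jar app.jar",
    r"C:\Program Files\Java\jre6\bin\javaw.exe|C:\Windows\System32\cmd.exe|cmd /c whoami",
    r"C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Temp\setup_123.exe|setup_123.exe",
]

# Java runtime images that host applets launched from a browser (assumed list).
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# %TEMP% as it appears on Vista and later (AppData\Local\Temp) and on XP
# (Local Settings\Temp); both forms are assumed here.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp)\\", re.IGNORECASE)


def parse_event(line):
    parent, child, cmdline = line.split("|", 2)
    return {"parent": parent, "child": child, "cmdline": cmdline}


def is_java(image):
    return ntpath.basename(image).lower() in JAVA_IMAGES


def in_temp(image):
    return TEMP_RE.search(image) is not None


def classify(event):
    """Verdict for one event. The exploit's own behaviour is a Java process
    starting an executable it just dropped under %TEMP%; any other child of
    Java is worth a look but is not this indicator."""
    if is_java(event["parent"]) and in_temp(event["child"]):
        return "alert"
    if is_java(event["parent"]):
        return "review"
    return "ok"


def hunt(lines):
    return [(ntpath.basename(e["child"]), classify(e)) for e in map(parse_event, lines)]


if __name__ == "__main__":
    for name, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict:6} {name}")
```

The fourth event shows why the parent check matters: an executable run from %TEMP% by Explorer is an ordinary installer, while the same path launched by java.exe is the drop-and-run sequence this entry describes. Pairing the alert with a file-creation event for the same path by the same Java process removes most remaining false positives.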
Analysis by Wei Li
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.