Exploit:Java/CVE-2010-0840.W


Exploit:Java/CVE-2010-0840.W is a detection for a malicious and obfuscated Java class that exploits the vulnerability described in CVE-2010-0840. Successful exploitation leads to remote code execution.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Update vulnerable applications
This threat exploits a known vulnerability in the Java Runtime Environment (JRE). To prevent your computer from being vulnerable to this malware, make sure that you install the updates available from the vendor. You can read more about this vulnerability from the following links:
 
Over time, multiple vulnerable versions of Java may remain on your computer in separate folders. It is "highly recommended" that users remove all older versions of Java, as keeping the older versions on your system presents a security risk. See the following FAQ article:

Threat behavior

When a user visits a website that contains the class using a computer that has a vulnerable version of Sun Java, security checks may be bypassed, allowing arbitrary code to be executed.
Installation
When loaded, the malicious Java class checks whether the computer is running a Windows operating system, and if so, proceeds with its installation process.
 
In the wild, the malicious Java class is bundled with other non-malicious Java class applets, and may be present as the following:
  • bpac\a.class - detected as Exploit:Java/CVE-2010-0840.W
  • bpac\a$1.class
  • bpac\b.class
  • bpac\kavs.class
Payload
Downloads and executes arbitrary files
When the exploitation is successful, Exploit:Java/CVE-2010-0840.W attempts to download and execute a malicious program from a specified URL.
 
In the wild, we have observed the downloaded binary file "a" being stored with Exploit:Java/CVE-2010-0840.W. The downloaded program is saved as %TEMP%\<number>.exe, where <number> is a random number.
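The two artifacts this entry names, the bpac class set bundled in the applet and the %TEMP%\<number>.exe drop, can be turned into a simple triage check. The following is an added example for defenders, not Microsoft's own detection logic; the function names and the constructed sample archive are assumptions, and a match is a lead for further analysis, not a verdict.

```python
import io
import re
import zipfile

# Class entries the writeup lists as bundled with the exploit applet.
BPAC_CLASSES = {"bpac/a.class", "bpac/a$1.class", "bpac/b.class", "bpac/kavs.class"}

# The writeup says the downloaded program is saved as %TEMP%\<number>.exe.
DROPPED_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def jar_indicators(jar_bytes):
    """Return the bpac class entries present in a JAR (zip archive) given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        # Normalise separators so both "bpac\a.class" and "bpac/a.class" match.
        names = {n.replace("\\", "/") for n in zf.namelist()}
    return sorted(names & BPAC_CLASSES)


def dropped_payload_names(filenames):
    """Return names from a %TEMP% listing that fit the <number>.exe drop pattern."""
    return [n for n in filenames if DROPPED_EXE.match(n)]


def build_sample_jar():
    """Constructed sample (hypothetical): an archive with the entry names from the
    writeup and empty bodies, so the check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(BPAC_CLASSES) + ["META-INF/MANIFEST.MF"]:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(jar_indicators(build_sample_jar()))
    # Constructed directory listing: only the all-digit .exe name should be flagged.
    print(dropped_payload_names(["481923.exe", "notes.txt", "setup.exe"]))
```

Run against a real archive, pass the file's bytes to jar_indicators; an archive that contains only a subset of the four entries still deserves a look.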
 
Analysis by Vincent Tiu

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
This entry was first published on: Jan 18, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases