Exploit:Java/CVE-2010-0840.W is a detection for a malicious and obfuscated Java class that exploits the vulnerability described in CVE-2010-0840. Successful exploitation leads to remote code execution.
When a user whose computer has a vulnerable version of Sun Java visits a website hosting the class, Java security checks may be bypassed, allowing arbitrary code to be executed.
When loaded, the malicious Java class checks if the computer is running a Windows Operating System, and if so, proceeds with its installation process.
In the wild, the malicious Java class is bundled with other non-malicious Java applet classes, and may be present under the following file name:
bpac\a.class - detected as Exploit:Java/CVE-2010-0840.W
Downloads and executes arbitrary files
When the exploitation is successful, Exploit:Java/CVE-2010-0840.W attempts to download and execute a malicious program from a specified URL.
In the wild, we have observed the downloaded binary file "a" stored alongside Exploit:Java/CVE-2010-0840.W. The downloaded program is saved as %TEMP%\<number>.exe, where <number> is a random number.
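The dropped-file pattern described above (an executable with a purely numeric name written to %TEMP% and launched after the applet runs) lends itself to a simple host-based check over process-creation telemetry. The following is an added example, not part of the original analysis; the process-creation events are constructed, and the set of Java host process names (java.exe, javaw.exe, jp2launcher.exe) is an assumption about how the applet would be hosted.

```python
import re

# Constructed process-creation events for illustration (not observed data).
# Each event records the parent image that spawned the process and the new image path.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Java\jre6\bin\java.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\48213.exe"},
    {"parent": r"C:\Program Files\Java\jre6\bin\jp2launcher.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\7.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"parent": r"C:\Program Files\Java\jre6\bin\java.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update_1234.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\9001.exe"},
]

# Assumed names of processes that host a browser Java applet.
JAVA_HOSTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}

# A file directly inside a "Temp" directory whose base name is digits only, e.g. %TEMP%\48213.exe.
# Matches both "...\AppData\Local\Temp\" and "...\Local Settings\Temp\" layouts.
TEMP_NUMERIC_EXE = re.compile(r"\\temp\\\d+\.exe$", re.IGNORECASE)


def _basename(path):
    """Return the file name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return 'high', 'low' or None for one process-creation event.

    'high': numeric-named .exe in %TEMP% spawned by a Java host process
            (the full pattern described for this exploit).
    'low' : numeric-named .exe in %TEMP% spawned by something else
            (worth a look, but weaker evidence on its own).
    None  : does not match the naming pattern.
    """
    if not TEMP_NUMERIC_EXE.search(event["image"]):
        return None
    if _basename(event["parent"]) in JAVA_HOSTS:
        return "high"
    return "low"


def classify_events(events):
    """Return (severity, image path) pairs for every event that matched."""
    results = []
    for event in events:
        severity = classify_event(event)
        if severity is not None:
            results.append((severity, event["image"]))
    return results
```

Running `classify_events(SAMPLE_EVENTS)` flags the two Java-spawned numeric executables as high and the explorer-spawned one as low, while ignoring names such as setup.exe or update_1234.exe that merely live in %TEMP%.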
Analysis by Vincent Tiu