Threat behavior

Exploit:Java/CVE-2012-0507.B is the detection for a malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33. The vulnerability is described in CVE-2012-0507.

The vulnerability exploits a flaw in the deserialization of "AtomicReferenceArray" objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing.


The attacker may host a malicious script on a website. If a user visits the site, the script loads the Java applet.

The malicious Java package may contain the following malicious Java class files:


Downloads other malware

The file "Test.class" triggers the vulnerability. It then calls the function "doWork()" inside the file "Help.class" to act as class loader.

The loader class creates another class file at runtime and loads it with elevated privileges. This class, which is detected as TrojanDownloader:Java/Rexec.G, downloads malware from a certain server and executes it as "%Temp%\mor.exe". The downloaded file is a variant of Win32/Zbot.

In the wild, we have observed this malware downloading files from the server "".

Analysis by Rex Plantado


There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
First detected by definition: 1.121.1528.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 14, 2012
This entry was first published on: Mar 14, 2012
This entry was updated on: Mar 26, 2012

This threat is also detected as:
  • Java.Downloader.AC (Ikarus)
  • Exploit.Java.CVE-2012-0507.a (Kaspersky)
  • Exploit-CVE2012-0507 (McAfee)