Trojan:Java/Boonana is the detection for a Java archive (.JAR) file that connects to a remote server to download files and to send information about the user's activities. It is known to be distributed as a link in messages in popular social networking sites such as Facebook. This trojan contains components that are installed on both Mac and Windows operating systems.
Trojan:Java/Boonana may be hosted on a website and installed by unsuspecting users. Users of social networking sites such as Facebook may receive messages containing a link to the website. When a user clicks on the hyperlink, they are prompted to run a Java applet named "JPhotoAlbum.jar", which is detected as Trojan:Java/Boonana. It contains several components:
start.class - contains the main method and initialization functions
classprotect.class - contains the methods to download different file input streams from a given URL
a.jad - contains the methods to execute remote files
lake.jad - captures screenshots and downloads files (see Payload section below)
jphotoalbum.jad - encodes and decodes URLs and downloads files
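The component list above is a static, name-based indicator a defender can check for during triage of a suspicious applet. The following Python script is an added example and is not part of the original encyclopedia entry or any vendor tooling: it opens a JAR (which is a ZIP archive), collects the entry names, and compares their base names against the five component names documented on this page. The sample JARs it builds in memory are constructed test data, and the "at least three matches" threshold is an assumption of the example chosen to avoid flagging a benign archive on a single generic name such as start.class.

```python
import io
import zipfile

# Component names documented for the JPhotoAlbum.jar applet (taken from the entry above).
BOONANA_JAR_COMPONENTS = {
    "start.class",
    "classprotect.class",
    "a.jad",
    "lake.jad",
    "jphotoalbum.jad",
}


def jar_entry_names(jar_bytes):
    """Return the entry names inside a JAR; a JAR is a ZIP archive, so zipfile reads it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [info.filename for info in zf.infolist()]


def match_boonana_components(jar_bytes):
    """Return the sorted list of documented component names present in the JAR.

    Matching is on the base name, case-insensitively, so an entry nested in a
    package directory (e.g. 'com/x/start.class') still matches.
    """
    found = set()
    for name in jar_entry_names(jar_bytes):
        base = name.rsplit("/", 1)[-1].lower()
        if base in BOONANA_JAR_COMPONENTS:
            found.add(base)
    return sorted(found)


def triage_jar(jar_bytes, min_matches=3):
    """Flag the JAR when at least min_matches documented components are present.

    The threshold is an assumption of this example, not a published rule: the
    entry documents five components, and requiring several together limits
    false positives from one generic name such as 'start.class'.
    """
    matches = match_boonana_components(jar_bytes)
    return {"matches": matches, "suspicious": len(matches) >= min_matches}


def build_sample_jar(entries):
    """Build an in-memory JAR containing the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")  # contents are irrelevant for a name-based check
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample whose entry names mirror the documented layout.
    sample = build_sample_jar([
        "META-INF/MANIFEST.MF", "start.class", "classprotect.class",
        "a.jad", "lake.jad", "jphotoalbum.jad",
    ])
    print(triage_jar(sample))

    # Constructed benign sample: one generic name only, below the threshold.
    benign = build_sample_jar(["META-INF/MANIFEST.MF", "Main.class", "start.class"])
    print(triage_jar(benign))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_jar`; because the check is purely on entry names, a match is a reason to pull the archive for closer analysis rather than a verdict on its own.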
When run, Trojan:Java/Boonana also drops the following files:
"._" - batch file
"_" - Java JAR file containing malicious Java classes
"logo.gif" - clean GIF file
".vbs" - VBS script used to call the Java runtime library
Connects to a remote server
Trojan:Java/Boonana uses its dropped batch file in an attempt to connect to "ftp.deal-bank.ru" using TCP port 21.
It steals and then sends the following information to the server:
It can also download and execute arbitrary files from the server.
Downloads other files
Trojan:Java/Boonana downloads other files.
The above files may be downloaded from various domains with names in the following format:
In the wild, some of the domains it is known to download files from are:
Analysis by Jaime Wong
The following may indicate the presence of this malware: