
Trojan:Java/Boonana


Trojan:Java/Boonana is the detection for a Java archive (.JAR) file that connects to a remote server to download files and to send information about the user's activities. It is known to be distributed as a link in messages in popular social networking sites such as Facebook. This trojan contains components that are installed on both Mac and Windows operating systems.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Java/Boonana may be hosted on a website and installed by unsuspecting users. Users of social networking sites such as Facebook may receive messages containing a link to the website. When a user clicks on the hyperlink, they are prompted to run a Java applet named "JPhotoAlbum.jar", which is detected as Trojan:Java/Boonana. It contains several components:
 
  • start.class - contains the main method and initialization functions
  • classprotect.class - contains the methods to download different file input streams from a given URL
  • a.jad - contains the methods to execute remote files
  • lake.jad - captures screenshots and downloads files (see Payload section below)
  • jphotoalbum.jad - encodes and decodes URLs and downloads files
 
When run, Trojan:Java/Boonana also drops the following files:
 
  • "._" - batch file
  • "_" - Java JAR file containing malicious java classes
  • "logo.gif" - clean GIF file
  • ".vbs" - VBS script used to call the Java runtime library
Payload
Connects to a remote server
Trojan:Java/Boonana uses its dropped batch file in an attempt to connect to "ftp.deal-bank.ru" using TCP port 21.
 
It steals and then sends the following information to the server:
 
  • screenshots
  • mouse events
 
It can also download and execute arbitrary files from the server.
 
Downloads other files
Trojan:Java/Boonana downloads other files
 
 
The above files may be downloaded from various domains with names in the following format:
<random string>.<domain>
 
For example:
 
38ffqm9bju.lachgastuning.info
5oc7hzqqi9.strangled.net
3atyhpxj7r.semashare.com
 
In the wild, some of the domains it is known to download files from are:
 
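As an added example (not code from the original entry or from Microsoft), the following Python triage helper turns the component list under Installation and the `<random string>.<domain>` naming scheme above into two defender-side checks: one reports which of the named Boonana members a JAR contains, the other flags DNS queries for a random-looking label under one of the parent domains cited in the examples. The in-memory JAR, the key=value log format and the 8-12 character label length are constructed assumptions.

```python
import io
import re
import zipfile

# JAR members named in the write-up's component list.
BOONANA_MEMBERS = {"start.class", "classprotect.class", "a.jad", "lake.jad", "jphotoalbum.jad"}
# Parent domains taken from the page's <random string>.<domain> examples.
KNOWN_DOMAINS = {"lachgastuning.info", "strangled.net", "semashare.com"}
# The example labels are 10 lowercase alphanumerics; the 8-12 range is an assumption.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{8,12}$")

def jar_indicators(jar_bytes):
    """Return the set of Boonana component names present in a JAR (zip) blob."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        # Compare on the basename so a directory prefix inside the archive cannot hide a hit.
        names = {n.rsplit("/", 1)[-1].lower() for n in zf.namelist()}
    return names & BOONANA_MEMBERS

def suspicious_host(host):
    """True when host is <random label>.<known parent domain>."""
    label, _, parent = host.lower().rstrip(".").partition(".")
    return parent in KNOWN_DOMAINS and bool(RANDOM_LABEL.match(label))

def scan_dns_log(lines):
    """Return (client, query) pairs for log lines whose query matches the naming scheme."""
    hits = []
    for line in lines:
        # Hypothetical resolver log: timestamp followed by key=value tokens.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        query = fields.get("query", "")
        if suspicious_host(query):
            hits.append((fields.get("client", "?"), query))
    return hits

def build_sample_jar():
    """Constructed stand-in for JPhotoAlbum.jar: the member names, placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "start.class", "classprotect.class",
                     "a.jad", "lake.jad", "jphotoalbum.jad", "logo.gif"):
            zf.writestr(name, b"constructed placeholder, not real bytecode")
    return buf.getvalue()

# Constructed DNS log lines; two use the page's example hostnames, two are benign.
SAMPLE_DNS_LOG = [
    "2010-10-29T09:15:02 client=10.0.0.7 query=38ffqm9bju.lachgastuning.info type=A",
    "2010-10-29T09:15:03 client=10.0.0.7 query=www.lachgastuning.info type=A",
    "2010-10-29T09:16:10 client=10.0.0.9 query=5oc7hzqqi9.strangled.net type=A",
    "2010-10-29T09:16:11 client=10.0.0.9 query=mail.example.com type=MX",
]
```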
 
Analysis by Jaime Wong

Symptoms

The following may indicate the presence of this malware:
  • You receive a message from a friend on Facebook or another social networking website containing a link. When you click on the link, you are prompted to install a Java applet.

Alert level: Severe
First detected by definition: 1.93.731.0
Latest detected by definition: 1.99.1126.0 and higher
First detected on: Oct 29, 2010
This entry was first published on: Nov 01, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Downloader.Java.Alboto.a (Kaspersky)
  • Trojan.Jnana.1 (Dr.Web)
  • Java/Boonana.A (ESET)
  • Boonana (McAfee)
  • Troj/Boonana-A (Sophos)
  • Trojan.Jnanabot (Symantec)
  • JAVA_JNANA.A (Trend Micro)