Exploit:Java/CVE-2010-0840.BU


Exploit:Java/CVE-2010-0840.BU is the detection for a malicious Java applet trojan that exploits a vulnerability described in CVE-2010-0840. Successful exploitation may lead to the downloading and execution of arbitrary files under the user's security context.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Additional removal instructions
This threat may be present in your Temporary Internet Files folder. We recommend that you delete your temporary Internet files to prevent the persistent detection of this threat from within the Temporary Internet Files folder.
 
To delete the temporary Internet files from Internet Explorer, refer to the following articles:

Threat behavior

Exploit:Java/CVE-2010-0840.BU is the detection for a malicious Java applet trojan that exploits a vulnerability described in CVE-2010-0840. Successful exploitation may lead to the downloading and execution of arbitrary files under the user's security context.
Installation
Exploit:Java/CVE-2010-0840.BU is an obfuscated Java applet trojan 2212 bytes in size. The applet is referenced by the name "a" and is distributed as part of a Java archive (.jar) package 3738 bytes in size. In the wild, we have observed the package being detected under names related to the Internet Explorer cache files, such as "ymdsevxrdpftgo.jar" or "yzcmftirjmbt.jar". However, the name is irrelevant to the trojan's functionality and may vary. The package also contains the following Java class files:
 
  • KAVS
  • b
 
When executed, the trojan attempts to exploit a vulnerability described in CVE-2010-0840 to gain the user's account security privileges on the targeted computer. The vulnerability affects Java Runtime Environment (JRE) up to version 6 update 18.
 
If successful, the trojan downloads, writes and executes an arbitrary file, stored within the Windows 'temp' folder. The URL of this file is held in the applet parameter "a", which is specified in the HTML file that references the applet. The downloaded file is executed under the user's security context. The applet consists of the following member functions:
 
  • a
  • start
 
When the applet is opened within a browser, the 'a' function is executed first. If the exploit is successful, the 'start' function facilitates the downloading and execution of an arbitrary file. The other class files in the .jar package serve to obfuscate the Java applet and the strings within it.
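As an added triage example (not part of the original analysis), the code below checks a .jar for exactly the class member set listed above and extracts the download URL carried by the applet parameter "a" from a referencing HTML page. The sample page, the placeholder URL and the class file contents are constructed for the example; only the member names and the cache-style .jar name come from the write-up.

```python
import io
import zipfile
from html.parser import HTMLParser

# Class member names inside the .jar, as listed in the write-up above.
SUSPECT_CLASSES = {"a.class", "KAVS.class", "b.class"}

def jar_matches_profile(jar_bytes):
    """True if the archive's class files are exactly the described set (a, KAVS, b)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        classes = {n.rsplit("/", 1)[-1] for n in zf.namelist() if n.endswith(".class")}
    return classes == SUSPECT_CLASSES

class _AppletParamScanner(HTMLParser):
    """Collects (archive, url) pairs for <applet> tags whose <param name="a"> holds a URL."""
    def __init__(self):
        super().__init__()
        self.hits = []
        self._archive = None  # archive attribute while inside an <applet> element

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "applet":
            self._archive = attr.get("archive") or ""
        elif tag == "param" and self._archive is not None:
            value = attr.get("value") or ""
            if attr.get("name") == "a" and value.lower().startswith(("http://", "https://")):
                self.hits.append((self._archive, value))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._archive = None

def find_applet_download_urls(html):
    """Return (archive, url) pairs found in the page; empty if none."""
    scanner = _AppletParamScanner()
    scanner.feed(html)
    return scanner.hits

# Constructed sample landing page; the URL is a placeholder, not a real indicator.
SAMPLE_HTML = ('<applet code="a" archive="ymdsevxrdpftgo.jar" width="1" height="1">'
               '<param name="a" value="http://placeholder.example/file.exe"></applet>')

def build_sample_jar():
    """Constructed .jar with the described member names (bodies are just class magic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SUSPECT_CLASSES:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

A .jar that matches the profile together with a cached page whose applet parameter "a" carries a URL is a strong hint that the cache entry is this downloader rather than a benign applet.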
Additional information
It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet was visited and cached locally. To stop such notifications, it is often enough to purge the cache using the web browser's configurable security options.
 
Analysis by Oleg Petrovsky

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
This entry was first published on: Mar 22, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Downloader.Java.OpenConnection.bu (Kaspersky)
  • Java.Trojan.Downloader.OpenConnection.AI (BitDefender)
  • Troj/JavaBz-E (Sophos)