TrojanDownloader:Java/OpenConnection.OS


TrojanDownloader:Java/OpenConnection.OS is a malicious Java applet that downloads arbitrary files from a remote server and executes them on the affected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Update vulnerable applications

This threat exploits a known vulnerability in the Java Runtime Environment (JRE), CVE-2010-0840. To prevent your computer from being vulnerable to this malware, install the updates available from the vendor (Oracle) and confirm afterwards that the browser's Java plug-in is using the updated JRE rather than an older copy that is still installed. You can read more about this vulnerability from the following links:

Threat behavior

TrojanDownloader:Java/OpenConnection.OS is a malicious Java applet that downloads arbitrary files from a remote server and executes them on the affected computer.

Installation

TrojanDownloader:Java/OpenConnection.OS may be served from a malicious website as a Java archive (JAR) file, and has been observed exploiting the vulnerability described in CVE-2010-0840. That issue, the "trusted method chaining" sandbox escape fixed in Java SE 6 Update 19 (March 2010), lets an untrusted applet run with the privileges of the logged-on user instead of inside the applet sandbox, which is what allows the applet to write the downloaded files to disk and execute them.

The applet is often bundled with TrojanDownloader:Java/OpenConnection.OU.

Payload

Downloads arbitrary files

The trojan attempts to download arbitrary files from the remote server 'quemoten.com' and execute them on the affected computer.

In the wild, we have observed the trojan downloading the following files:

  • <removed>/aroma.gif
  • <removed>/webing.png

Although the file names carry image extensions, the files are executed after download, so the extension says nothing about the content; inspect such files by their actual content rather than their name.
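The following script is an added triage example; it is not part of this encyclopedia entry and is not a Microsoft detection. It shows how an analyst can confirm the download-and-execute pattern described under Installation and Payload by reading the constant pool of each class inside a JAR, without loading or running the applet: the class and method names referenced by Java bytecode are stored as plain CONSTANT_Utf8 entries, so the co-occurrence of java/net/URL with openConnection, java/io/FileOutputStream, and java/lang/Runtime with exec (or ProcessBuilder) is a direct static indicator of a downloader. The JAR the script builds in memory is constructed for the demonstration (its class files hold only a constant pool and are not loadable); the host quemoten.com is taken from this entry, while the indicator lists and all function names are the example's own choices.

```python
import io
import struct
import zipfile

# Constant-pool tags other than CONSTANT_Utf8 (tag 1) have fixed-size payloads;
# CONSTANT_Long (5) and CONSTANT_Double (6) also occupy two pool slots.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# API names that together make up the download-then-execute pattern. Class and
# method names are stored as individual Utf8 entries, so exact matching suffices.
INDICATORS = {
    "applet": {"java/applet/Applet", "javax/swing/JApplet"},
    "network": {"java/net/URL", "java/net/URLConnection", "openConnection"},
    "file_write": {"java/io/FileOutputStream"},
    "execution": {"java/lang/Runtime", "exec", "java/lang/ProcessBuilder"},
}
# Host named in the entry above; string literals are matched by substring.
KNOWN_HOSTS = ("quemoten.com",)


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 value from a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in CP_FIXED_SIZE:
            pos += CP_FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1
    return strings


def scan_jar(jar_bytes):
    """Map each .class entry in the JAR to the indicator categories it hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            strings = constant_pool_strings(jar.read(name))
            present = set(strings)
            hits = {}
            for category, needles in INDICATORS.items():
                matched = sorted(needles & present)
                if matched:
                    hits[category] = matched
            hosts = sorted(h for h in KNOWN_HOSTS if any(h in s for s in strings))
            if hosts:
                hits["known_host"] = hosts
            findings[name] = hits
    return findings


def is_downloader(findings):
    """True when the classes, taken together, fetch, write to disk and execute."""
    categories = set()
    for hits in findings.values():
        categories.update(hits)
    return {"network", "file_write", "execution"} <= categories


def build_class(utf8_strings):
    """Constructed, non-loadable class file: a constant pool holding the given
    Utf8 entries plus one CONSTANT_Class and one two-slot CONSTANT_Long, then
    empty field/method/attribute tables. Exists only to exercise the parser."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode() for s in utf8_strings)
    pool += struct.pack(">BH", 7, 1)        # CONSTANT_Class -> Utf8 entry #1
    pool += struct.pack(">BQ", 5, 0x1234)   # CONSTANT_Long, occupies two slots
    count = len(utf8_strings) + 3 + 1       # slots used + 1, per the class file format
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, count)
    trailer = struct.pack(">HHHHHHH", 0x21, 1, 1, 0, 0, 0, 0)
    return header + pool + trailer


def build_sample_jar():
    """Constructed two-class JAR: one class carrying the downloader pattern, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Loader.class", build_class([
            "Loader", "java/applet/Applet", "java/net/URL", "openConnection",
            "java/io/FileOutputStream", "java/lang/Runtime", "exec",
            "http://quemoten.com/",  # constructed literal using the host named in this entry
        ]))
        jar.writestr("Helper.class", build_class(["Helper", "java/lang/Object", "toString"]))
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_jar(build_sample_jar())
    for class_name, hits in result.items():
        print(class_name, hits or "no indicators")
    print("downloader pattern:", is_downloader(result))
```

Obfuscated samples frequently resolve these names at run time through reflection or decrypt them from byte arrays, in which case the pool shows java/lang/reflect/Method, java/lang/Class, forName and invoke instead of the APIs above. Treat a match as a triage signal that justifies dynamic analysis, and treat the absence of a match as inconclusive rather than as a clean verdict.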

Analysis by Patrik Vicol


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    <removed>/aroma.gif
    <removed>/webing.png


Prevention


Alert level: Severe
First detected by definition: 1.111.2044.0
Latest detected by definition: 1.151.1570.0 and higher
First detected on: Sep 12, 2011
This entry was first published on: Sep 27, 2011
This entry was updated on: Oct 04, 2011

This threat is also detected as:
No known aliases