Threat behavior
Exploit:Java/CVE-2010-0840.CQ is a detection for a malicious Java applet trojan that exploits the vulnerability described in CVE-2010-0840. Successful exploitation may lead to the downloading and execution of arbitrary files under the user's security context.
Installation
Exploit:Java/CVE-2010-0840.CQ is an obfuscated Java applet trojan 4527 bytes in size. The applet is referenced by the name "c2" and is distributed as part of a Java archive (.jar) 8591 bytes in size. The JAR file contains two packages: "mark2" and "powerColor". The malicious applet and the threat-related class files are located inside the "powerColor" package. In the wild, we have observed the package being detected under names that resemble Internet Explorer cache files; however, the name is irrelevant to the trojan's functionality and may vary. The "powerColor" package also contains the following Java class files:
When executed, the trojan attempts to exploit a vulnerability described in CVE-2010-0840 to gain the user's account security privileges on the targeted computer. The vulnerability affects Java Runtime Environment (JRE) up to version 6 update 18.
If successful, the trojan downloads, writes and executes an arbitrary file, stored in the Windows 'temp' folder under the file name <randomly generated numbers>.exe. The file to download is identified by a URL string stored in the parameter "biint", which is specified in the HTML file that references the applet. The downloaded file is executed under the user's security context. The applet consists of the following member functions:
- part1
- part2
- part3
- part4
- c2
- start
When the applet is opened in a browser, the applet's "constructor", the member function c2, is executed and attempts to exploit the vulnerability. If the exploit is successful, the 'start' function handles the downloading and execution of the arbitrary file. The file is executed by invoking Runtime.exec.
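As an added triage example (not part of the original analysis), the following Python script checks the two artifacts described above from a defender's side: a cached JAR for class files under the "mark2" and "powerColor" packages, and the referring HTML page for an applet parameter named "biint" carrying a download URL. The sample JAR and HTML are constructed here; the class names other than c2 and the URL are placeholders, not values from the real sample.

```python
import io
import re
import zipfile

# Constructed HTML page modelled on the description above: an applet tag for
# "c2" with a "biint" parameter holding the URL of the file to download.
SAMPLE_HTML = """<html><body>
<applet code="powerColor.c2.class" archive="cache.jar" width="1" height="1">
  <param name="biint" value="http://example.invalid/payload.exe">
</applet>
</body></html>"""

INDICATOR_PACKAGES = ("mark2/", "powerColor/")  # packages named on the page
INDICATOR_PARAM = "biint"                        # applet parameter named on the page


def suspicious_jar_entries(jar_bytes):
    """Return .class entries under the mark2/ or powerColor/ packages of an
    in-memory JAR; [] if the data is not a valid JAR or has no such entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names
            if n.endswith(".class") and n.startswith(INDICATOR_PACKAGES)]


def applet_download_urls(html):
    """Extract the value of every <param name="biint" value="..."> tag."""
    pattern = re.compile(
        r'<param\s+name\s*=\s*["\']' + INDICATOR_PARAM +
        r'["\']\s+value\s*=\s*["\']([^"\']+)["\']', re.I)
    return pattern.findall(html)


def build_sample_jar():
    """Build a constructed JAR with the package layout described above.
    Class bodies are just the 0xCAFEBABE magic; a.class and b.class are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("mark2/a.class", b"\xca\xfe\xba\xbe")
        jar.writestr("powerColor/c2.class", b"\xca\xfe\xba\xbe")
        jar.writestr("powerColor/b.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def triage(jar_bytes, html):
    """Combine both checks: flag only when the JAR layout and the applet
    parameter are both present, to keep false positives low."""
    classes = suspicious_jar_entries(jar_bytes)
    urls = applet_download_urls(html)
    return {"classes": classes, "urls": urls, "match": bool(classes and urls)}
```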
Additional information
It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a web page containing a malicious applet was visited and cached locally. To stop such notifications it is often enough to purge the cache using the web browser's configurable security options.
Analysis by Oleg Petrovsky
Prevention