Threat behavior
TrojanDownloader:Java/OpenConnection.AK is a trojan Java applet that could allow the downloading and execution of arbitrary malicious files.
Installation
TrojanDownloader:Java/OpenConnection.AK may be served from a malicious website as a Java .JAR archive named "sunny.jar", of varying size but normally around 14 KB. The applet is invoked from an HTML page that references the class file "Changes.class" contained in the .JAR archive.
The archive contains the following class files: "Changes.class", "MyBuilds.class", "MyFiles.class". The class file names are not consistent across samples; for instance, variants have used names such as "Services.class", "Gmerrews.class", "Patchers.class".
Payload
Downloads and executes arbitrary files
If the trojan applet is run on a vulnerable computer, it could allow the downloading and execution of arbitrary malicious files. The applet receives the URL of the file to download through applet parameters named "data" and "cc". These parameters are defined in the HTML document that references the applet, so the same applet code can be reused for any number of downloaded files simply by changing the "data" and "cc" values in the hosting web page.
Once the applet is loaded by the Java virtual machine (JVM), it attempts to download a file from the specified URL and store it locally. The file is written to a TEMP folder under the name "<random number>.exe". If the download succeeds, the file is then executed as a separate process.
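The hosting page is the part of this chain a defender can inspect cheaply: a page that embeds a .JAR applet using one of the class names above and passes "data" and "cc" parameters matches the pattern just described. The following heuristic scanner is an added example written for this write-up, not code from the original analysis; the indicator weighting, the `scan_html` helper and the sample page are all constructed here.

```python
"""Heuristic scan for HTML that embeds an applet matching the pattern above:
a .jar archive, a class name used by this family, and "data"/"cc" params."""
from html.parser import HTMLParser

# Class names quoted in the write-up; the list is not exhaustive.
KNOWN_CLASS_NAMES = {"Changes.class", "MyBuilds.class", "MyFiles.class",
                     "Services.class", "Gmerrews.class", "Patchers.class"}
SUSPICIOUS_PARAMS = {"data", "cc"}

class _AppletScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # flagged elements, each with a "reasons" list
        self._current = None  # the <applet>/<object> currently being read
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("applet", "object"):
            self._current = {"tag": tag, "archive": a.get("archive", ""),
                             "code": a.get("code", ""), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")
    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self._current is not None:
            self._score(self._current)
            self._current = None
    def _score(self, el):
        # <object> embeds often pass archive/code as <param>s instead of attributes.
        archive = el["archive"] or el["params"].get("archive", "")
        code = el["code"] or el["params"].get("code", "")
        reasons = []
        if archive.lower().endswith(".jar"):
            reasons.append("jar archive: " + archive)
        if code in KNOWN_CLASS_NAMES:
            reasons.append("known class name: " + code)
        if SUSPICIOUS_PARAMS <= set(el["params"]):
            reasons.append("data/cc parameters present")
        if len(reasons) >= 2:  # two or more indicators -> flag for analyst review
            el["reasons"] = reasons
            self.findings.append(el)

def scan_html(html: str) -> list:
    """Return applet/object elements that match at least two indicators."""
    p = _AppletScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page mimicking the hosting HTML described above.
SAMPLE_HTML = ('<html><body><applet archive="sunny.jar" code="Changes.class">'
               '<param name="data" value="http://example.invalid/payload.bin">'
               '<param name="cc" value="1"></applet></body></html>')
```

Run `scan_html` over cached or proxied HTML; a single indicator (a benign .jar applet, say) is not flagged, while the combination of a .JAR archive, a known class name and the "data"/"cc" parameters is.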
Additional information
The name of the Java applet could be anything and does not affect the applet's functionality. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache; this does not necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a web page containing a malicious applet was visited and cached locally. To stop such notifications, it is usually enough to purge the cache using the web browser's security settings.
Analysis by Oleg Petrovsky
Prevention