Threat behavior
TrojanDownloader:Java/OpenConnection.AO is a trojan Java applet that allows the downloading and execution of arbitrary and malicious files.
Installation
TrojanDownloader:Java/OpenConnection.AO may be invoked by a malicious website as a Java .JAR archive. The applet is invoked from an HTML page by referencing "Inicio.class", which is stored in the .JAR file.
In the wild, we have observed the malicious file "Inicio.class" accompanied by "Connect4Kernel.class" and "Connect4.class", which together implement a one-player "Connect 4" game.
Note: This game has nothing to do with the malicious content.
Payload
Downloads arbitrary files
The malicious HTML feeds “Inicio.class” the URL of the file to download by supplying a parameter named "url" in the invocation of the class.
TrojanDownloader:Java/OpenConnection.AO will attempt to download the supplied file. When downloaded, the file will be saved as "javatmp<random digits>.exe" in the temporary directory.
If the downloaded file is larger than one byte, TrojanDownloader:Java/OpenConnection.AO will attempt to run it: if the file extension is ".jar", it invokes Java on the file; for all other file extensions, it executes the file using the Java Runtime.exec() method. If running the file fails, TrojanDownloader:Java/OpenConnection.AO attempts to create a batch file that runs it and executes that batch file instead.
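The two observable artifacts described above (an applet tag that loads "Inicio.class" and passes a "url" parameter, and a dropped file named "javatmp<random digits>.exe") can both be checked for programmatically. The following is an added detection example, not code from the original write-up; the sample HTML is constructed and the host and file names in it are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real capture): loads Inicio.class from a
# .jar archive and supplies the download target via the "url" parameter.
SAMPLE_HTML = """
<html><body>
<applet code="Inicio.class" archive="game.jar" width="1" height="1">
  <param name="url" value="http://example.invalid/payload.exe">
</applet>
</body></html>
"""

# Name pattern under which the payload is written to the temp directory.
TEMP_ARTIFACT = re.compile(r"^javatmp\d+\.exe$", re.IGNORECASE)


class AppletScanner(HTMLParser):
    """Collects <applet> tags together with their <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"code": attrs.get("code", ""),
                             "archive": attrs.get("archive", ""),
                             "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            name = attrs.get("name", "").lower()
            self._current["params"][name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def find_suspicious_applets(html):
    """Return (archive, download_url) for every applet whose code attribute
    references Inicio.class and which is handed a 'url' parameter."""
    scanner = AppletScanner()
    scanner.feed(html)
    return [(a["archive"], a["params"]["url"]) for a in scanner.applets
            if a["code"].lower().endswith("inicio.class") and "url" in a["params"]]


def is_temp_artifact(filename):
    """True if a file name matches the javatmp<random digits>.exe pattern."""
    return bool(TEMP_ARTIFACT.match(filename))
```

Run `find_suspicious_applets` over captured landing pages and `is_temp_artifact` over directory listings of user temp folders; a hit on either is an indicator worth triaging, not proof of infection on its own.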
Analysis by Michael Johnson
Prevention