Exploit:Java/CVE-2010-0840.EW


Exploit:Java/CVE-2010-0840.EW is a detection for certain malicious Java applets that exploit a privilege escalation vulnerability described in CVE-2010-0840. The vulnerability is present in Java Runtime Environment (JRE) versions 5 and 6. Successful exploitation could lead to the download and execution of other malware.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Update vulnerable applications
This threat exploits known vulnerabilities in the Java Runtime Environment. After removing this threat, make sure that you install the updates available from the vendor. You can read more about these vulnerabilities in Java applets, and find where to download the software update, at the following links:

Over time, multiple vulnerable versions of Java may remain on your computer in separate folders. It is "highly recommended" that users remove all older versions of Java, as keeping older versions on your system presents a security risk. See the following FAQ article:

Threat behavior


This exploit may be encountered when visiting a compromised web page. The modified page contains injected malicious JavaScript that, when run, creates an IFrame pointing to another web page that hosts the exploit. That page runs obfuscated JavaScript which checks the installed Java version and attempts to load the malicious Java applet, detected as Exploit:Java/CVE-2010-0840.EW, from a file named "worms.jar". This Java archive file contains the following other files:

  • MailAgent.class - detected as Exploit:Java/CVE-2010-0840.EW
  • Cid.class
  • ClassId.class
  • ClassType.class
  • VirtualTable.class

Payload

Downloads an arbitrary file
If the exploit executes successfully, it attempts to download arbitrary files from the following domains:


The exploit attempts to download the executable, save it under a random file name, and run it via the following command shell instruction:

  • regsvr32 -s <downloaded file name>.exe
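
As an added defender-side example, not part of this entry or any Microsoft tooling, the following Python checks a JAR's entry names against the class list given above and scans process-creation log lines for the "regsvr32 -s <name>.exe" execution step (regsvr32 normally registers DLLs, so an .exe argument is the anomaly to alert on). The log line format and all sample values are constructed assumptions.

```python
import re
import zipfile
from io import BytesIO

# Entry names the write-up lists inside worms.jar.
KNOWN_JAR_ENTRIES = {
    "MailAgent.class", "Cid.class", "ClassId.class",
    "ClassType.class", "VirtualTable.class",
}

# regsvr32 invoked silently (-s or /s) on an .exe rather than a DLL.
REGSVR32_EXE_RE = re.compile(
    r"regsvr32(?:\.exe)?\s+[-/]s\s+\S+\.exe\b", re.IGNORECASE)


def jar_entry_overlap(jar_bytes: bytes) -> set:
    """Return the base names of JAR entries that match the known list."""
    with zipfile.ZipFile(BytesIO(jar_bytes)) as jar:
        names = {name.rsplit("/", 1)[-1] for name in jar.namelist()}
    return names & KNOWN_JAR_ENTRIES


def flag_regsvr32_events(log_lines):
    """Return (parent image, command line) for lines matching the pattern.

    Assumed (constructed) line format: '<time> parent=<image> cmd=<command>'.
    """
    hits = []
    for line in log_lines:
        m = re.search(r"parent=(\S+)\s+cmd=(.*)$", line)
        if m and REGSVR32_EXE_RE.search(m.group(2)):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def build_sample_jar() -> bytes:
    """Constructed stand-in for worms.jar: same entry names, empty bodies."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(KNOWN_JAR_ENTRIES):
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed process-creation log: only the first line should alert.
SAMPLE_LOG = [
    "10:00:01 parent=javaw.exe cmd=regsvr32 -s C:\\Temp\\ab12cd.exe",
    "10:00:02 parent=explorer.exe cmd=regsvr32 /s C:\\Windows\\System32\\x.dll",
    "10:00:03 parent=java.exe cmd=cmd.exe /c echo hi",
]

if __name__ == "__main__":
    print("JAR entries matched:", sorted(jar_entry_overlap(build_sample_jar())))
    for parent, cmd in flag_regsvr32_events(SAMPLE_LOG):
        print("ALERT:", parent, cmd)
```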

Analysis by Sergey Chernyshev


Symptoms

There are no common symptoms associated with this threat - links are activated within IFrames while viewing web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptoms. 

Prevention


Alert level: Severe
First detected by definition: 1.107.1742.0
Latest detected by definition: 1.117.2303.0 and higher
First detected on: Jul 14, 2011
This entry was first published on: Jul 14, 2011
This entry was updated on: Oct 17, 2011

This threat is also detected as:
  • Java/Exploit.NF (AVG)
  • Exploit.CVE2010-0840.18 (Dr.Web)
  • Exploit.Java.CVE-2010-0840.db (Kaspersky)
  • Exploit/CVE-2010-0840.R (Norman)
  • Troj/JavaMI-Gen (Sophos)
  • Trojan.Maljava (Symantec)