Technical Details

This Trojan exploits a vulnerability in Oracle Java SE (CVE-2010-0840) to execute a random code on a vulnerable system. It is a Java class file. It is 6592 bytes in size.


A malicious Java applet is activated after an infected HTML page is opened in the user's browser. The applet is launched by means of an "<applet>" HTML tag for which the application's main class is indicated as one of parameters:


The JAR archive contains this malicious class:

as well as the "pid" parameter value containing an encrypted link. The exploit uses a vulnerability that enables the malicious applet to call privileged methods without a proper security check (CVE-2010-0840). This is how the exploit can execute a random code on the vulnerable system. Oracle Java SE and Java for Business are vulnerable:
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 6.0, 18th update and earlier versions for Windows, Solaris and Linux;
  • Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0, 23rd update and earlier versions for Solaris;
  • Software Development Kit (SDK) 1.4.2, 25th update and earlier versions for Solaris.

After exploiting this vulnerability, the malware decrypts the link and uses it to download a file. The downloaded file is saved in the current user's temporary files directory under the name:


where rnd is a random fractional number, for example, "0.8608151138918041" or "0.6955395946128761". The executable file is then launched for execution.

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Update Oracle Java JRE and JDK to the latest versions.
  3. Empty the Temporary Internet Files directory, which contains infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%

  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

[MD5: 3dbebab0fa1b98e1ea72174562734629]
[SHA1: ab07e2ed064897c562870cc8628aa3a445e06a58]