If your computer was not protected by anti-virus software and has been infected with this malware, take the following actions to remove it:
- Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
- Update the JRE to the latest version.
- Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
When the malicious HTML document is opened, it is decoded using JavaScript, and code is written into its body which carries out the following actions:
- it launches a script, the location of which depends on the version of the trojan:
  http://www.anr***ezrs.net/placeholder-4211928?target=_top&mouseover=Y
  http://www.anr***ezrs.net/placeholder-4211915?target=_top&mouseover=Y
  http://www.anr***ezrs.net/placeholder-4211938?target=_top&mouseover=Y
  http://www.k***yfj.com/placeholder-4211931?target=_top&mouseover=Y
- Using the "<APPLET>" tag, it launches the Java applet. Depending on the trojan version, the name of the JAR archive containing the applet may differ:
The class implementing the applet code may be named as follows:
- It launches the applet, the class-file for which is located at the following address:
The trojan contains a function that allows it to launch certain malicious scripts, as well as Java applets, using the vulnerability CVE-2010-4452 to download other malware to the infected computer. It is an HTML document containing JavaScript. Depending on the version, it may be between 922 and 1648 bytes in size.
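
A triage check for the behaviour described above, added here as an example and not taken from the original description: it scans already-decoded markup (for instance a DOM dump from a sandbox) for remote scripts and for applet tags whose class or archive is given as a full URL. The sample documents, the host name `host.example`, the file names and the rule itself are constructed assumptions, and the rule is a heuristic rather than a signature for this trojan.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of decoded markup; host and file names are placeholders.
SAMPLE_DECODED = """<html><body>
<script src="http://host.example/placeholder-1?target=_top&mouseover=Y"></script>
<applet code="http://host.example/dir/Sample.class" width="1" height="1"></applet>
</body></html>"""

# Constructed benign page: the applet class and archive are relative names.
SAMPLE_BENIGN = """<html><body>
<applet code="Clock.class" archive="clock.jar" width="200" height="100"></applet>
</body></html>"""


def is_absolute_url(value):
    """True when an attribute value is an http(s) URL rather than a relative name."""
    parsed = urlparse(value or "")
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


class AppletTriage(HTMLParser):
    """Records remote scripts and applets whose class or archive is a URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # tag and attribute names arrive lower-cased
        if tag == "script" and is_absolute_url(attrs.get("src")):
            self.findings.append(("remote-script", attrs["src"]))
        elif tag == "applet":
            for name in ("code", "archive"):
                if is_absolute_url(attrs.get(name)):
                    self.findings.append(("applet-" + name + "-url", attrs[name]))


def triage(markup):
    """Return (suspicious, findings); suspicious when an applet loads from a URL."""
    parser = AppletTriage()
    parser.feed(markup)
    parser.close()
    suspicious = any(kind.startswith("applet-") for kind, _ in parser.findings)
    return suspicious, parser.findings


if __name__ == "__main__":
    for label, doc in (("decoded sample", SAMPLE_DECODED), ("benign", SAMPLE_BENIGN)):
        print(label, triage(doc))
```

Because the page is decoded by its own script at load time, running this against the raw file as stored on disk may find nothing; feed it the markup after decoding.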