Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Update the JRE to the latest version.
  3. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


After launching the malicious HTML-document, using Java Script tools, it is decoded and a code is recorded in its body which carries out the following actions:

  • it launches a script, the location of which depends on the version of the trojan:

  • Using the "<APPLET>" tag, it launches the Java-applet. Depending on the trojan version, the name of the JAR-archive containing the applet may be changed:

    The class implementing the applet code may be named as follows:

  • It launches the applet, the class-file for which is located at the following address:
The launched Java-applets use the vulnerability CVE-2010-4452 in the "Deployment" component in the Java Runtime Environment (JRE) in Oracle Java SE (up to version 6, update 23) to download the file to the infected computer.

Technical Details

The trojan contains a function that allows it to launch certain malicious scripts, as well as Java-applets, using the vulnerability CVE-2010-4452 to download other malware to the infected computer. It is a HTML-document, containing Java Script. Depending on the version, it may be between 922 and 1648 bytes.