If your computer is not protected with anti-virus software and has been infected with this malware, take the following actions to remove it:
- Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
- Delete the following files:
- Update Sun Java JRE and JDK to the latest versions.
- Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).
The trojan is a Java applet implemented as a class named "GoogleSearch". It is launched from an infected HTML page via the "<APPLET>" tag, whose "aaa" parameter carries a string of encrypted links to the files to be downloaded. The links in this string are separated by the characters "::". After launching, the trojan decrypts the received links using the "replaceAll" function. The decoding uses the following mapping between input and output characters:
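The parameter handling described above, as an added example that is not the sample's own code: a Python decoder that pulls the "aaa" parameter out of an <APPLET> tag, reverses a single-character substitution (str.translate here stands in for the applet's chain of replaceAll calls) and splits the result on "::". The substitution table, the hostnames and the HTML fragment are constructed for illustration, since the page does not reproduce the real mapping; the assumption that "::" passes through the substitution unchanged is also mine.

```python
"""Decoder for the applet parameter layout described above.

The "aaa" parameter of the <APPLET> tag carries "::"-separated links that
have been obfuscated by a fixed character substitution; the applet undoes
the substitution with a chain of replaceAll calls.  str.translate performs
the same single-character mapping in one step.

ASSUMPTIONS (not taken from the page): the substitution table, the sample
links and the HTML fragment below are constructed; the separator "::" is
assumed to pass through the substitution unchanged.
"""
from html.parser import HTMLParser

# Constructed alphabet and a rotated copy of it.  Decoding maps each
# character of CIPHER back to the character at the same index in PLAIN;
# ':' is deliberately left out so "::" survives in both forms.
PLAIN = "abcdefghijklmnopqrstuvwxyz0123456789/.-_"
CIPHER = PLAIN[7:] + PLAIN[:7]
DECODE_TABLE = str.maketrans(CIPHER, PLAIN)
ENCODE_TABLE = str.maketrans(PLAIN, CIPHER)  # only used to build the sample

LINK_SEPARATOR = "::"


def decode_links(param_value: str) -> list[str]:
    """Split the raw parameter on '::' and reverse the substitution per link."""
    links = []
    for chunk in param_value.split(LINK_SEPARATOR):
        if chunk:
            links.append(chunk.translate(DECODE_TABLE))
    return links


class AppletParamExtractor(HTMLParser):
    """Collect <param name=... value=...> pairs that sit inside <applet>."""

    def __init__(self) -> None:
        super().__init__()
        self.in_applet = False
        self.applet_code = None
        self.params: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self.in_applet = True
            self.applet_code = attrs.get("code")
        elif tag == "param" and self.in_applet:
            self.params[attrs.get("name") or ""] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False


def extract_links_from_html(html: str, param_name: str = "aaa") -> list[str]:
    """Return the decoded download links carried by the applet's parameter."""
    parser = AppletParamExtractor()
    parser.feed(html)
    parser.close()
    raw = parser.params.get(param_name)
    return decode_links(raw) if raw else []


# Constructed sample page: two placeholder links obfuscated with the
# constructed table (hostname is a reserved .invalid name, not a real host).
SAMPLE_LINKS = ["http://dl.example.invalid/a.exe", "http://dl.example.invalid/b.dll"]
SAMPLE_PARAM = LINK_SEPARATOR.join(link.translate(ENCODE_TABLE) for link in SAMPLE_LINKS)
SAMPLE_HTML = (
    "<html><body>\n"
    '<applet code="GoogleSearch.class" width="1" height="1">\n'
    f'  <param name="aaa" value="{SAMPLE_PARAM}">\n'
    "</applet>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    print("encoded parameter:", SAMPLE_PARAM)
    for link in extract_links_from_html(SAMPLE_HTML):
        print("download link   :", link)
```

Because characters outside the table are left untouched by str.translate, the same decoder works whether or not the real sample's mapping covers every URL character; only the table itself has to be swapped for the one recovered from the applet.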
Then, in a loop, the files are downloaded from the decrypted links. Each link may yield either an executable file (.exe) or a dynamic-link library (.dll). The downloaded files are saved in the current user's temporary directory as
where <rnd> is a random fractional number between 0 and 1.
After a successful download, an executable file is launched directly. A downloaded dynamic-link library is launched by registering it with the "regsvr32.exe" system utility:
regsvr32 -s %Temp%\<rnd>.dll
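Detection logic for the drop-and-launch behaviour just described, as an added example written here rather than taken from the page: it scans process-creation records for regsvr32 run silently against a DLL in the user's temp directory whose name is a fractional number, and for executables with the same naming pattern started from that directory. The record format (timestamp|image|command line), the user name, the paths and the sample lines are all constructed.

```python
"""Hunt for the drop-and-launch behaviour described above in process logs.

Two rules, both derived from the page's description of the sample:
  1. regsvr32.exe run with a silent switch (-s or /s) against a DLL in the
     user's temp directory whose name is a fractional number (0.NNNN.dll);
  2. an executable with the same naming pattern (0.NNNN.exe) started from
     the temp directory.

ASSUMPTIONS (not from the page): the record format "timestamp|image|command
line", the user name, the paths and the sample records are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "<rnd>" is a random fraction between 0 and 1, so the basename looks like
# "0.7612345" followed by the extension.
RANDOM_DECIMAL_NAME = re.compile(r"(?:^|\\)0\.\d+\.(?:exe|dll)$", re.IGNORECASE)
# Either an expanded temp path (...\Temp\...) or the unexpanded %Temp% form.
TEMP_DIR = re.compile(r"(?:\\temp\\|%temp%\\)", re.IGNORECASE)
SILENT_SWITCH = re.compile(r"(?:^|\s)[-/]s(?=\s|$)", re.IGNORECASE)
# Drive-letter path ending in .dll at the end of the command line, quoted or not.
REGSVR32_TARGET = re.compile(r'"?([A-Za-z]:\\[^"]*?\.dll)"?\s*$', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    rule: str
    detail: str


def in_temp_dir(path: str) -> bool:
    return TEMP_DIR.search(path) is not None


def has_random_decimal_name(path: str) -> bool:
    return RANDOM_DECIMAL_NAME.search(path) is not None


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the DLL path regsvr32 was pointed at, if one is present."""
    m = REGSVR32_TARGET.search(cmdline)
    return m.group(1) if m else None


def scan(log_text: str) -> list[Finding]:
    """Apply both rules to every 'timestamp|image|command line' record."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, image, cmdline = line.split("|", 2)
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name == "regsvr32.exe":
            target = regsvr32_target(cmdline)
            # Requiring the silent switch mirrors the sample exactly; dropping
            # that condition widens coverage at the cost of more noise.
            if (target and SILENT_SWITCH.search(cmdline)
                    and in_temp_dir(target) and has_random_decimal_name(target)):
                findings.append(Finding(timestamp, "regsvr32-temp-dll", target))
        elif in_temp_dir(image) and has_random_decimal_name(image):
            findings.append(Finding(timestamp, "temp-exe-random-name", image))
    return findings


# Constructed sample records: two hits (lines 1 and 2) and two benign lines.
SAMPLE_LOG_LINES = [
    r"2010-04-12 10:01:02|C:\WINDOWS\system32\regsvr32.exe|regsvr32 -s C:\Documents and Settings\alice\Local Settings\Temp\0.7612345.dll",
    r'2010-04-12 10:01:03|C:\Documents and Settings\alice\Local Settings\Temp\0.3341871.exe|"C:\Documents and Settings\alice\Local Settings\Temp\0.3341871.exe"',
    r"2010-04-12 10:02:10|C:\WINDOWS\system32\regsvr32.exe|regsvr32 /s C:\Program Files\Vendor\vendor.dll",
    r"2010-04-12 10:03:00|C:\Program Files\Java\jre6\bin\java.exe|java -jar app.jar",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.timestamp}  {finding.rule:22}  {finding.detail}")
```

The same two rules translate directly into an EDR or SIEM query on process-creation events; the file-name pattern is the more specific signal, the regsvr32-from-temp pattern the more general one.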
During its execution, the trojan uses the vulnerability CVE-2010-0840 in the JRE (Java Runtime Environment). The vulnerability results from insufficient validation when invoking privileged methods in the JRE, which allows an attacker to execute arbitrary code using a specially crafted object that is a subclass of the proxy class. It lets the trojan reach and invoke methods that are not normally accessible to the applet class, which is a subclass of the unprivileged "Applet" class.
A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a Java class (class file), 6422 bytes in size.