Trojan.Java.Agent.an

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following file:
    %Temp%\google.exe

  3. Clear the Temporary Internet Files directory which may contain infected files (How to delete infected files in the Temporary Internet Files folder?).
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).


MD5: 989C5B5EADDF48010E62343D7A4DB6F4
SHA1: 18F8AE4E2B3ABC0C151E08E731AA9157C1DD08CA

Payload

The malicious JAR-archive contains the following files:

Meta-inf\Manifest.mf (71 bytes)
a6a7a760c0e (145 bytes)
a.class (7594 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")
aa79d1019d8.class (4360 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")
a4cb9b1a8a5.class (3559 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")
a66d578f084.class (590 bytes) ab16db71cdc.class (789 bytes) ab5601d4848.class (1130 bytes)
ae28546890f.class (864 bytes; detected by Kaspersky Antivirus as "Trojan.Java.Agent.an")
af439f03798.class (6135 bytes; detected by Kaspersky Antivirus as "Trojan-Downloader.Java.OpenConnection.cx")

The trojan is a Java-applet. It is launched from an infected HTML-page using the "<APPLET>"tag, for which a link to the downloadable file is transferred in encrypted form in the "a" parameter. After launching, the trojan uses the class "a" "__K" function to decode the link obtained using the following mappings for the input and output symbols:


Input symbols:

F#VD@YCR;LKU^ZBQ=&MGS!W%HP?TIK,,AN*J)O$X+E

Output symbols:
abcdefghij-klmnopqrstuvwxyz/.-::1234567890

The following substring is also attached to the unencrypted link:
?i=6

Using the link obtained, the trojan then downloads the file, saving it to the current user's temporary file directory as
%Temp%\google.exe

After successfully downloading the file, it is then launched for execution. The trojan only downloads and launches the file if the version of JRE (Java Runtime Environment) installed on the infected computer is between 1.5.0 and 1.6.0_18. If the version of JRE is between 1.6.0_19 and 1.6.0_21 and the "trigger" parameter transferred in the "<<APPLET>>"tag contains the "notie" or "isie" substrings, the following script will be launched using the "getAppletContext().showDocument" function:
javascript:JAVASKYLINE();

Technical Details

A trojan program that downloads files from the Internet without the user's knowledge and launches them. It is a JAR-archive containing a set of Java-classes (class-files). 15661 bytes.