JAVA_BEYOND.A
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses a file name that resembles a legitimate file's so that it passes for that file.
It saves the files it downloads into the folder it creates.
It contains URLs to which it connects, possibly to download other files.
TECHNICAL DETAILS
File Size: 77,454 bytes
File Type: Java Class, JAR
Initial Samples Received Date: 07 Sep 2012
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan creates the following folders:
- %User Temp%\hsperfdata_winxp
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
The folder name mimics the hsperfdata_{user name} directory that the HotSpot JVM itself creates under the Temp folder for per-process performance data, so the presence of such a folder is not by itself an indicator; a genuine one holds only files named after the process IDs of running Java processes.
It uses a file name that resembles a legitimate file's so that it passes for that file.
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CLASSES_ROOT\Applications\javaw.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\javaw.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}
It adds the following registry entries:
HKEY_CLASSES_ROOT\Applications\javaw.exe\shell\open\command
Default = ""C:\Program Files\Java\jre6\bin\javaw.exe" -jar "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\javaw.exe\shell\open\command
Default = ""C:\Program Files\Java\jre6\bin\javaw.exe" -jar "%1" %*"
(Note: HKEY_CLASSES_ROOT\Applications is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications and its per-user equivalent, so the two entries above are one value seen through two paths. The command is the same one a standard JRE 6 installation registers for javaw.exe, so on a machine that already has Java installed it matches the existing value; it only ensures that the dropped JAR can be launched through javaw.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}
StubPath = "CMd /q /C start "" /I /B JAvAw.Exe -classpath "%User Temp%\jar_cache5906588338763665408.tmp" a"
(Note: This Active Setup entry is the persistence mechanism. Windows runs the StubPath command at logon for each user until a matching {GUID} entry exists under HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components. The command starts javaw.exe with the dropped file as its classpath and "a" as the class to run; "start /B" keeps a console window from appearing, and the jar_cache{number}.tmp name follows the pattern the Java plug-in uses for its temporary JAR cache files. The mixed-case spelling of CMd and JAvAw.Exe defeats case-sensitive string matching but makes no difference to the command interpreter.)
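The Active Setup value above is the one artifact a responder should hunt for. The script below is an added example written for this entry; it is not code from the page or from the malware. It parses the text that reg export produces for the Installed Components key, undoes the .reg escaping, and flags StubPath commands that match two or more of the traits seen here (cmd /C wrapper, start /B, a Java launch, a classpath or JAR argument, a Temp path, a jar_cache{number}.tmp target, or case-mangled program names). The embedded .reg text is constructed: a benign entry with a made-up GUID, plus the malware's StubPath with %User Temp% expanded to an assumed Windows XP profile path.

```python
import re
import sys

# Constructed sample of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"`.
# The first entry (GUID made up) stands in for a stock component; the second is the malware's.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\WINDOWS\\system32\\ie4uinit.exe -UserIconConfig"
"Version"="8,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}]
"StubPath"="CMd /q /C start \"\" /I /B JAvAw.Exe -classpath \"C:\\Documents and Settings\\winxp\\Local Settings\\Temp\\jar_cache5906588338763665408.tmp\" a"
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>(?:[^"\\]|\\.)*)"\s*$')

# Program names the malware spells in mixed case. Any spelling other than
# all-lower, all-upper or Capitalised is treated as deliberate case mangling.
KNOWN_NAMES = {'cmd', 'cmd.exe', 'java', 'java.exe', 'javaw', 'javaw.exe', 'start'}

# (regex applied to the lower-cased command, reason). Each hit is one reason;
# an entry is reported once it collects two or more.
HEURISTICS = [
    (r'\bcmd(\.exe)?\b.*\s/c\b', 'cmd /C wrapper'),
    (r'\bstart\b.*\s/b\b', 'start /B hides the console window'),
    (r'\bjavaw?(\.exe)?\b', 'launches the Java runtime'),
    (r'-classpath\b|-cp\b|-jar\b', 'passes a classpath or JAR'),
    (r'temp%|\\temp\\', 'code lives under the Temp folder'),
    (r'jar_cache\d+\.tmp', 'points at a Java JAR cache file'),
]


def _unescape(value):
    # Undo .reg escaping: a backslash-backslash pair and a backslash-quote pair
    # each collapse to the second character.
    return re.sub(r'\\(.)', r'\1', value)


def parse_stubpaths(reg_text):
    """Map each Installed Components subkey path to its StubPath command."""
    stubs, key = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if m and key and m.group('name').lower() == 'stubpath':
            stubs[key] = _unescape(m.group('val'))
    return stubs


def case_mangled(command):
    """Return well-known program names whose casing is neither lower, UPPER nor Capitalised."""
    hits = []
    for tok in re.findall(r'[A-Za-z.]+', command):
        if tok.lower() in KNOWN_NAMES and tok not in (tok.lower(), tok.upper(), tok.capitalize()):
            hits.append(tok)
    return hits


def triage(reg_text):
    """Return [(guid, command, reasons)] for StubPath values matching two or more heuristics."""
    findings = []
    for key, command in parse_stubpaths(reg_text).items():
        lowered = command.lower()
        reasons = [why for pattern, why in HEURISTICS if re.search(pattern, lowered)]
        mangled = case_mangled(command)
        if mangled:
            reasons.append('case-mangled names: ' + ', '.join(mangled))
        if len(reasons) >= 2:
            findings.append((key.rsplit('\\', 1)[-1], command, reasons))
    return findings


if __name__ == '__main__':
    # reg.exe writes .reg files as UTF-16 with a BOM; fall back to the sample when no file is given.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    for guid, command, reasons in triage(text):
        print(guid)
        print('   ', command)
        print('   ', '; '.join(reasons))
```

Run it against an export taken from the suspect machine; requiring two reasons keeps ordinary StubPath values (which mostly run a signed binary from the Windows directory) out of the output, while the malware's value collects every reason in the list.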
Download Routine
This Trojan saves the files it downloads using the following names:
- %User Temp%\hsperfdata_winxp\{random letters}.{random extension names}
- %User Temp%\hsperfdata_winxp\{random filename}.exe
- %User Temp%\hsperfdata_winxp\{random numbers}
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It saves the files it downloads into the hsperfdata_winxp folder it created during installation, so they sit among whatever a real JVM writes there.
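Because the drop folder imitates a legitimate HotSpot directory, the useful check is what does not belong in one. The script below is an added example for this entry, not code from the page or from the malware. It relies on two properties of genuine hsperfdata_{user name} directories: each file is named by the decimal PID of a running Java process, and each begins with HotSpot's 0xCAFEC0C0 performance-data magic. Files with any other name, or PID-like names with other content, are reported; the content check is what catches the {random numbers} drop pattern. The folder path and listing are constructed.

```python
import os
import re

PID_RE = re.compile(r'\d+')
HSPERF_MAGIC = b'\xca\xfe\xc0\xc0'   # big-endian 0xCAFEC0C0, written at offset 0 by HotSpot


def unexpected_files(folder, entries):
    """entries maps file name -> first bytes of that file.
    Returns [(name, reason)] for every file the JVM would not have created here."""
    base = re.split(r'[\\/]', folder.rstrip('\\/'))[-1]
    if not base.lower().startswith('hsperfdata_'):
        raise ValueError('not an hsperfdata folder: ' + folder)
    findings = []
    for name, head in entries.items():
        if not PID_RE.fullmatch(name):
            findings.append((name, 'name is not a process ID'))
        elif head[:4] != HSPERF_MAGIC:
            # {random numbers} names mimic a PID, so look past the name at the content.
            kind = 'PE executable' if head[:2] == b'MZ' else 'unknown content'
            findings.append((name, 'PID-like name but ' + kind))
    return findings


def scan_folder(folder):
    """Read the first four bytes of each file in an hsperfdata_* folder and triage it."""
    entries = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, 'rb') as fh:
                entries[name] = fh.read(4)
    return unexpected_files(folder, entries)


# Constructed listing: one file a live JVM would write plus the three drop patterns.
SAMPLE_FOLDER = r'C:\Documents and Settings\winxp\Local Settings\Temp\hsperfdata_winxp'
SAMPLE_ENTRIES = {
    '1568': HSPERF_MAGIC + b'\x00' * 4,   # genuine perf-data file for PID 1568
    'kqz.dat': b'PK\x03\x04',             # {random letters}.{random extension names}
    'xhrpt.exe': b'MZ\x90\x00',           # {random filename}.exe
    '5906588': b'MZ\x90\x00',             # {random numbers} hiding a PE file
}

if __name__ == '__main__':
    for name, reason in unexpected_files(SAMPLE_FOLDER, SAMPLE_ENTRIES):
        print(name, '-', reason)
```

On a live host call scan_folder() on each hsperfdata_* directory under the Temp folder; a clean directory yields an empty list, and anything reported is worth pulling for analysis.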
Other Details
This file contains URLs to which it connects, possibly to download other files. As of this writing, it contains the following URLs:
- youporn.com
- go.com
- orkut.com
- hotfile.com
- rapidshare.com
- nytimes.com
NOTES:
The malware may have used, or attempted to use, the sites above as hosting locations for the files it downloads. The domains themselves are not malicious.