JAVA_EXPLOYT.YYS

This Trojan may be hosted on a website and run when a user accesses the said website.

Arrival Details

This Trojan may be hosted on a website and run when a user accesses the said website.

Download Routine

This Trojan takes advantage of the following software vulnerabilities to download possibly malicious files:

• Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2012-0507)

It saves the files it downloads using the following names:

• %User Temp%\{random file name 1}.tmp
• %User Temp%\{random file name 2}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components:

• data
• jar
• lhost
• lport

NOTES:

This malware combines the two downloaded files into one file named %User Temp%\{random file name 3}.cpl. It does this by creating a batch file named %User Temp%\{random file name 3}.bat that contains the following command:

copy "%User Temp%\{random file name 1}.tmp" /b + "%User Temp%\{random file name 2}.tmp" %User Temp%\{random file name 4}.cpl /y"

This malware uses Windows Task Scheduler to create scheduled tasks for {random file name 3}.bat and {random file name 4}.cpl. In the said scheduled tasks, the file {random file name 3}.bat runs once 10 minutes after the malware JAVA_EXPLOYT.YYS is executed, while the file {random file name 4}.cpl runs once 11 minutes after the malware JAVA_EXPLOYT.YYS is executed. As a result, malicious routines of the downloaded files are exhibited on the affected system.