JAVA_EXPLOYT
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
EXPLOYT variants may arrive on a system bundled with malware or grayware packages, or hosted on a website and runs when a user accesses said website.
EXPLOYT malware takes advantage of certain vulnerabilities to download malicious files onto the affected system. It does this by using an exploit kit that allows anattacker to take advantage of most known vulnerabilities.
Successful exploitation of the vulnerabilities executes a shell code which will trigger the download and execution of malware. Most of the downloaded files can give criminals remote control over the infected machine, and thus steal user-critical information such as online banking login credentials, email passwords and the like. Systems infected with EXPLOYT malware may be considered security-compromised.
This Trojan arrives as a component bundled with malware/grayware packages.
It takes advantage of certain vulnerabilities.
TECHNICAL DETAILS
Yes
Compromises system security, Connects to URLs/IPs, Downloads files
Arrival Details
This Trojan arrives as a component bundled with malware/grayware packages.
Download Routine
This Trojan connects to the following website(s) to download and execute a malicious file:
- http://{Random}.changeip.name/temp/newyear/{Random Number}/?whole=98
It saves the files it downloads using the following names:
- %User Temp%\hfgTy\{Random Numbers}.tmp.exe
- %User Profile%\awt43abr.exe
- %User Profile%\berstrestvers.exe
- %User Profile%\bawt34tv.exe
- %User Profile%\tab4vrtve.exe
- %User Profile%\wgsdgsdgdsgsd.exe
- %User Profile%\ab43yctewatv.exe
- %User Profile%\a43vtzgbdgv.exe
- %User Profile%\atv4tvq34.exe
- %User Profile%\bg34dfbewgba4.exe
- %User Profile%\av4a43by4ayb.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components:
- val
- prime
Other Details
This Trojan takes advantage of the following vulnerabilities:
- CVE-2011-3544
- CVE-2012-5076
- CVE-2012-4681
- CVE-2012-1723
- CVE-2013-0422
- CVE-2012-0507
It executes the downloaded file using the following commands:
- regsvr32 -s %User Profile%\{file name}.exe
- %User Profile%\{file name}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)