JAVA_BEYOND.A

 Analysis by: Jed Valderama

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses a file name similar to that of a legitimate file in order to pass as one.

It saves the files it downloads into a folder that it creates.

This file contains a URL to which it connects, possibly to download other files.

  TECHNICAL DETAILS

File Size:

77,454 bytes

File Type:

Java Class, JAR

Initial Samples Received Date:

07 Sep 2012

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan creates the following folders:

  • %User Temp%\hsperfdata_winxp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It uses a file name similar to that of a legitimate file in order to pass as one.

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CLASSES_ROOT\Applications\javaw.exe\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\javaw.exe\shell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}

It adds the following registry entries:

HKEY_CLASSES_ROOT\Applications\javaw.exe\shell\open\command
Default = ""C:\Program Files\Java\jre6\bin\javaw.exe" -jar "%1" %*"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\javaw.exe\shell\open\command
Default = ""C:\Program Files\Java\jre6\bin\javaw.exe" -jar "%1" %*"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}
StubPath = "CMd /q /C start "" /I /B JAvAw.Exe -classpath "%User Temp%\jar_cache5906588338763665408.tmp" a"
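
The Active Setup StubPath entry above is the persistence point a responder would hunt for. The following detection sketch is an added example, not part of the original analysis: it scans the decoded text of a `reg export` of the Installed Components key and flags any StubPath that starts Java with a classpath or JAR located in a Temp folder or ending in .tmp. The sample export, the benign component GUID and the expanded user path are constructed for illustration.

```python
import re

# Constructed "reg export" text (not from a real host). The second component
# reuses the StubPath above, with %User Temp% expanded for a made-up user.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\example.exe /setup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F4C1E312-9D6A-7ED3-E25E-E8C403C69C4C}]
"StubPath"="CMd /q /C start \"\" /I /B JAvAw.Exe -classpath \"C:\\Documents and Settings\\user\\Local Settings\\Temp\\jar_cache5906588338763665408.tmp\" a"
'''

KEY_RE = re.compile(r'^\[(.*\\Active Setup\\Installed Components\\[^\\\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"StubPath"="(.*)"$', re.I)
JAVA_RE = re.compile(r'\bjavaw?(?:\.exe)?\b', re.I)
# Argument of -classpath / -cp / -jar, quoted or bare
TARGET_RE = re.compile(r'-(?:classpath|cp|jar)\s+(?:"([^"]+)"|(\S+))', re.I)


def suspicious_stubpaths(export_text):
    """Return (key, stubpath, reasons) for StubPaths that run Java code from Temp."""
    findings, key = [], None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith('['):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None  # ignore values under other keys
            continue
        m = VALUE_RE.match(line)
        if not (key and m):
            continue
        # reg export escapes backslashes and quotes with a leading backslash
        stub = re.sub(r'\\(.)', r'\1', m.group(1))
        if not JAVA_RE.search(stub):
            continue
        reasons = []
        for quoted, bare in TARGET_RE.findall(stub):
            target = (quoted or bare).lower()
            if '\\temp\\' in target or '%temp%' in target:
                reasons.append('Java code loaded from a Temp folder')
            if target.endswith('.tmp'):
                reasons.append('classpath target has a .tmp extension')
        if reasons:
            findings.append((key, stub, reasons))
    return findings


if __name__ == '__main__':
    for key, stub, reasons in suspicious_stubpaths(SAMPLE_EXPORT):
        print(key, stub, '; '.join(reasons), sep='\n  ')
```
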

Download Routine

This Trojan saves the files it downloads using the following names:

  • %User Temp%\hsperfdata_winxp\{random letters}.{random extension names}
  • %User Temp%\hsperfdata_winxp\{random filename}.exe
  • %User Temp%\hsperfdata_winxp\{random numbers}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It saves the downloaded files into the folder it created, %User Temp%\hsperfdata_winxp.

Other Details

This file contains a URL to which it connects, possibly to download other files. As of this writing, this file contains the following URLs:

  • youporn.com
  • go.com
  • orkut.com
  • hotfile.com
  • rapidshare.com
  • nytimes.com

NOTES:

The malware may have used, or attempted to use, the aforementioned URLs as file hosting sites. The domains themselves are not malicious in nature.