Lost control of your system? Java.Trojan.Downloader.OpenConnection has it
• Suddenly your system’s response time drops dramatically, restarting the PC takes a long time, and browsing the Internet is slow.
• Your desktop shortcuts are all messed up, and some of them are new ones you did not create.
• You don’t recognize your own browser’s homepage, which now redirects you to an advertising webpage while, behind your back, collecting information about your browsing habits and other sensitive data. In addition to being redirected to a bogus homepage, you are bombarded with pop-up ads even when you are not connected to the Internet.
• Furthermore, e-mail messages are written and sent on your behalf to your contacts; these messages contain either spam or malware.
It sounds like a horror movie, but it is not. At this point, you have probably been infected with Java.Trojan.Downloader.OpenConnection.AI, a malicious Java™ applet that downloads and executes arbitrary files.
You can get infected easily, as this Trojan “travels” disguised as a Java archive (JAR). The applet uses the CVE-2010-0840 exploit to bypass the Java sandbox.
The JAR file contains four class files in the bpac package:
- a.class - the applet;
- b.class - the URL decrypter.
The applet generates a random name for the executable in the system temporary directory, checks which operating system is installed on the computer, and then downloads the malicious file and executes it with a call to Runtime#exec.
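As an added defender-side example, not part of the original article or of BitDefender’s tooling: a coarse triage check over a JAR that flags class files under the bpac package named above, and class files that reference both the networking and the process-execution APIs a downloader of this kind needs (URL#openConnection and Runtime#exec). The JAR and the class bodies are constructed stand-ins; a production scanner would parse the class constant pool rather than substring-match, since short tokens such as `exec` also occur in benign names.

```python
import io
import zipfile

# Strings a class file carries in its constant pool when it downloads a file
# and runs it the way the article describes. All four must be present to hit.
SUSPICIOUS_REFS = [b"java/net/URL", b"openConnection", b"java/lang/Runtime", b"exec"]
# Package name the article reports for this sample.
KNOWN_PACKAGE = "bpac/"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_jar(jar_bytes):
    """Return findings for one JAR held in memory: entries under the known
    package, and class files referencing both networking and Runtime#exec."""
    findings = {"package_hits": [], "downloader_classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(KNOWN_PACKAGE):
                findings["package_hits"].append(name)
            data = jar.read(name)
            # An entry named .class without the class magic number is not a class.
            if data[:4] != CLASS_MAGIC:
                continue
            if all(ref in data for ref in SUSPICIOUS_REFS):
                findings["downloader_classes"].append(name)
    return findings


def is_suspicious(findings):
    return bool(findings["package_hits"] or findings["downloader_classes"])


def build_sample_jar(entries):
    """Constructed test input: an in-memory JAR from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for class bodies: real class files carry these strings
# as CONSTANT_Utf8 entries; here they simply follow the magic number.
FAKE_DOWNLOADER_CLASS = CLASS_MAGIC + b"\x00".join(SUSPICIOUS_REFS)
FAKE_BENIGN_CLASS = CLASS_MAGIC + b"java/lang/String\x00toString"

if __name__ == "__main__":
    sample = build_sample_jar({"bpac/a.class": FAKE_DOWNLOADER_CLASS,
                               "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    print(scan_jar(sample))
```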
This is only one of the many pieces of malware that exploit the versatility of Java to wreak havoc on users’ computers. You may remember the Boonana Trojan, or the fake YouTube applet we analyzed earlier, in February. To stay safe, avoid installing third-party plugins from websites you don’t fully trust. Using an antivirus solution will also increase your level of protection and might save you hours of maintenance.
This article is based on the technical information provided courtesy of Csaba-Zsolt Juhos, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.