• Suddenly your system’s response time drops dramatically, restarting the PC takes a long time, and browsing the Internet is slow.
• Your desktop shortcuts are all messed up, and some of them are new and were not created by you.
• You don’t recognize your own browser’s homepage, which now redirects you to some advertising webpage while collecting information about your browsing habits and other critical data behind your back. In addition to being redirected to a bogus homepage, you are bombarded with popup ads even when you are not connected to the Internet.
• Furthermore, e-mail messages are written and sent on your behalf to your list of friends. These e-mails contain either spam or malware.
It sounds like a horror movie, but it is not. At this point you have probably been infected with Java.Trojan.Downloader.OpenConnection.AI – a malicious Java™ applet that downloads and executes arbitrary files.
You can get infected easily, as this Trojan “travels” disguised as a Java archive. The applet uses the CVE-2010-0840 exploit to bypass the Java sandbox.
The JAR file contains four class files in the bpac package:
- a.class – the applet;
- b.class – the URL decrypter.
The applet generates a random name for the executable in the system temporary directory. It checks which operating system is installed on the computer, then downloads the malicious file and executes it with a call to Runtime#exec.
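The behaviour described above (an applet that probes the OS, writes to the temporary directory, fetches a file over a URL and hands it to Runtime#exec) leaves recognisable string constants in the class files inside the JAR. The following Python script is an added example, not code from the original article or from BitDefender; it builds a constructed in-memory JAR that mimics the bpac/a.class and bpac/b.class layout with placeholder class bodies (not real bytecode), then scans every class entry for those constants and flags a JAR that combines a download capability with process execution. Because a real class file stores each constant-pool string as a contiguous run of modified UTF-8 bytes, the same byte-substring search also works on genuine class files, but it is a coarse triage heuristic, not a replacement for an antivirus engine.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file

# Indicator groups: every needle in a group must appear in one class file for
# that group to count. The names on the left are our own labels (assumption).
INDICATORS = {
    "runtime_exec": (b"java/lang/Runtime", b"exec"),
    "temp_dir": (b"java/io/tmpdir",),
    "os_probe": (b"os.name",),
    "download": (b"java/net/URL", b"openConnection"),
}


def build_sample_jar() -> bytes:
    """Constructed sample JAR resembling the layout from the write-up.

    The class bodies are placeholders: the class-file magic followed by the
    string constants a downloader applet would carry. They are not valid
    bytecode and will not run in a JVM; they exist only to exercise the scanner.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "bpac/a.class",
            CLASS_MAGIC
            + b"java/applet/Applet\x00os.name\x00java/io/tmpdir\x00"
            + b"java/lang/Runtime\x00exec\x00",
        )
        jar.writestr(
            "bpac/b.class",
            CLASS_MAGIC + b"java/net/URL\x00openConnection\x00",
        )
    return buf.getvalue()


def build_benign_jar() -> bytes:
    """Constructed control sample with a single harmless applet class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("hello/Hello.class", CLASS_MAGIC + b"java/applet/Applet\x00paint\x00")
    return buf.getvalue()


def scan_jar(jar_bytes: bytes) -> dict:
    """Return {class entry name: [indicator labels]} for every class with hits."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            if data[:4] != CLASS_MAGIC:
                continue  # not a class file despite the extension
            found = [
                label
                for label, needles in INDICATORS.items()
                if all(needle in data for needle in needles)
            ]
            if found:
                hits[name] = found
    return hits


def is_downloader_profile(hits: dict) -> bool:
    """Flag a JAR whose classes, taken together, both download and execute."""
    combined = set().union(*hits.values())
    return {"download", "runtime_exec"} <= combined


if __name__ == "__main__":
    for title, sample in (("sample", build_sample_jar()), ("benign", build_benign_jar())):
        result = scan_jar(sample)
        print(title, result, "-> suspicious:", is_downloader_profile(result))
```

The check deliberately looks across all classes in the archive rather than at a single one, because, as the write-up shows, the downloader logic and the URL handling can live in different classes of the same package.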
This is only one of the many pieces of malware that use the versatility of Java to wreak havoc on users’ computers. You may remember the Boonana Trojan, or the fake YouTube applet we analyzed earlier in February. To stay safe, avoid installing third-party plugins from websites you don’t fully trust. Using an antivirus solution will also increase your level of protection and might save you hours of maintenance.
This article is based on technical information provided courtesy of Csaba-Zsolt Juhos, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.