Virus Profile: JV/Exploit-Blacole.q

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/11/2012
Date Added: 8/11/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6800

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

F-Secure - Exploit.Java.Blacole.O
Microsoft - Exploit:Java/Blacole.GD
Nod32 - Java/Exploit.CVE-2012-1723.AV trojan
Avira - Java/Dldr.Kara.AC.1

Indication of Infection

The exploit may download arbitrary files.
This exploit attempts to download and execute additional malware to the

Methods of Infection

This threat exploits an unpatched vulnerability in Sun Microsystems Java.
This Trojan can be installed while browsing compromised websites.

Virus Characteristics

JV/Exploit-Blacole.q is a detection for malicious Java code that exploits CVE-2012-1723.

"Exploit-CVE2012-1723" is the detection for malicious Java class files stored within a Java archive (.JAR) that attempt to exploit a vulnerability in Oracle Java SE 7 Update 4 and earlier, 6 Update 32 and earlier, 5 Update 35 and earlier, and 1.4.2_37 and earlier. The vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.
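The affected version ranges above can be turned into a quick triage check for a fleet. The Python script below is an added example, not McAfee's code or part of this profile: it parses a `java -version` string (the sample output is constructed) and reports whether the installed Java falls inside the ranges quoted above. The version table and the `is_affected` helper are assumptions built only from those ranges; anything newer than the listed update levels is treated as outside the profile's scope.

```python
import re

# Highest affected update level per Java line, taken from the profile text:
# 7 Update 4, 6 Update 32, 5 Update 35 and 1.4.2_37.  Later updates are
# treated as not affected.  (Assumption: table derived only from the profile.)
MAX_AFFECTED_UPDATE = {
    "1.7.0": 4,
    "1.6.0": 32,
    "1.5.0": 35,
    "1.4.2": 37,
}

# Matches "1.7.0_04" as well as a bare "1.7.0"; the update part is optional.
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(?:_(\d+))?")

# Constructed sample of `java -version` output (not captured from a real host).
SAMPLE_JAVA_VERSION_OUTPUT = (
    'java version "1.7.0_04"\n'
    "Java(TM) SE Runtime Environment (build 1.7.0_04-b20)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 23.0-b21, mixed mode)\n"
)


def parse_java_version(text):
    """Extract (base, update) from a version string or `java -version` output.

    Returns None when no recognisable version is present, so callers can
    route the host to manual review instead of silently marking it clean.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    base = match.group(1)
    update = int(match.group(2)) if match.group(2) else 0
    return base, update


def is_affected(text):
    """True if the version is inside the ranges listed in the profile,
    False if it is newer than those ranges, None if it could not be parsed."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    base, update = parsed
    if base in MAX_AFFECTED_UPDATE:
        return update <= MAX_AFFECTED_UPDATE[base]
    # "1.4.2_37 and earlier" also covers older lines such as 1.4.1 or 1.3;
    # anything newer than the listed lines (e.g. 1.8.0) is outside the profile.
    return tuple(int(part) for part in base.split(".")) < (1, 4, 2)


if __name__ == "__main__":
    verdict = is_affected(SAMPLE_JAVA_VERSION_OUTPUT)
    print("parsed:", parse_java_version(SAMPLE_JAVA_VERSION_OUTPUT))
    print("affected by the listed ranges:", verdict)
```

In practice the input would come from `java -version 2>&1` on each host; the script deliberately returns `None` rather than `False` when it cannot parse the output, so an unreadable result is never reported as safe.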

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.

When the page is visited by a user running vulnerable versions of Java, the malicious Java class runs and allows the execution of arbitrary code.

The vulnerability exists due to type confusion between a static field and an instance field: a static field belongs to the class itself and is shared by all of its instances, whereas an instance field exists only within an instantiated object.

The malicious Java package may contain the following malicious Java class files:

  •  rt0a.class
  •  rt0b.class
  •  rt0c.class
  •  rt0d.class

Upon successful exploitation, it attempts to connect to a remote host on port 5152 to download a further payload, and listens on a random local port.

Upon successful exploitation, it creates the following file in the location below in order to execute the payload:

  •  %temp%\V.class [Detected as Exploit-CVE2012-1723]
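The class names and the dropped file above are the concrete indicators this profile gives, so a defender can check for them directly. The Python script below is an added example, not McAfee's code or part of this profile: it lists the entries of a JAR (which is a ZIP archive) and reports any whose file name matches the listed classes, and it checks a temp directory for the dropped `V.class`. The sample JAR is constructed in memory with empty entries; the helper names are assumptions. Matching on file names alone is a weak indicator, since names are trivial to change, so treat a hit as a reason to pull the archive for proper scanning rather than as a verdict.

```python
import io
import os
import tempfile
import zipfile

# Class names listed in the profile for this Blackhole package.
INDICATOR_CLASSES = {"rt0a.class", "rt0b.class", "rt0c.class", "rt0d.class"}

# File the profile says is written to %temp% to run the payload.
DROPPED_FILE_NAME = "V.class"


def find_indicator_classes(jar_bytes):
    """Return the sorted JAR entry names whose base name is one of the
    listed classes, or None if the data is not a readable ZIP/JAR.

    Matching on the base name also catches entries placed under a package
    path such as com/example/rt0c.class.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        return None
    return sorted(n for n in names if os.path.basename(n) in INDICATOR_CLASSES)


def find_dropped_file(temp_dir):
    """Return the full path of V.class inside temp_dir if it exists, else None.
    Pass tempfile.gettempdir() to check the current user's %temp%."""
    candidate = os.path.join(temp_dir, DROPPED_FILE_NAME)
    return candidate if os.path.isfile(candidate) else None


def build_sample_jar(entry_names):
    """Constructed sample: a JAR holding a manifest plus empty entries with
    the given names.  Used only to exercise the checks offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in entry_names:
            jar.writestr(name, b"")
    return buf.getvalue()


def dropped_file_roundtrip():
    """Self-check: create V.class in a throwaway directory and confirm the
    temp-directory check finds it and a clean directory yields None."""
    with tempfile.TemporaryDirectory() as clean_dir:
        if find_dropped_file(clean_dir) is not None:
            return False
    with tempfile.TemporaryDirectory() as dirty_dir:
        with open(os.path.join(dirty_dir, DROPPED_FILE_NAME), "wb") as fh:
            fh.write(b"")
        return find_dropped_file(dirty_dir) is not None


if __name__ == "__main__":
    suspicious = build_sample_jar(["rt0a.class", "com/example/rt0c.class", "Main.class"])
    print("indicator classes in constructed JAR:", find_indicator_classes(suspicious))
    print("V.class present in current %temp%:", find_dropped_file(tempfile.gettempdir()))
    print("temp-directory check self-test passed:", dropped_file_roundtrip())
```

On a real host the JAR bytes would come from the browser's Java cache or a proxy capture, and `find_dropped_file(tempfile.gettempdir())` checks the logged-on user's temp directory, which is where `%temp%` resolves on Windows.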

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).