For Home

Virus Profile: Downloader-BCS

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: game.class (24,739 bytes)
Type: Trojan
Subtype: Downloader
DAT Required: 5055
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Downloader-BCS is a java applet trojan intended to silently download and execute malicious content from a remote server.

Aliases

  • Microsoft  - Exploit:Java/CVE-2012-1723.AV
  • Norman   - Obfuscated.WRO
  • Symantec  - Trojan.Maljava
  • TrendMicro-HouseCall - TROJ_GEN.F47V0723

Indication of Infection

The exploit may download arbitrary files.

This exploit attempts to download and execute additional malware to the infected system.

 

  •  Outgoing HTTP traffic to the domain  http://216.32.92[blocked]/

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.

Methods of Infection

This threat exploits an unpatched vulnerability in Sun Microsystems Java.

This Trojan can be installed while browsing compromised websites.

This downloader trojan exists purely to steal sensitive information, download and run other remote files. The downloader is run on the victim machine in a way that assists in masking its activity.

Aliases

Exploit.java.gimsh.a (Kaspersky), Troj/Dloadr-AYQ (Sophos)
   

Virus Characteristics

------------- Updated 1st August 2012 -------------------

"Exploit-CVE2012-1723" is the detection for a malicious Java class files stored within a Java archive (.JAR) , which attempts to exploit a vulnerability in the Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.

When the page is visited by a user running vulnerable versions of Java, the malicious Java class runs and allows the execution of arbitrary code.

The vulnerability exists due to “type confusion” between a static variable and an instance variable. A static variable is common in a class, whereas an instance variable is only valid in an instantiated class.

The malicious Java package may contain the following malicious Java class files:

 1. t_eea/t_eea [Detected as Exploit-CVE2012-1723.a]
 2. t_eea/t_eeb [Detected as Exploit-CVE2012-1723.a]
 3. t_eea/t_eec [Detected as Exploit-CVE2012-1723.a]
 4. t_eea/t_eed [Detected as Exploit-CVE2012-1723.a]

-----------------------------------------------------------------------------------------------------------------------------

Downloader-BCS is a java applet trojan intended to silently download and execute malicious content from a remote server.

The trojan exploits a Buffer Overflow Vulnerability in Java Runtime Environment (JRE) while parsing certain image file formats like GIF.

When the applet is run on the victim machine having a vulnerable installation of Java Runtime Environment, the trojan downloads another malware from the remote server and executes it.

The following files are downloaded . The applet file (game.class) is of 24,739 bytes in size.

  • game.class --> Malicious Java applet
  • picsj.exe  --> variant of Proxy-Agent.o

The trojan automatically connects to the following domain to download additional malware.

  • http://216.32.92[blocked]/
   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.