Virus Profile: Generic.dx!bhnh

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/26/2012
Date Added: 12/26/2012
Origin: Unknown
Length: varies
Type: Trojan
Subtype: Exploit
DAT Required: 6908
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Drweb             -       Exploit.CVE2012-0507.9
  • Fortinet           -       W32/JavaDl.JY!tr
  • Gdata              -       Java:CVE-2012-0507-BM [Expl]
  • Microsoft        -       Exploit:Java/CVE-2012-0507!ldr
  • Symantec       -       Trojan.Maljava
  • Nod32            -       Java/Exploit.CVE-2012-0507.Z trojan (variant)

Indication of Infection

  •  The exploit may download arbitrary files.
  •  This exploit attempts to download and execute additional malware to the infected

Methods of Infection

  • This threat exploits an unpatched vulnerability in Sun Microsystems Java.
  • This Trojan can be installed while browsing compromised websites.
   

Virus Characteristics

Generic.dx!bhnh is a detection for Java applets that are written with malicious intention to Downloads other payloads and execute them without user consent. The applet malware exploits a Java Runtime Vulnerability as explained in exploit CVE-2012-0507.

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 5(update 33),6(Update 30) and 7(update 2) and earlier updates allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

The vulnerability is in the implementation of the AtomicReferenceArray class that allows type safety checks to be circumvented to bypass the Java sandbox will permit Java to download and execute malware. The Applet typically contains code that consumes a URL Name (also a part of the Applet) which hosts the malware.

This vulnerability is triggered due to the way error objects are handled by the vulnerable JavaScript engine. Normally Java Script Engines ensure that it executes only trusted code within the Java Runtime Environment as opposed to untrusted Applet code.

The exploit first creates an error object which the vulnerable Java Script Engine cannot handle, and then it executes a script that disables the Java Security Manager using the "toString" method. It then throws an Exception and proceeds further and calls with the malicious class file to execute the arbitrary code.

In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet. 

The malicious HTML passes the encrypted URL of the file to download and execute as the parameter to the applet.

The JAR file contains class files in a package which triggers the Vulnerability

  •  bfb.class (Detected as generic.dx!bhnh)             
  •  etui.class (Download the malicious URL) (Detected as generic exploit!wfl)                  
  •  ovm.class (Disables the Java Security Manager) (Detected as generic exploit!wfk)         
  •  tyu.class (Applet class) (Detected as generic exploit!wfk)         
  •  ulk.class (Exploit class) (Detected as generic exploit!wfk)   
  •  xxx.class (Vulnerability triggering class file) (Detected as generic.dx!bhnj)         
  •  yte.class (Java Script Engine)(Detected as generic.dx!bhnh)     

Upon successful exploitation may lead to the download and execution of arbitrary files in the compromised system.

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95