Virus Profile: Downloader-BCS
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: game.class (24,739 bytes)
Type: Trojan
Subtype: Downloader
DAT Required: 5055
Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Downloader-BCS is a Java applet trojan intended to silently download and execute malicious content from a remote server.

Aliases

  • Microsoft - Exploit:Java/CVE-2012-1723.AV
  • Norman - Obfuscated.WRO
  • Symantec - Trojan.Maljava
  • TrendMicro-HouseCall - TROJ_GEN.F47V0723

Indication of Infection

The exploit may download arbitrary files.

This exploit attempts to download and execute additional malware to the infected system.

  • Outgoing HTTP traffic to the domain http://216.32.92[blocked]/

Note: As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.
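The network indicator above is the most durable thing a defender can act on, since the downloaded binary can change per infection. The following script is an added example (not part of this profile or of any McAfee tool) that scans proxy log lines for two things: any request whose destination falls in the /24 of the blocked indicator (the last octet is redacted on the page, so the whole prefix is watched; that widening is an assumption), and, more generally, a Java client User-Agent fetching a Windows executable, which is the download behavior this profile describes regardless of server address. The log format and all log lines are constructed for the example; the `Java/` User-Agent prefix is what the Java plugin of that era sent and is assumed here.

```python
"""Flag outbound HTTP consistent with the Downloader-BCS fetch stage.
Added example with a constructed log format; not McAfee content."""
import ipaddress
import shlex
from urllib.parse import urlsplit

# /24 derived from the profile's indicator 216.32.92[blocked]; the real
# last octet is redacted, so the whole prefix is watched (assumption).
WATCHED_NETWORKS = [ipaddress.ip_network("216.32.92.0/24")]

# Windows executable types a Java applet should have no reason to fetch.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed proxy log lines in a format assumed for this example:
#   epoch client_ip method url status dst_ip "user_agent"
# 216.32.92.200 is a placeholder inside the redacted range, not a real IoC.
SAMPLE_LOG = """\
1182211200 10.0.0.5 GET http://216.32.92.200/game.jar 200 216.32.92.200 "Java/1.6.0_01"
1182211202 10.0.0.5 GET http://216.32.92.200/picsj.exe 200 216.32.92.200 "Java/1.6.0_01"
1182211210 10.0.0.7 GET http://www.example.com/index.html 200 198.51.100.10 "Mozilla/5.0"
1182211215 10.0.0.9 GET http://downloads.example.net/setup.exe 200 198.51.100.20 "Java/1.6.0_01"
"""


def parse_line(line: str) -> dict:
    """Split one log line; shlex keeps the quoted User-Agent as one field."""
    ts, client, method, url, status, dst, ua = shlex.split(line)
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "dst": ipaddress.ip_address(dst),
        "ua": ua,
    }


def classify(rec: dict) -> list:
    """Return the list of detection reasons that apply to one record."""
    reasons = []
    # Indicator match: destination inside the profile's download network.
    if any(rec["dst"] in net for net in WATCHED_NETWORKS):
        reasons.append("ioc:downloader-bcs-network")
    # Behavioral match: the Java plugin itself pulling an executable.
    path = urlsplit(rec["url"]).path.lower()
    if rec["ua"].startswith("Java/") and path.endswith(EXECUTABLE_SUFFIXES):
        reasons.append("behaviour:java-client-fetched-executable")
    return reasons


def scan_log(text: str) -> list:
    """Return (client, url, reasons) for every line that triggers a reason."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["client"], rec["url"], reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The behavioral rule is the one worth keeping after the indicator goes stale: a legitimate applet loads classes and resources, not `.exe` files, so a `Java/` User-Agent fetching an executable is a strong signal on its own and does not depend on the server address.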

Methods of Infection

This threat exploits an unpatched vulnerability in Sun Microsystems Java.

This Trojan can be installed while browsing compromised websites.

This downloader trojan exists purely to steal sensitive information and to download and run other remote files. The downloader runs on the victim machine in a way that helps mask its activity.

Aliases

  • Kaspersky - Exploit.java.gimsh.a
  • Sophos - Troj/Dloadr-AYQ

Virus Characteristics

------------ Updated on 31 Oct 2013 ------------

Aliases

  • Kaspersky - Trojan-Downloader.Java.OpenConnection.dg
  • Ikarus - Trojan-Downloader.Java.OpenConnection
  • Microsoft - TrojanDownloader:Java/OpenConnection.JS
  • Symantec - Trojan.Maljava

“Downloader-BCS” is the detection name for Java applets written with the malicious intention of downloading other payloads and executing them without user consent.

To fetch the arbitrary file, the applet creates a java.net.URL object for the download URL and then calls its openConnection() and openStream() methods. These methods handle the details of creating the connection, issuing an HTTP GET request, and retrieving the response data.

In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL as a parameter to the applet, which downloads and executes the payload.

“Downloader-BCS” decodes the malicious URL passed from the compromised website, downloads the payload to the %temp% directory and executes it.

Upon successful exploitation the Trojan may try to download the payload to the following location:

  • %temp%\[Random no.].exe


The obfuscated code below confirms that the malware obtains the malicious URL and downloads the payload as [Random no].exe, which is executed upon successful exploitation.
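The behavior described in this update (open a java.net.URL, pull the response body, write an .exe under the temp directory, execute it) leaves a recognisable footprint in the constant pool of the compiled class, because javac stores referenced class and method names there as plain strings. The following script is an added example (not McAfee's tooling and not the profile's own code) that triages a JAR for class files whose constant pool references all three stages at once. The marker strings are an assumption about how such an applet is typically compiled; the in-memory JAR, its `game.class` entry and the benign `Board.class` entry are constructed for the example and contain only fake constant-pool text, not real bytecode.

```python
"""Static triage of a Java archive for the fetch / temp-file / execute
pattern. Added example; not McAfee content and not the sample's code."""
import io
import zipfile

# Strings a class using these APIs carries in its constant pool.
# Class names use '/' separators; method names appear verbatim.
DOWNLOADER_MARKERS = {
    "fetch":   [b"java/net/URL", b"openConnection", b"openStream"],
    "tmpfile": [b"java.io.tmpdir", b"java/io/FileOutputStream", b".exe"],
    "execute": [b"java/lang/Runtime", b"exec", b"java/lang/ProcessBuilder"],
}

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def classify_class(data: bytes) -> dict:
    """Return, per behaviour group, the marker strings found in one class."""
    return {group: [m.decode() for m in markers if m in data]
            for group, markers in DOWNLOADER_MARKERS.items()}


def triage_jar(jar_bytes: bytes) -> list:
    """Return [(entry_name, hits)] for class files hitting all three groups."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            data = jar.read(info)
            if data[:4] != CLASS_MAGIC:      # not really a class file
                continue
            hits = classify_class(data)
            if all(hits[g] for g in ("fetch", "tmpfile", "execute")):
                findings.append((info.filename, hits))
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: one fake downloader class plus one benign class.
    Only the magic number and some constant-pool-like text are present."""
    header = CLASS_MAGIC + b"\x00\x00\x00\x32"   # minor 0, major 50 (Java 6)
    downloader = (header
                  + b"java/net/URL\x00openConnection\x00"
                  + b"java.io.tmpdir\x00java/io/FileOutputStream\x00.exe\x00"
                  + b"java/lang/Runtime\x00exec\x00")
    benign = header + b"java/awt/Graphics\x00paint\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        jar.writestr("game.class", downloader)
        jar.writestr("Board.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_jar(build_sample_jar()):
        print(name)
        for group, found in hits.items():
            print("  ", group, found)
```

This is a first-pass heuristic, not a verdict: the profile itself notes the sample is obfuscated, and a variant that builds these names at runtime through string decryption and reflection will not hit. Use it to prioritise which JARs from a proxy capture get a closer look, alongside the file size and the network indicator given earlier on this page.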

------------- Updated 1st August 2012 -------------------

"Exploit-CVE2012-1723" is the detection for malicious Java class files stored within a Java archive (.JAR) that attempt to exploit a vulnerability in Oracle Java SE 7 Update 4 and earlier, 6 Update 32 and earlier, 5 Update 35 and earlier, and 1.4.2_37 and earlier. The vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.

When the page is visited by a user running vulnerable versions of Java, the malicious Java class runs and allows the execution of arbitrary code.

The vulnerability exists due to “type confusion” between a static variable and an instance variable. A static variable is shared by the class as a whole, whereas an instance variable is only valid within an instantiated object of that class.

The malicious Java package may contain the following malicious Java class files:

 1. t_eea/t_eea [Detected as Exploit-CVE2012-1723.a]
 2. t_eea/t_eeb [Detected as Exploit-CVE2012-1723.a]
 3. t_eea/t_eec [Detected as Exploit-CVE2012-1723.a]
 4. t_eea/t_eed [Detected as Exploit-CVE2012-1723.a]

------------------------------------------------

Downloader-BCS is a java applet trojan intended to silently download and execute malicious content from a remote server.

The trojan exploits a buffer overflow vulnerability in the Java Runtime Environment (JRE) that is triggered while parsing certain image file formats such as GIF.

When the applet is run on the victim machine having a vulnerable installation of Java Runtime Environment, the trojan downloads another malware from the remote server and executes it.

The following files are downloaded. The applet file (game.class) is 24,739 bytes in size.

  • game.class --> Malicious Java applet
  • picsj.exe  --> variant of Proxy-Agent.o

The trojan automatically connects to the following domain to download additional malware.

  • http://216.32.92[blocked]/

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).